3ce20da33f839e3ba6f037b1443e5a3afb62c78cf8d8d6bf6ca7a31202ee5caf

General

Target

de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe
Size

15KB
MD5

de6c93027c33413b8e7a1e54eb5b1a4a
SHA1

437ac2d99ff9790880ce7075112841cd8c52cff0
SHA256

3ce20da33f839e3ba6f037b1443e5a3afb62c78cf8d8d6bf6ca7a31202ee5caf
SHA512

c8f66ca5d47b8d6020351d108f65167ccff79f751f6c8f188c8975c4ee644567e9a729c88f80a4cb79bb02bb79e021894339bc4b5cb782f5df4ba6d27d003e12
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5i:hDXWipuE+K3/SSHgxl5i

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2072	DEMD52A.exe
2732	DEM2B54.exe
2616	DEM80D3.exe
2816	DEMD6A0.exe
108	DEM2C00.exe
2360	DEM820B.exe

Loads dropped DLL 6 IoCs

pid	Process
1984	de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe
2072	DEMD52A.exe
2732	DEM2B54.exe
2616	DEM80D3.exe
2816	DEMD6A0.exe
108	DEM2C00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2C00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD52A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2B54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM80D3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD6A0.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2072	1984	de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2072	1984	de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2072	1984	de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2072	1984	de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe	32
PID 2072 wrote to memory of 2732	2072	DEMD52A.exe	34
PID 2072 wrote to memory of 2732	2072	DEMD52A.exe	34
PID 2072 wrote to memory of 2732	2072	DEMD52A.exe	34
PID 2072 wrote to memory of 2732	2072	DEMD52A.exe	34
PID 2732 wrote to memory of 2616	2732	DEM2B54.exe	36
PID 2732 wrote to memory of 2616	2732	DEM2B54.exe	36
PID 2732 wrote to memory of 2616	2732	DEM2B54.exe	36
PID 2732 wrote to memory of 2616	2732	DEM2B54.exe	36
PID 2616 wrote to memory of 2816	2616	DEM80D3.exe	38
PID 2616 wrote to memory of 2816	2616	DEM80D3.exe	38
PID 2616 wrote to memory of 2816	2616	DEM80D3.exe	38
PID 2616 wrote to memory of 2816	2616	DEM80D3.exe	38
PID 2816 wrote to memory of 108	2816	DEMD6A0.exe	40
PID 2816 wrote to memory of 108	2816	DEMD6A0.exe	40
PID 2816 wrote to memory of 108	2816	DEMD6A0.exe	40
PID 2816 wrote to memory of 108	2816	DEMD6A0.exe	40
PID 108 wrote to memory of 2360	108	DEM2C00.exe	42
PID 108 wrote to memory of 2360	108	DEM2C00.exe	42
PID 108 wrote to memory of 2360	108	DEM2C00.exe	42
PID 108 wrote to memory of 2360	108	DEM2C00.exe	42

C:\Users\Admin\AppData\Local\Temp\de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\DEMD52A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD52A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\DEM2B54.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2B54.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\DEM80D3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM80D3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\DEMD6A0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD6A0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\DEM2C00.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C00.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\DEM820B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM820B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2B54.exe

Filesize
15KB

MD5
1cc8d0a3ac7c0784d8907da1f50d3650

SHA1
f775dfdbe24ae00efc58724afd47fec58950f14a

SHA256
3c06ac61d73d2d15fb54dbbdac689cb6376111b093dffc728d2a8ffb12a3fb2d

SHA512
12044013fcbf9f020292a3c96070ec3f8e7dd69fba0e499c4a58104250d0d0a3ef679febdf07cc901a44b427559be7931a1c6bad05b43b5df1ee54a948c2a7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD6A0.exe

Filesize
15KB

MD5
98d70027c23f4c79a3c9f2ad8919781e

SHA1
045bdfa6fd773e8e45f686ede22ad96c9a9dc667

SHA256
f37098481248b0469f086facc793450a82d88b1407ef72661db9dfccf2fb09df

SHA512
ac69e510dcbdf5c4cbfc5244cb23e4daac4fdc05e09b4c02189c3e73534887a468689b2579dd8ff4656c11356c2ec535eb49c7174ae7d477f32fd328cfe16a0d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2C00.exe

Filesize
15KB

MD5
e2a0a10153d75f41fd0a68f471161dc0

SHA1
5db7d28d5a78d67b8bb18c88859c5d85e1da306f

SHA256
dfcdc06b63ac50260aa8a41dc5478eaa8e49003758edce93f6ee5842e4d9ed4f

SHA512
7d69185255624904826f3b98eb2dd699fe9ce66df94fe6bb3d6303a8af33f3bcf1c777df0732eee37a2250309f4cce44270a2e1a43371cb7bf30b2cdc51d7e69

Download Submit
\Users\Admin\AppData\Local\Temp\DEM80D3.exe

Filesize
15KB

MD5
808f15bdf3335c9bb6daac73f56b9317

SHA1
77844e1aa38b6e00b6f1a0579bfb73446c7427cb

SHA256
9f89cc55e018b39a6ea7bc68c1af3a907a1c2bb932f4284af55872778ffd731c

SHA512
b2d94ac331c751a2aee906a061f04bda1e608549bc0e136c30b6016df687109e83b8eec9652fa898307ebe769103cf8560721854d86b6b1e91d4d17faaa1e7bf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM820B.exe

Filesize
15KB

MD5
0c210e5a7db7c7f2de9bf60a9565297a

SHA1
9d9183f1ec6a2b37d72728c4fd42a6d39268d6aa

SHA256
f634730edbd725d142b3bc1293b3e49fd01fd3063be3dc7ad9c8f87672af7fa9

SHA512
0abfb7d44a09dd29dfb451080ed432f900fe41a798484aa2f837c5a6b09b1efec3a5a4b225574d944bb877daa29fc8ee66fc5c66c33a8fccff48e9621079f715

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD52A.exe

Filesize
15KB

MD5
ff6574fbf20bcf37ba68554b373aeda1

SHA1
a7f1937f3aa8641fe8a047dbddf732e7b8c69516

SHA256
05f140f27ea43e044fd000f06be16354d2541a2b3b474ee2527ab970b3fe98d3

SHA512
1436300812f14e13ed6d7dc7d5e92c3d816d0c13d303020ec0d6d6c93581f630d61b31fa4cb81b2ca0ed654870a7176a74217c7894d995734b0bb374b33e9dff

Download Submit

Analysis

Sharing