f0ddc3d1199d4364d002ca67d611f4a794c06c2aa5d6577e08a1592bb43cf962

General

Target

e0f0e44c608a97b49963ba2aebbad726_JaffaCakes118.exe
Size

14KB
MD5

e0f0e44c608a97b49963ba2aebbad726
SHA1

e21e3f9385f988ca2cf35d9042907269ac2e6c4b
SHA256

f0ddc3d1199d4364d002ca67d611f4a794c06c2aa5d6577e08a1592bb43cf962
SHA512

00a43a093ad5f80041fe90e15da34c49667fb893d3db189cc463a02af12757b0c4201b10434e7d43a44ddae44de47f1eafcaecdfccacf47dc49f6550b586dbaf
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhKs:hDXWipuE+K3/SSHgxP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2228	DEMC50.exe
2584	DEM61B0.exe
2212	DEMB6F0.exe
1800	DEMC40.exe
708	DEM6171.exe
1796	DEMB6D1.exe

Loads dropped DLL 6 IoCs

pid	Process
2644	e0f0e44c608a97b49963ba2aebbad726_JaffaCakes118.exe
2228	DEMC50.exe
2584	DEM61B0.exe
2212	DEMB6F0.exe
1800	DEMC40.exe
708	DEM6171.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM61B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB6F0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6171.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0f0e44c608a97b49963ba2aebbad726_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2228	2644	e0f0e44c608a97b49963ba2aebbad726_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2228	2644	e0f0e44c608a97b49963ba2aebbad726_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2228	2644	e0f0e44c608a97b49963ba2aebbad726_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2228	2644	e0f0e44c608a97b49963ba2aebbad726_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2584	2228	DEMC50.exe	33
PID 2228 wrote to memory of 2584	2228	DEMC50.exe	33
PID 2228 wrote to memory of 2584	2228	DEMC50.exe	33
PID 2228 wrote to memory of 2584	2228	DEMC50.exe	33
PID 2584 wrote to memory of 2212	2584	DEM61B0.exe	35
PID 2584 wrote to memory of 2212	2584	DEM61B0.exe	35
PID 2584 wrote to memory of 2212	2584	DEM61B0.exe	35
PID 2584 wrote to memory of 2212	2584	DEM61B0.exe	35
PID 2212 wrote to memory of 1800	2212	DEMB6F0.exe	37
PID 2212 wrote to memory of 1800	2212	DEMB6F0.exe	37
PID 2212 wrote to memory of 1800	2212	DEMB6F0.exe	37
PID 2212 wrote to memory of 1800	2212	DEMB6F0.exe	37
PID 1800 wrote to memory of 708	1800	DEMC40.exe	39
PID 1800 wrote to memory of 708	1800	DEMC40.exe	39
PID 1800 wrote to memory of 708	1800	DEMC40.exe	39
PID 1800 wrote to memory of 708	1800	DEMC40.exe	39
PID 708 wrote to memory of 1796	708	DEM6171.exe	41
PID 708 wrote to memory of 1796	708	DEM6171.exe	41
PID 708 wrote to memory of 1796	708	DEM6171.exe	41
PID 708 wrote to memory of 1796	708	DEM6171.exe	41

C:\Users\Admin\AppData\Local\Temp\e0f0e44c608a97b49963ba2aebbad726_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0f0e44c608a97b49963ba2aebbad726_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\DEMC50.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC50.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\DEM61B0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM61B0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\DEMB6F0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB6F0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\DEMC40.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC40.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\DEM6171.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6171.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\DEMB6D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB6D1.exe"
        7⤵
        Executes dropped EXE
        
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM61B0.exe

Filesize
14KB

MD5
49b9feafd464567d2b52d411780199ee

SHA1
72797640bb8a495090875b23394a4dc2fea00e0d

SHA256
14a649311e98231b28824d42459c07192b3909fefb8db92194124f862095cf99

SHA512
2775317ea24d1f688fd68cb8411e47357e44bfb78194006378f862494dc6625f7e2820a7cea04fd561a1e22d34b8ae43976f4b012e5762652849ebf135b8c855

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB6D1.exe

Filesize
14KB

MD5
a1420f7b60728db04539944077f537cf

SHA1
372e006cb0c99a3e7c4da168e9d0409f7baab9bb

SHA256
3692597e770de0171f2337827313b0508b1c6a89cf3d9bbbc51acc4ba56fa179

SHA512
db804f110b0062f44cb0b52501fde5e3ddbaa22bf941f35993915b7d1c1b52af20e09d9039ce1332c52f06306d42d8ed4b0d949742fa7514ecafd028884377a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB6F0.exe

Filesize
14KB

MD5
317bc37746020436022a650738291db5

SHA1
ea560389c353db0fccfec526761b1819bb5c5581

SHA256
9e5333a6714bab7e50f5b265ef2dbb5ff49572e1671ad0d366fa65a8a4e075a3

SHA512
833f0cd52c5ac6981ea0ae2ccaae7386c0ec269671a38f6942a5ebf6604fd35e290b7dd5e950c2543a535d7ad70c3d9d914be0f752c81bdfdeeb48b6a05f93b8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6171.exe

Filesize
14KB

MD5
c63da848fe529d77ff5ef3a52375b49a

SHA1
c2ea8c4c9584881c8a5b2386bde1e7dd59be5ed4

SHA256
bd40029d9cee2442cc4bd36442d40662754b453531ae7066269f4e54c0d3383c

SHA512
4a5950d812fce057888a43f54b4c380035dd014e7a44c067e7ca06530e60ce0577d8fcc8cbb9fdecf46b8c699e727a066da0630b55bee6a6a4b221f9b110336b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC40.exe

Filesize
14KB

MD5
c38f1d0071e7aa5e2c12bb3ee4f5c45f

SHA1
ee9ab10230443e172c37a20c6c7ab97794462941

SHA256
ba6d78a4dbea807d93fdee3d7b53e56cd66b0a1fd073e7faeb203622b76c586a

SHA512
2b6f7078507d28d6332984fc1e5b8a7af34512c619de305611d92982302b1ea2bb70d8d0f1a274ca7b09709f6a20afd14a4e0cee784f1daf9093887b7801b365

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC50.exe

Filesize
14KB

MD5
4753e04de13c36f310d5d319f4c95796

SHA1
f26875b265f8d67401185b4399bc481fd0a3231c

SHA256
74f7928d049f8f9044c1fb1ceeb5ab6c883f22c31f04039fd179d34a048b6a06

SHA512
0b3f4ab2235e6c5f18141cdd9d74243cf3a7bdcc6b1daabf5c927b66f6e4de844f1d351ae3c2821188fbb7bcf0535cf20db68c377cf2c5ee397c64369028c0c1

Download Submit

Analysis

Sharing