fb7c3e6f061accacea0e739e11865d77a64e275abf255ef473e87dcd19b834a5

General

Target

ea809167a75f9760e5df837ec16ad9cd_JaffaCakes118.exe
Size

15KB
MD5

ea809167a75f9760e5df837ec16ad9cd
SHA1

0d579d2ee8be1219e107a4464cde56593c87f7fe
SHA256

fb7c3e6f061accacea0e739e11865d77a64e275abf255ef473e87dcd19b834a5
SHA512

1aaeb0e9e1e9ae1a461fb8509565c1eca726600fdfc62d7d132f220d17a2397b4635e8163f76ba2d851ea1e97ee68147a8256f91742aff09910afdacb280d05a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxC:hDXWipuE+K3/SSHgxmHw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2296	DEM950F.exe
2648	DEMEA5F.exe
1448	DEM3F80.exe
2940	DEM94C1.exe
1848	DEMEA30.exe
1236	DEM3F51.exe

Loads dropped DLL 6 IoCs

pid	Process
2336	ea809167a75f9760e5df837ec16ad9cd_JaffaCakes118.exe
2296	DEM950F.exe
2648	DEMEA5F.exe
1448	DEM3F80.exe
2940	DEM94C1.exe
1848	DEMEA30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEA30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea809167a75f9760e5df837ec16ad9cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM950F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEA5F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3F80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM94C1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2296	2336	ea809167a75f9760e5df837ec16ad9cd_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2296	2336	ea809167a75f9760e5df837ec16ad9cd_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2296	2336	ea809167a75f9760e5df837ec16ad9cd_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2296	2336	ea809167a75f9760e5df837ec16ad9cd_JaffaCakes118.exe	32
PID 2296 wrote to memory of 2648	2296	DEM950F.exe	34
PID 2296 wrote to memory of 2648	2296	DEM950F.exe	34
PID 2296 wrote to memory of 2648	2296	DEM950F.exe	34
PID 2296 wrote to memory of 2648	2296	DEM950F.exe	34
PID 2648 wrote to memory of 1448	2648	DEMEA5F.exe	36
PID 2648 wrote to memory of 1448	2648	DEMEA5F.exe	36
PID 2648 wrote to memory of 1448	2648	DEMEA5F.exe	36
PID 2648 wrote to memory of 1448	2648	DEMEA5F.exe	36
PID 1448 wrote to memory of 2940	1448	DEM3F80.exe	38
PID 1448 wrote to memory of 2940	1448	DEM3F80.exe	38
PID 1448 wrote to memory of 2940	1448	DEM3F80.exe	38
PID 1448 wrote to memory of 2940	1448	DEM3F80.exe	38
PID 2940 wrote to memory of 1848	2940	DEM94C1.exe	40
PID 2940 wrote to memory of 1848	2940	DEM94C1.exe	40
PID 2940 wrote to memory of 1848	2940	DEM94C1.exe	40
PID 2940 wrote to memory of 1848	2940	DEM94C1.exe	40
PID 1848 wrote to memory of 1236	1848	DEMEA30.exe	42
PID 1848 wrote to memory of 1236	1848	DEMEA30.exe	42
PID 1848 wrote to memory of 1236	1848	DEMEA30.exe	42
PID 1848 wrote to memory of 1236	1848	DEMEA30.exe	42

C:\Users\Admin\AppData\Local\Temp\ea809167a75f9760e5df837ec16ad9cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea809167a75f9760e5df837ec16ad9cd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\DEM950F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM950F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\DEMEA5F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEA5F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\DEM3F80.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3F80.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\DEM94C1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM94C1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Users\Admin\AppData\Local\Temp\DEMEA30.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEA30.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\DEM3F51.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3F51.exe"
        7⤵
        Executes dropped EXE
        
        PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMEA5F.exe

Filesize
15KB

MD5
3bf5cfd749dc8f90762bb719bdaf523e

SHA1
a1139f4ef9caf2bcc63d8011098b17694a4286ba

SHA256
58dc411014943db1713187a3566019a3e20e2f4a1bd08c024e7311e0575952a6

SHA512
681879282986f42fea6e2f2d533d520344bb3bebca84e83a59fa1e60af0da3c6107318133160d0583cea965bc3548df5e6e88be5946d95e6cee17b4b870b9c77

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3F51.exe

Filesize
15KB

MD5
ec539ffd6a5037b126a8660047aff37b

SHA1
addf1e193ef62709b486e203350f6b45e2d4aeed

SHA256
e1af4bd6b4546bf56fe3cbf61c060bdfe8608edef57cb0b5b3861f3228ae0666

SHA512
8f37faa7faec49676ed85b0e2e80a54ce70ef5edd594d2fb3996550de41dd27fb88e7c2772a5da6f9b21e87e68bb5a682281cfec392bfc6cf5f55091e9423b45

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3F80.exe

Filesize
15KB

MD5
74bf4c635a1a74e57aaa43ec7731dbd9

SHA1
8f03127a3e56abf8c61ac00418dbf759b25896b0

SHA256
05497a35d445c8cbc657d2acb42743ceda968940176d83fdf10c8206ca584c72

SHA512
466158c25ffadfbfefc73a9f23207c2b6763bbcaaecd07243b4e895cf6dae396dd4f709aa009ffdcc833beabde0c79145279f68279dd543d820c195589169957

Download Submit
\Users\Admin\AppData\Local\Temp\DEM94C1.exe

Filesize
15KB

MD5
fe35435d863743d98a6cd876980688ce

SHA1
00722ea087efcbc48bf022ab827a63e054dbcfa0

SHA256
3d8d02ccba6724e404221d22482fab0ecb2b98e53306d9d0e5657d75513acda1

SHA512
de350d31420321bd41e0f806e4f9aca09e62d93e9cdfed99a9d9367b08453c4d4fb34b91439b38079c2d57e54932804c1672ea2752c54619a82e88a58b2c1fbc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM950F.exe

Filesize
15KB

MD5
ccc10270fa3f2f29e1c819f5049d3f59

SHA1
83c78b8aec3ec2ed8c741baaed52feda32b62f78

SHA256
6c24dd8f2ca99f58e010fa577417c6e7b514dc3204d8173c42059eade9b093d3

SHA512
c4ad80217c9390e41d14a3f2c6f39505e924d7a912f0ecea334f85107b95f1f485ebbf49ce63b2e16b3a9c93285dccc2b572ea9eba7727930f7d183ed3452bd8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEA30.exe

Filesize
15KB

MD5
c04e5bef91fb4f2d0038d1a999d6c012

SHA1
34b3097ed1e8d20454199189bce38031c42a4b1f

SHA256
43746b91dcb9221f25333e010a8790f2711e7a2169fcfa63c72db7292d704a95

SHA512
8b1ef886978f3515cdd9c1ffbcc9f25f1953b74149458ac12cc364f7f29357470538205b06632d05da574a80ad0d284aee7065d0edd427c1e4cc09015e8a9817

Download Submit

Analysis

Sharing