a19167c5eb4ac1338105d7597d6c4fc212a0bc5acbe03fee16c99d9449c8b620

General

Target

eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe
Size

14KB
MD5

eaad4d6b2d66f87160215d32100ff63b
SHA1

cfa86fa8d88f447fb7d0e79db9c51091ee3f7ce8
SHA256

a19167c5eb4ac1338105d7597d6c4fc212a0bc5acbe03fee16c99d9449c8b620
SHA512

216d31c397b5640cfcb6eef119b0181bde1546637c5172b8fc6b7f2d1727d0819fc03054cfc2ceac6eee293270cbe50b6cb4a6a8354a76ecca1096e639c52ad5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhW2:hDXWipuE+K3/SSHgxc2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2704	DEM5560.exe
1816	DEMAA72.exe
1728	DEMFFA3.exe
2208	DEM5532.exe
2628	DEMAA53.exe
2320	DEMFFD2.exe

Loads dropped DLL 6 IoCs

pid	Process
2188	eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe
2704	DEM5560.exe
1816	DEMAA72.exe
1728	DEMFFA3.exe
2208	DEM5532.exe
2628	DEMAA53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5560.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAA72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFFA3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5532.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAA53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2704	2188	eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2704	2188	eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2704	2188	eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2704	2188	eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1816	2704	DEM5560.exe	33
PID 2704 wrote to memory of 1816	2704	DEM5560.exe	33
PID 2704 wrote to memory of 1816	2704	DEM5560.exe	33
PID 2704 wrote to memory of 1816	2704	DEM5560.exe	33
PID 1816 wrote to memory of 1728	1816	DEMAA72.exe	35
PID 1816 wrote to memory of 1728	1816	DEMAA72.exe	35
PID 1816 wrote to memory of 1728	1816	DEMAA72.exe	35
PID 1816 wrote to memory of 1728	1816	DEMAA72.exe	35
PID 1728 wrote to memory of 2208	1728	DEMFFA3.exe	37
PID 1728 wrote to memory of 2208	1728	DEMFFA3.exe	37
PID 1728 wrote to memory of 2208	1728	DEMFFA3.exe	37
PID 1728 wrote to memory of 2208	1728	DEMFFA3.exe	37
PID 2208 wrote to memory of 2628	2208	DEM5532.exe	40
PID 2208 wrote to memory of 2628	2208	DEM5532.exe	40
PID 2208 wrote to memory of 2628	2208	DEM5532.exe	40
PID 2208 wrote to memory of 2628	2208	DEM5532.exe	40
PID 2628 wrote to memory of 2320	2628	DEMAA53.exe	42
PID 2628 wrote to memory of 2320	2628	DEMAA53.exe	42
PID 2628 wrote to memory of 2320	2628	DEMAA53.exe	42
PID 2628 wrote to memory of 2320	2628	DEMAA53.exe	42

C:\Users\Admin\AppData\Local\Temp\eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\DEM5560.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5560.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\DEMAA72.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAA72.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\DEMFFA3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFFA3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\DEM5532.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5532.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Users\Admin\AppData\Local\Temp\DEMAA53.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAA53.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\DEMFFD2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFFD2.exe"
        7⤵
        Executes dropped EXE
        
        PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5532.exe

Filesize
14KB

MD5
ea992d6b385c2abb159853ed0da7ad20

SHA1
0381693dba2a5e474db80ac2797dd011a1511dfa

SHA256
0cfa0e17bd0582125f9733d3d81fba2482701d8e91253438c74b8ced7cf2b737

SHA512
d39524cb74a52203d425bb3d596fe7d94aee90aa4f0589fddc565cb90e362550d75602b4651293710aad3a25a532df9b7dc883dc61a921d3f02192fe030a6dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAA72.exe

Filesize
14KB

MD5
1a2fa80dc6f112948737fc960c7f474f

SHA1
f3e1159c80cce088a15a19f2c406b030800251cb

SHA256
115dbcd512069620039f2ddeb50136e3eb5a14e604bb0ac131498a7b9ec1929c

SHA512
6348223dd62980aa6aa502663d1c957e5f37111cdd3ea5aff584c1e4d6c0a286ce782c3340a0f05b324ebfb5c55bb1eb94a27bb8f715e35747676e025a50fe5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFFA3.exe

Filesize
14KB

MD5
fb2d45588b1a7f66e8b122016f7e7c07

SHA1
ababa0ce9737ae7e92e46687c0be043bcea4892f

SHA256
4a50a4403a22d74a00959ff22f2f9e068ffff827c002ee95705fa85887fd7441

SHA512
2e2c98c49701e98eec3791d2b6a0914546745feeb1a9257786a4bc150eee34ec5a7a90c3ac2eeeb01dbb9868f5623f5cff04370a354fce3ac019344a4a433529

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFFD2.exe

Filesize
14KB

MD5
e1e60f2d6200224758556cc3cb7492c4

SHA1
4555c57863e074dd1225489fda0c6c2ac609db2f

SHA256
baa94242ffc31653c5b053967660a7ff413091543e194a7842e1c7599982c60c

SHA512
476aa79f6dd23b0e5704ebdb6767aca24fc9812bbd7a76c86783f61eec23bac1421c7f3d384e82fd76f3009f4949fa94372b8574fb18e9e796115e9eb906fb58

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5560.exe

Filesize
14KB

MD5
3694ad72b20beed33177f624e449c6a0

SHA1
6c1a2e33b7de5953f95314cbf528bcb19eb0e86c

SHA256
61098363bc3af62250bc8d1f928f030d5f6f7f59b3cca798d64ac719c3ee852e

SHA512
1d77329514efe114889d3f1d02d2362dd5e51a51b4cc04af1cc009bdb79ee66a6f5d6eea5b38f318e2e4ae3e809cedf9f65cecb9f9f8d6931a3d801bba24dd07

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAA53.exe

Filesize
14KB

MD5
f1c0ab11f2790031cd166b1fdcae6a2e

SHA1
05878322351dc4bbd6620be4243b361d8a96c4c1

SHA256
56e414064e5e9de78fa4d86c5bf32fcd9bceca6ef7ae7fef53f380e4e424f11c

SHA512
2acd5295032c1f0418354fca133037bea847314f03dd7f15eaa03a5e095af2e038ebe49665c27b8df5bb0139510f54f3e16216cf45aa123a74aa8d1453950e25

Download Submit

Analysis

Sharing