3ec4cd537105c489e5bd2081636d8684978b93e79cf1a6819280fbacc35dd9df

General

Target

eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe
Size

14KB
MD5

eaa4ecdc85b5a1ec8f0252323c3e8c81
SHA1

6afcd5689e41a8323990094507d5b5ad46f0fa32
SHA256

3ec4cd537105c489e5bd2081636d8684978b93e79cf1a6819280fbacc35dd9df
SHA512

efbea2b84fd7d57b6d4f398659b75f7be58950f3a4bf3365bd236dcd0ccec39c340b30787b8b0255f557708b1ea53c0beff1412323a694e6e3e4f4c3bb94dbb0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJGl:hDXWipuE+K3/SSHgxmwl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2856	DEMB73E.exe
2184	DEMC50.exe
2528	DEM624C.exe
708	DEMB7DA.exe
2312	DEMD1B.exe
2884	DEM621D.exe

Loads dropped DLL 6 IoCs

pid	Process
3052	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe
2856	DEMB73E.exe
2184	DEMC50.exe
2528	DEM624C.exe
708	DEMB7DA.exe
2312	DEMD1B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB73E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM624C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB7DA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD1B.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2856	3052	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2856	3052	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2856	3052	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2856	3052	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe	32
PID 2856 wrote to memory of 2184	2856	DEMB73E.exe	34
PID 2856 wrote to memory of 2184	2856	DEMB73E.exe	34
PID 2856 wrote to memory of 2184	2856	DEMB73E.exe	34
PID 2856 wrote to memory of 2184	2856	DEMB73E.exe	34
PID 2184 wrote to memory of 2528	2184	DEMC50.exe	36
PID 2184 wrote to memory of 2528	2184	DEMC50.exe	36
PID 2184 wrote to memory of 2528	2184	DEMC50.exe	36
PID 2184 wrote to memory of 2528	2184	DEMC50.exe	36
PID 2528 wrote to memory of 708	2528	DEM624C.exe	38
PID 2528 wrote to memory of 708	2528	DEM624C.exe	38
PID 2528 wrote to memory of 708	2528	DEM624C.exe	38
PID 2528 wrote to memory of 708	2528	DEM624C.exe	38
PID 708 wrote to memory of 2312	708	DEMB7DA.exe	40
PID 708 wrote to memory of 2312	708	DEMB7DA.exe	40
PID 708 wrote to memory of 2312	708	DEMB7DA.exe	40
PID 708 wrote to memory of 2312	708	DEMB7DA.exe	40
PID 2312 wrote to memory of 2884	2312	DEMD1B.exe	42
PID 2312 wrote to memory of 2884	2312	DEMD1B.exe	42
PID 2312 wrote to memory of 2884	2312	DEMD1B.exe	42
PID 2312 wrote to memory of 2884	2312	DEMD1B.exe	42

C:\Users\Admin\AppData\Local\Temp\eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\DEMB73E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB73E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\DEMC50.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\DEM624C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM624C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\DEMB7DA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB7DA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:708
      - C:\Users\Admin\AppData\Local\Temp\DEMD1B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD1B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\DEM621D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM621D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM621D.exe

Filesize
14KB

MD5
4bfb7e04ae8be522b32f85329f9cd05e

SHA1
5e9214d6beef1c28365f87b15209550d1ba59f6c

SHA256
2eb26b06fd57d1ace45cbe8372fde4c9d00525d7d82c060d3ef3c9d899955417

SHA512
37e143ba29c4ce4d25a601d269cebfed091f14e1be0ee0d44710af9c7436ed550c10b44839b932980fe85fa488b5daa6737fcda1be5120f1ec008592e019ceeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC50.exe

Filesize
14KB

MD5
259e7429f4f80614a3a209295194e863

SHA1
2c91e5e289e1731da47b845cc2386982aca25d5f

SHA256
41b84458e4d643591cf46425c8424ebf42afc2718819a6c2f263300da0018494

SHA512
2714b64dd53a181fd3ffb21cf0d63596cb1d61e6f99586a0cd21a01ca5c2bc432f00ec77d254ed7ec00853d761bb13f4856d07c348ff81e3e935be8e5e03219c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD1B.exe

Filesize
14KB

MD5
9218ed81851896436d03083889d106cc

SHA1
bc25008b761b803a27c32ed4b3d395e652abc04c

SHA256
09d2d2022317d2d10523039b0d03d66288a3e74d24b8ec0e89d02cff409eeab2

SHA512
df51a9e06f90d3c6f680f6cb0549459fe1d397c3a2b598fb4b0fefb8dd532219fda23fab6681734c855ef5bea14c796d290c21373fd0d5ed58adb4689b331fa3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM624C.exe

Filesize
14KB

MD5
9c40ad49b847fd0b5c9ae10f636d2b75

SHA1
c5a2e27bd74d09f0437234fe508f079010144666

SHA256
56809f246da61bf778cbba1b9e35dec2e22cbaf4fb8d339807cf6a30cd7f2b28

SHA512
93cdc20f0f47a45da1ed94597ac88176183efe38c3496d078efca0788c0bbc542976c888659da6ed6018b84daeed3e9ab0ef6b0ee1ffddbe015f6ea9f2169444

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB73E.exe

Filesize
14KB

MD5
b592e3d1008dfd4dd95d0d35dd7d2444

SHA1
c6448aa4550b3e0e40771eb861a0a03c9f3e957f

SHA256
65aabb124a05e3c94865fcb0f5565036e254c779c3b96f6c4b4bd54f98b49bf2

SHA512
d5112b819694b9ceb56bbf5615b98ea2649f8c869fb07fda2c26a2d94dd84fb6198075ed28abd06638ec8da6cb90eb900c6ff31319ed49f6a498726e3c9baf65

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB7DA.exe

Filesize
14KB

MD5
4a9190596974d73c4e7968cebb1055d8

SHA1
fb347e2ba9a20fe7f1989450658d257aac4df713

SHA256
dadaee9d27959c61d46392f56cc1b4394a1b435423e9bd6c949a97433a6a4db3

SHA512
f0e0f8a7eb894d68c58d403aa61b4275c04fb08c9ea1ee0153cb73a0a4ccb7c388f6306eab23bd452f4b1771ce4127c8d3d05015ef8333158bc4aaf37a650d0b

Download Submit

Analysis

Sharing