b3f7cf0373dd448b4bbd47d1bc21ca470697faa12053e061d873101b865ba761

General

Target

eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe
Size

15KB
MD5

eac55a7dba53a3ca40b4c83a7fcf4923
SHA1

bb3100a8d6ac07b8a5e4969853736b0dad511713
SHA256

b3f7cf0373dd448b4bbd47d1bc21ca470697faa12053e061d873101b865ba761
SHA512

18b582f04dc863686abedb8c764ee9811d4dac8352cf4e9f72f719eeb956535d1732eeb1ae620b0a33450e8942f982e48b7548ccdbdc3a8bddb04bfc4ec1e118
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYll:hDXWipuE+K3/SSHgxmll

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2924	DEMCDE9.exe
2872	DEM2397.exe
3036	DEM79C2.exe
3068	DEMCF31.exe
2864	DEM24A0.exe
2132	DEM7A7D.exe

Loads dropped DLL 6 IoCs

pid	Process
820	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe
2924	DEMCDE9.exe
2872	DEM2397.exe
3036	DEM79C2.exe
3068	DEMCF31.exe
2864	DEM24A0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCF31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM24A0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCDE9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2397.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM79C2.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 2924	820	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe	31
PID 820 wrote to memory of 2924	820	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe	31
PID 820 wrote to memory of 2924	820	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe	31
PID 820 wrote to memory of 2924	820	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2872	2924	DEMCDE9.exe	33
PID 2924 wrote to memory of 2872	2924	DEMCDE9.exe	33
PID 2924 wrote to memory of 2872	2924	DEMCDE9.exe	33
PID 2924 wrote to memory of 2872	2924	DEMCDE9.exe	33
PID 2872 wrote to memory of 3036	2872	DEM2397.exe	35
PID 2872 wrote to memory of 3036	2872	DEM2397.exe	35
PID 2872 wrote to memory of 3036	2872	DEM2397.exe	35
PID 2872 wrote to memory of 3036	2872	DEM2397.exe	35
PID 3036 wrote to memory of 3068	3036	DEM79C2.exe	37
PID 3036 wrote to memory of 3068	3036	DEM79C2.exe	37
PID 3036 wrote to memory of 3068	3036	DEM79C2.exe	37
PID 3036 wrote to memory of 3068	3036	DEM79C2.exe	37
PID 3068 wrote to memory of 2864	3068	DEMCF31.exe	39
PID 3068 wrote to memory of 2864	3068	DEMCF31.exe	39
PID 3068 wrote to memory of 2864	3068	DEMCF31.exe	39
PID 3068 wrote to memory of 2864	3068	DEMCF31.exe	39
PID 2864 wrote to memory of 2132	2864	DEM24A0.exe	41
PID 2864 wrote to memory of 2132	2864	DEM24A0.exe	41
PID 2864 wrote to memory of 2132	2864	DEM24A0.exe	41
PID 2864 wrote to memory of 2132	2864	DEM24A0.exe	41

C:\Users\Admin\AppData\Local\Temp\eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\DEMCDE9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCDE9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\DEM2397.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2397.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\DEM79C2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM79C2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\DEMCF31.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCF31.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\DEM24A0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM24A0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\DEM7A7D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A7D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2397.exe

Filesize
15KB

MD5
3d0caa71d69c7c343341354923632368

SHA1
8f457ceeafa9cfcd374da5132e803f56130186b5

SHA256
00da4b40cf65002135c02b1545afe71f5b7b47ac81db95e1a5840550e61222f1

SHA512
7c4a6b55d15ee361ff457e95c28a3106178465d00b14432f6a7d7b26c5dcee748b10268281dab1630995937e6ff67d39b4b5f51eabdc5e7ba69b9935651603a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM24A0.exe

Filesize
15KB

MD5
d22ce21b7f48cfe1c4c6eecbfd9d1216

SHA1
776bd1e287984dbc5d60bd51bc13c7d75226ed8f

SHA256
1fa818b665e4a544fa6ad847a630ddb3ffbe12a5c3dc214ae58a4aab0b077f9d

SHA512
7f544e736a1bee37ab0fe379d091bdb3c05542e9f9b1051b261f5a82589a5fceb4f28891afcb130119ab69882a48fb8bb16367fa3cfee39267e432982987ba66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM79C2.exe

Filesize
15KB

MD5
c1ddd7aa9a7fb1ec3dd6d3dd9dd05880

SHA1
74b830fd869b4578c1574ce3e1a9490f6f6236c9

SHA256
96628c01e916d8de278e1ad15c2fc9395e784e6af0f8b4a87d1818dec55a378c

SHA512
6be80b39e1d01c6f4e6168a4be06521680b70b0b551c6219100cbeb293dcde628f645cb3704700ee1c495d728b7977eb6dba4653878d5437f7aefdea4d60475e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A7D.exe

Filesize
15KB

MD5
b79f94c2fa69067cd140af9a919160ca

SHA1
30315dbe603444c86c898cb98d94ef59e090a181

SHA256
7542e091be6e972686c32b6dc810bf76f280363758e7f17f30e392447faf8f64

SHA512
28544742b74c8b97bb28260c17264a3ef12143737a7f8adf94fc5331b4370a80f41434f1a95e2683eaa6c1a6ae601e23e7851389b5077abfb70af00fe957eec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCDE9.exe

Filesize
15KB

MD5
60329a19fa1216e00a317ef175718be9

SHA1
4cb788a146377efb26ca7de445eb335b30c63dd2

SHA256
6bea5447afbb726c8c58ddda451ce00f243e9efc697075c06eee3a9b7a29bed7

SHA512
83f1395ab91553d82f0e8218630a0444c47bb6971abce6a30b32f8e7bbeb6d003263b7e3f6bc539fe5592be97f23e5fab605abe74c420bdea70a5af588f9f158

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCF31.exe

Filesize
15KB

MD5
f69f5b2da3a3eef723ec86066404b3b3

SHA1
edd12688dab40e513b5fb8c0adc0444af19d9b2a

SHA256
7a4539c4a5c4f37f8e6ca81a6404ad072c9ada8b745fb5130c15c391f9442518

SHA512
ae719a6d41f532111589a2fcdf0d4e32dd4ce8995a4e0fd0947b9d4a09b76a155b797194e6c2485332b1ae772289158555a5de59f24fc4917a558a19f7515143

Download Submit

Analysis

Sharing