faabb97dd7db86cb73f71f0f7e5bfba6cf9133c928bb0d21c14b6c89ae3acbdc

General

Target

f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe
Size

14KB
MD5

f5fecf633e0665c42ec68086a16f43c7
SHA1

f56bc51a58713533362927794161a26049c2421e
SHA256

faabb97dd7db86cb73f71f0f7e5bfba6cf9133c928bb0d21c14b6c89ae3acbdc
SHA512

2f4925e76b1f0ab51ed701bf77aa82a3f297f6ac2e46f3918203b5a9e28a6a8cec5a301fc16977d334d4d3a0e144dbb81b75c9f49426e4ecc6a0bc73827c01ba
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZ3:hDXWipuE+K3/SSHgx33

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2836	DEM34F5.exe
1044	DEM8A26.exe
1928	DEMDFC4.exe
2828	DEM34C6.exe
1788	DEM8A36.exe
2356	DEMDF48.exe

Loads dropped DLL 6 IoCs

pid	Process
2096	f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe
2836	DEM34F5.exe
1044	DEM8A26.exe
1928	DEMDFC4.exe
2828	DEM34C6.exe
1788	DEM8A36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDFC4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM34C6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8A36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM34F5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8A26.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2836	2096	f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2836	2096	f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2836	2096	f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2836	2096	f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe	31
PID 2836 wrote to memory of 1044	2836	DEM34F5.exe	33
PID 2836 wrote to memory of 1044	2836	DEM34F5.exe	33
PID 2836 wrote to memory of 1044	2836	DEM34F5.exe	33
PID 2836 wrote to memory of 1044	2836	DEM34F5.exe	33
PID 1044 wrote to memory of 1928	1044	DEM8A26.exe	35
PID 1044 wrote to memory of 1928	1044	DEM8A26.exe	35
PID 1044 wrote to memory of 1928	1044	DEM8A26.exe	35
PID 1044 wrote to memory of 1928	1044	DEM8A26.exe	35
PID 1928 wrote to memory of 2828	1928	DEMDFC4.exe	37
PID 1928 wrote to memory of 2828	1928	DEMDFC4.exe	37
PID 1928 wrote to memory of 2828	1928	DEMDFC4.exe	37
PID 1928 wrote to memory of 2828	1928	DEMDFC4.exe	37
PID 2828 wrote to memory of 1788	2828	DEM34C6.exe	39
PID 2828 wrote to memory of 1788	2828	DEM34C6.exe	39
PID 2828 wrote to memory of 1788	2828	DEM34C6.exe	39
PID 2828 wrote to memory of 1788	2828	DEM34C6.exe	39
PID 1788 wrote to memory of 2356	1788	DEM8A36.exe	41
PID 1788 wrote to memory of 2356	1788	DEM8A36.exe	41
PID 1788 wrote to memory of 2356	1788	DEM8A36.exe	41
PID 1788 wrote to memory of 2356	1788	DEM8A36.exe	41

C:\Users\Admin\AppData\Local\Temp\f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\DEM34F5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM34F5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\DEM8A26.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8A26.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\DEMDFC4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDFC4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\DEM34C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM34C6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\DEM8A36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A36.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\DEMDF48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDF48.exe"
        7⤵
        Executes dropped EXE
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM34C6.exe

Filesize
14KB

MD5
d51a798121824734cc6f320cacd8da42

SHA1
c0cd8376611eed78da6fffb61373b50fb5e2a642

SHA256
8d8fdf33423ddd2e54b76678340fd7b443d9b64b3490d548b47498ffb54e0185

SHA512
38327329e41333703a2c49f7a4ed3c63e79d7cd3de5dfd20eb8b2c978bc4360b5626647379d733a18eb512bbabfe6989db893b9247cc520b0c9b5a4cf9655127

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM34F5.exe

Filesize
14KB

MD5
64f9946400b1dd562a711bafcf61d895

SHA1
f10f13f7ead5255e11abedbb6143fb425791ef19

SHA256
0fc7d9cf38392703f912552dedc340fd6f346a5a2767673b41f131c93c56a635

SHA512
e4214ed9fabb31943b8aa19315db62594c4e3dca3826ea471340ea8eaf6aa72b534ad20d2a8e589cf2606053172e7069a023c0c1df62ec905b6c75ed33e2635f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A26.exe

Filesize
14KB

MD5
ec9bc58576ad698e4e5f98228afc54a8

SHA1
7256f8ba39c479285afa63df2c81719d13cc7a91

SHA256
1a6cc5c636a34eb2b0ff4d565e406be5e92377507607a059756283b2417458a2

SHA512
821390afe83b6fc876a4409a7776fd84577743d24d762ab2878ee12ef2e630fd0501b44896667c2920d31fe7cfc426b11b13bc44adb721be6d6a0464365a7462

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF48.exe

Filesize
14KB

MD5
c6e443d5e447e6275f94252d134e9399

SHA1
7a3a4af6609fcd149e09ebb4dd4dd45fa92d92dd

SHA256
164d106d5693c54eebc068dbad73ef83545f0c4ea059b0d1a9aed7820b33eb1d

SHA512
d262bd9152e4bbd3654ec4c759fe446d43f8bc57a707810ef514436845192ed8a89790bd58f8adcab0a0003313e605ab3f7d4a9066ca6ae8af78f289974c99a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDFC4.exe

Filesize
14KB

MD5
7a2278aeb5b65cc92ef0df831f7a6608

SHA1
92874fcad4a204d87194201bad70d345554fbae8

SHA256
98f61136170c2fec16943e22674ff89f6227cda49840cb28903350fb199e991e

SHA512
84cc5321a2ecceab24067dfa44c3023b69ae4d26582d52fcbf2ef086b813d97635b8cff0cefac5a455dae4bbae8c877f32f510b8bc1b3266dbf77f4b5b63e264

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8A36.exe

Filesize
14KB

MD5
3056e074b4d3fad4c38c28de0cae07de

SHA1
bbc0cb665728ff4ce8d4c18186223e1841477166

SHA256
0f60f22a576797dad73e296e2ae80f7e277d65194229cda8274f6250f3cd37d6

SHA512
8036bf0851b62d6be67da39656eb6b5f0fa6e8baed029df60165e233de8100175acdbc63834d6d74c5fbfa313ffa52a08094095a52a369283df0d961e13d958e

Download Submit

Analysis

Sharing