efedbd226b293f773ddad70155e5596a91ed501d65bacf6a78c7a38d8b4a46e3

General

Target

fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe
Size

15KB
MD5

fe03c9cd24f5b913a3ad5e732a86c7dc
SHA1

e803f9bce447000181095db7a5c4bdb6107be2af
SHA256

efedbd226b293f773ddad70155e5596a91ed501d65bacf6a78c7a38d8b4a46e3
SHA512

44b42fdd61f490d781b9ce5942d351a613bf9ae6dab7d2cb03c7cd160177ef7c18f9712adbcbdce740e26e04e89ea4e7380395e6840f98c2a9178425b56e9358
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEHt:hDXWipuE+K3/SSHgxWt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1592	DEMC34F.exe
2788	DEM1842.exe
2600	DEM6DEF.exe
1620	DEMC37E.exe
1696	DEM189F.exe
324	DEM6DB1.exe

Loads dropped DLL 6 IoCs

pid	Process
2236	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe
1592	DEMC34F.exe
2788	DEM1842.exe
2600	DEM6DEF.exe
1620	DEMC37E.exe
1696	DEM189F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6DEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC37E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM189F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC34F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1842.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1592	2236	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe	32
PID 2236 wrote to memory of 1592	2236	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe	32
PID 2236 wrote to memory of 1592	2236	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe	32
PID 2236 wrote to memory of 1592	2236	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe	32
PID 1592 wrote to memory of 2788	1592	DEMC34F.exe	34
PID 1592 wrote to memory of 2788	1592	DEMC34F.exe	34
PID 1592 wrote to memory of 2788	1592	DEMC34F.exe	34
PID 1592 wrote to memory of 2788	1592	DEMC34F.exe	34
PID 2788 wrote to memory of 2600	2788	DEM1842.exe	36
PID 2788 wrote to memory of 2600	2788	DEM1842.exe	36
PID 2788 wrote to memory of 2600	2788	DEM1842.exe	36
PID 2788 wrote to memory of 2600	2788	DEM1842.exe	36
PID 2600 wrote to memory of 1620	2600	DEM6DEF.exe	38
PID 2600 wrote to memory of 1620	2600	DEM6DEF.exe	38
PID 2600 wrote to memory of 1620	2600	DEM6DEF.exe	38
PID 2600 wrote to memory of 1620	2600	DEM6DEF.exe	38
PID 1620 wrote to memory of 1696	1620	DEMC37E.exe	40
PID 1620 wrote to memory of 1696	1620	DEMC37E.exe	40
PID 1620 wrote to memory of 1696	1620	DEMC37E.exe	40
PID 1620 wrote to memory of 1696	1620	DEMC37E.exe	40
PID 1696 wrote to memory of 324	1696	DEM189F.exe	42
PID 1696 wrote to memory of 324	1696	DEM189F.exe	42
PID 1696 wrote to memory of 324	1696	DEM189F.exe	42
PID 1696 wrote to memory of 324	1696	DEM189F.exe	42

C:\Users\Admin\AppData\Local\Temp\fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\DEMC34F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC34F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\DEM1842.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1842.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\DEM6DEF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6DEF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\DEMC37E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC37E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\DEM189F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM189F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\DEM6DB1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6DB1.exe"
        7⤵
        Executes dropped EXE
        
        PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1842.exe

Filesize
15KB

MD5
7bef96d486389e4ee43561dddc113b49

SHA1
89307377dd68ae0c8e0cde989d366c244e936ad8

SHA256
5ad6642d75138f04cd414ef53dc400f3c42bea5cb0133758f7b10ac9dd6e450b

SHA512
9e72435bb7f9aa350c4211d83c53e8c36a79850c30a0f32122a8dc38d77e5630a114e518969db2f0777da6397f3671706b0d7b389274438cb7b9186beaea86a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC34F.exe

Filesize
15KB

MD5
ed0926ef62a6cedb44d24c4e851ac848

SHA1
75946fb772d9269854264f5ad83ef71aa883d0a5

SHA256
e275bf5ff52d6b0860617c540cc9014853bf7496b4d87e352395a7b63b1394d2

SHA512
edd0248debe23ea1f1c1e44a865c2c2ca2051a86a9a389905ae5bf1aef1242e74abbae939dbd82ce3575c97e785747c509820204987692feb27019125f4e9389

Download Submit
\Users\Admin\AppData\Local\Temp\DEM189F.exe

Filesize
15KB

MD5
b0b43e6816801390aa20f38a4b7b80c8

SHA1
caab09b2de4dee6d43a418e69482c5cf8fbafd1a

SHA256
989e63cc94be83e743fabe62d3be31abaf5f9b19b8c7c7ce97a4850415853345

SHA512
1a7455255945cb3e4dac0293d0700bdd1ba2cdff61ba9dcf03243c34447282106bbcf396a7fcd937ee75a130102dc2e81382f6e466c2de5ceb4f7a05b2f9e880

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6DB1.exe

Filesize
15KB

MD5
dcdebbd9ed5d71db47f8163c7b81c5cd

SHA1
4d89116cea3a5671bb659db57949314439413d2e

SHA256
2ffa8818ce66cf12d61f290f26c74978329e2b2a533c3b58f34d267ea5370e06

SHA512
b70a791b22d52880751fb80587b2b5e0805353029806132972bf84d0fe55826e2116a91085f588b40eefd5fb99482bc5a4e6739f1f4285a0343f785c0365f1ab

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6DEF.exe

Filesize
15KB

MD5
bcac21771ff7decf5444458d7cedb878

SHA1
5613a62d5bb755f2df8d08b3c6ed37bef86c8b0d

SHA256
265ea0bcd0b75e2c8beb2f5aaf7018e6eb2cbfd91864b40524e8e789c9f41f48

SHA512
674cf2163def906170f82bd2b2ee11853a857a6b9332d3b0a893abb785f95326ec65f48d48667924c0d30ee43300132c76e993890b5e2b1c5f626df661a1f689

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC37E.exe

Filesize
15KB

MD5
53bd5091e5f21dc98b16556cf359e8d9

SHA1
0b87a72670c21d6b16e9842fe76372bc7852be8f

SHA256
d4839c866b2e513613aba7509f7bf7bc4d4d8da673c8d5b3b83260495733a9c3

SHA512
8948a22fe8a6e3f33fde3aec9a37a7a7214e213dbd625a21b15f8c0e31e248ef790e5b799ae2f856e0cf3f6c7656ee9392c61f2c73b11318366df5e52d35d91e

Download Submit

Analysis

Sharing