473202c5035fccc0e2f205154730b35ad70e209dd37c79f37e9cefe7697046b2

General

Target

ffbd348ef894a33198b49af2bf26d8e6_JaffaCakes118.exe
Size

15KB
MD5

ffbd348ef894a33198b49af2bf26d8e6
SHA1

ce92288c922195ccfd82b07695b856a463fd0c23
SHA256

473202c5035fccc0e2f205154730b35ad70e209dd37c79f37e9cefe7697046b2
SHA512

e8568094267ae3530815f8bfd8f06aba9b8df549acc2c3e802717e855eaaed6de55c0538a5df11c6de9600ae35c36927d4b1094340937fe83ee7c47a61265873
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEHI:hDXWipuE+K3/SSHgxWI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2656	DEMEF20.exe
2584	DEM450C.exe
2400	DEM9AB9.exe
2580	DEMEFEA.exe
1696	DEM45C7.exe
2904	DEM9B07.exe

Loads dropped DLL 6 IoCs

pid	Process
2244	ffbd348ef894a33198b49af2bf26d8e6_JaffaCakes118.exe
2656	DEMEF20.exe
2584	DEM450C.exe
2400	DEM9AB9.exe
2580	DEMEFEA.exe
1696	DEM45C7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM45C7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffbd348ef894a33198b49af2bf26d8e6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEF20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM450C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9AB9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEFEA.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2656	2244	ffbd348ef894a33198b49af2bf26d8e6_JaffaCakes118.exe	31
PID 2244 wrote to memory of 2656	2244	ffbd348ef894a33198b49af2bf26d8e6_JaffaCakes118.exe	31
PID 2244 wrote to memory of 2656	2244	ffbd348ef894a33198b49af2bf26d8e6_JaffaCakes118.exe	31
PID 2244 wrote to memory of 2656	2244	ffbd348ef894a33198b49af2bf26d8e6_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2584	2656	DEMEF20.exe	33
PID 2656 wrote to memory of 2584	2656	DEMEF20.exe	33
PID 2656 wrote to memory of 2584	2656	DEMEF20.exe	33
PID 2656 wrote to memory of 2584	2656	DEMEF20.exe	33
PID 2584 wrote to memory of 2400	2584	DEM450C.exe	35
PID 2584 wrote to memory of 2400	2584	DEM450C.exe	35
PID 2584 wrote to memory of 2400	2584	DEM450C.exe	35
PID 2584 wrote to memory of 2400	2584	DEM450C.exe	35
PID 2400 wrote to memory of 2580	2400	DEM9AB9.exe	38
PID 2400 wrote to memory of 2580	2400	DEM9AB9.exe	38
PID 2400 wrote to memory of 2580	2400	DEM9AB9.exe	38
PID 2400 wrote to memory of 2580	2400	DEM9AB9.exe	38
PID 2580 wrote to memory of 1696	2580	DEMEFEA.exe	40
PID 2580 wrote to memory of 1696	2580	DEMEFEA.exe	40
PID 2580 wrote to memory of 1696	2580	DEMEFEA.exe	40
PID 2580 wrote to memory of 1696	2580	DEMEFEA.exe	40
PID 1696 wrote to memory of 2904	1696	DEM45C7.exe	42
PID 1696 wrote to memory of 2904	1696	DEM45C7.exe	42
PID 1696 wrote to memory of 2904	1696	DEM45C7.exe	42
PID 1696 wrote to memory of 2904	1696	DEM45C7.exe	42

C:\Users\Admin\AppData\Local\Temp\ffbd348ef894a33198b49af2bf26d8e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffbd348ef894a33198b49af2bf26d8e6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\DEMEF20.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEF20.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\DEM450C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM450C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\DEM9AB9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9AB9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Users\Admin\AppData\Local\Temp\DEMEFEA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEFEA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\DEM45C7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM45C7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\DEM9B07.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9B07.exe"
        7⤵
        Executes dropped EXE
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM450C.exe

Filesize
15KB

MD5
67d2ef028edcb2f4c07aa2b1e8898403

SHA1
55bfe5990b78eea9516ffeb7687d588cd47ffcf4

SHA256
0f40c8b5e6b4064f874670784ee3eb51af31d25caa7e221623f571b92afcb9d9

SHA512
5e23ecdb731c2601dd1a1aafb45011299de5bd779e35324a491e55c880619263a10f5b2f2b8e4fb3e68d78da27f9798becf493d79c15f7317d0e9653790ef3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9AB9.exe

Filesize
15KB

MD5
a2e5a4f5b962c82552a2f84ee2e7d351

SHA1
4b356c66c1c4fb8ad3308a3e1190aa586eef5650

SHA256
24391ef7d34d332ca239547c931fe309cbae9f18835376e2194230a22f96b71c

SHA512
0085288c23b674481525488e53d4580aebeb27d9b46211309f893507cf08d459b3b063bfb60647ff3c7159f115445ce27d4212fbae73008451b3b113ebcdceea

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B07.exe

Filesize
15KB

MD5
6db4d837c8a2496d1e6e1b99dd6a74ea

SHA1
125a02e9e0eb7022f741a102580fabcce72c6def

SHA256
38b88bd19e077475a728ce5f2b96c10a57a96f2019a87fe8b1c456c75aec7d5f

SHA512
ea0cde3e014ed5b6a7a6c9106276f8c30da4002ea715d018813e51aacdb4d5975a32fa06225ecd1c59e317bbd75d3a656957eeaa4fd862a1898491fcc61d6e0e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM45C7.exe

Filesize
15KB

MD5
d0afa7631ec6955902e3576b32732697

SHA1
f00dcf86097487991f286c9b71b88579eff4bc1c

SHA256
9e909c574bd1967f31dfb83a25412a892033c37d0223fbaf3b6ffa5496f8b8d8

SHA512
3f0743b14fc81746c9daf314de12724c38502c19133a7b542c6db868883e8466b60fbbf75f9531df53c249883c66e47d1d3bb7d661f83b7406582fd15d5d076a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEF20.exe

Filesize
15KB

MD5
39d3c869cda24821f5385e584a56f840

SHA1
af24a0005fb01491a1310885975bbab675d13ce8

SHA256
a6140751a15de3f7d974b39799630335b178b6c95a6e158e17713efa9a101ebb

SHA512
6e92c1fc15970d2c4c8b873d88ba0f336be004773c13988b038e55b01f8a541939e330fccffd6bf606e9402ead6acd4b9f093d4d45e1e124ad80b7ecbb3f72a3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEFEA.exe

Filesize
15KB

MD5
fc81963e690f57c786e2554d5d997406

SHA1
03139f58310f865f74cd97335ec40e99556ffc13

SHA256
bfcc7c13bc57d655f64412e24ed65881e1bcc17676dbc2aea845942f6ac71bd0

SHA512
606484f4319c0a9e47bdef832fc016974888d3d10029552e96939a12bcdefd8dcaad2211d60b109b3683a48062f7067930a7df015417fdbb4cb8d91ae292601a

Download Submit

Analysis

Sharing