d41dadafa8222349dea80cef5c3455258a7a4f3ee9c1503952565daedf98ef05

General

Target

01014541c6ac4abd4560f100d41f4560_JaffaCakes118.exe
Size

15KB
MD5

01014541c6ac4abd4560f100d41f4560
SHA1

e2b2cf33666fcbaeda0c0b31dc0c944a0b930154
SHA256

d41dadafa8222349dea80cef5c3455258a7a4f3ee9c1503952565daedf98ef05
SHA512

adc7e1ca321d07a84d786ebadb688aa26baba29ab5e1d69549ec0eddb77e201d8abe6a9795cf7a6c58ad066c8ce9194271f25db2d79603fad2205a5ef7d27b3b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx8:hDXWipuE+K3/SSHgxmHu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2432	DEMB6B2.exe
2724	DEMBF2.exe
2728	DEM6143.exe
2956	DEMB683.exe
2140	DEMCDC.exe
2188	DEM623C.exe

Loads dropped DLL 6 IoCs

pid	Process
1736	01014541c6ac4abd4560f100d41f4560_JaffaCakes118.exe
2432	DEMB6B2.exe
2724	DEMBF2.exe
2728	DEM6143.exe
2956	DEMB683.exe
2140	DEMCDC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB683.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCDC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01014541c6ac4abd4560f100d41f4560_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB6B2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBF2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6143.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2432	1736	01014541c6ac4abd4560f100d41f4560_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2432	1736	01014541c6ac4abd4560f100d41f4560_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2432	1736	01014541c6ac4abd4560f100d41f4560_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2432	1736	01014541c6ac4abd4560f100d41f4560_JaffaCakes118.exe	32
PID 2432 wrote to memory of 2724	2432	DEMB6B2.exe	34
PID 2432 wrote to memory of 2724	2432	DEMB6B2.exe	34
PID 2432 wrote to memory of 2724	2432	DEMB6B2.exe	34
PID 2432 wrote to memory of 2724	2432	DEMB6B2.exe	34
PID 2724 wrote to memory of 2728	2724	DEMBF2.exe	36
PID 2724 wrote to memory of 2728	2724	DEMBF2.exe	36
PID 2724 wrote to memory of 2728	2724	DEMBF2.exe	36
PID 2724 wrote to memory of 2728	2724	DEMBF2.exe	36
PID 2728 wrote to memory of 2956	2728	DEM6143.exe	38
PID 2728 wrote to memory of 2956	2728	DEM6143.exe	38
PID 2728 wrote to memory of 2956	2728	DEM6143.exe	38
PID 2728 wrote to memory of 2956	2728	DEM6143.exe	38
PID 2956 wrote to memory of 2140	2956	DEMB683.exe	40
PID 2956 wrote to memory of 2140	2956	DEMB683.exe	40
PID 2956 wrote to memory of 2140	2956	DEMB683.exe	40
PID 2956 wrote to memory of 2140	2956	DEMB683.exe	40
PID 2140 wrote to memory of 2188	2140	DEMCDC.exe	42
PID 2140 wrote to memory of 2188	2140	DEMCDC.exe	42
PID 2140 wrote to memory of 2188	2140	DEMCDC.exe	42
PID 2140 wrote to memory of 2188	2140	DEMCDC.exe	42

C:\Users\Admin\AppData\Local\Temp\01014541c6ac4abd4560f100d41f4560_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01014541c6ac4abd4560f100d41f4560_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\DEMB6B2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB6B2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\DEMBF2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBF2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\DEM6143.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6143.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\DEMB683.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB683.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\DEMCDC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCDC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\DEM623C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM623C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6143.exe

Filesize
15KB

MD5
b096f43576e6510d29e30eac479fd6dc

SHA1
cbe736dee84865e187f76b7a6ac33d81504e08eb

SHA256
578c1f717299e6e62be76bdcabd2e23aefa08a2ba8a253b93693913f92df61a9

SHA512
bfe5225d343fef1dafce2c6ee0775be8c16aabef2d9e49445fd7c9cf901bfa485275e9f4e8c7e2adc5a212b6954fb8634e68363e130551b78d9479bb1f581c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM623C.exe

Filesize
15KB

MD5
2df2ba4784eb9db8b6b819ee88ffd04d

SHA1
a8ab90cd32815e6832c20cf2be9a5f31e28fc808

SHA256
ba613826fcf1fca285493a72e7a336dc7849129e599ebfcbefda419adcdeaea8

SHA512
56540f1f4505bd0ece987cf28a8dd1b647418bf125cf84d97df39acc5273579e96b41c8f0c94112a841fbe1cec48d60d2475d9aaeba775d96de2308612d7abd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB6B2.exe

Filesize
15KB

MD5
512acd3003faf2126e25992d63b3c7c7

SHA1
9540870e322414b7ae0925ac502fe39b42fb05df

SHA256
8bee592fa8e6c7f3a516817a41f56b7ce8c72913919af452632b4ae3f4c20a7f

SHA512
86d24658630dae3323a2a149be840ae5fc491ce0d8252a9c6ff95c6c420455e2e050afe2a9590759fc954eaa68e12903929ceaf8b1da48072b3803a98c09a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBF2.exe

Filesize
15KB

MD5
660b88207b109cb9c7a756195d03994e

SHA1
10eb6fd0f4c567366c06904e87a7136e9fe750f2

SHA256
d3fe8bbb19baaf391d0e14d7449a627d1b733e40dc6669ef6d22c368389fee3c

SHA512
b90119467e0c23b1c9eaa9a87522836aac706e646add301f707ec545a3ad5997fdffb936aed796ee3d27a01aff7e85946714bc8a3f39c076518f5550c383aff2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB683.exe

Filesize
15KB

MD5
e0fec439b2dbac184fa08a3db9a42148

SHA1
134e6e6c510c053322e6c81b4ff8fff8ee54e9aa

SHA256
32e2390e43de04aacaed7b039c8c5cacef8209325dd302a5bc09fe309c414993

SHA512
5be31c13b7f09e8f1ed1d69fdb6ecb9b1bb16b62c6e233746585706d77f6fd922847166e5c559e31910092f8e6b4310d7435272aea730e1ccd323ed28790d5d9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCDC.exe

Filesize
15KB

MD5
9bcb5e8e6855c27337ab6ad149a5c263

SHA1
e674e5620136a44174ca7a0d8741c3606d66d051

SHA256
5d49d43b79e36bb7d07ff2af08822a8d19741011138d205e3417ba4695bc6ab5

SHA512
4e300481fbd51d2eb5112a004ebda4e64417001f262243fd64ac4be05353c94b3442d027b66ce97e61b8dd88955a36b7cadb69eadbaec6162b72685facb52c1e

Download Submit

Analysis

Sharing