7cdc7c3b1150d794ad0c84fb14757b8662aa522f8896abbd910f9f0d27a305fe

General

Target

020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
Size

13KB
MD5

020a66f7c7ca9542d434b5e38874fb0d
SHA1

d1e8b96e90f5cc0553517d839b7143e5b6292ebf
SHA256

7cdc7c3b1150d794ad0c84fb14757b8662aa522f8896abbd910f9f0d27a305fe
SHA512

8c409161640655ff9b278290a7f4627054a061d003618e6352d7fd22978adb2114e69240bc8dcaaed10de99689810675597b81bb65cfce0ce0a6bcb4ecd51e64
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh0:hDXWipuE+K3/SSHgx2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2324	DEM85C3.exe
1712	DEMDB42.exe
2212	DEM310F.exe
1580	DEM868E.exe
1956	DEMDC3C.exe
1632	DEM3228.exe

Loads dropped DLL 6 IoCs

pid	Process
2508	020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
2324	DEM85C3.exe
1712	DEMDB42.exe
2212	DEM310F.exe
1580	DEM868E.exe
1956	DEMDC3C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM85C3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDB42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM310F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM868E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDC3C.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2324	2508	020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2324	2508	020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2324	2508	020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2324	2508	020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe	32
PID 2324 wrote to memory of 1712	2324	DEM85C3.exe	34
PID 2324 wrote to memory of 1712	2324	DEM85C3.exe	34
PID 2324 wrote to memory of 1712	2324	DEM85C3.exe	34
PID 2324 wrote to memory of 1712	2324	DEM85C3.exe	34
PID 1712 wrote to memory of 2212	1712	DEMDB42.exe	36
PID 1712 wrote to memory of 2212	1712	DEMDB42.exe	36
PID 1712 wrote to memory of 2212	1712	DEMDB42.exe	36
PID 1712 wrote to memory of 2212	1712	DEMDB42.exe	36
PID 2212 wrote to memory of 1580	2212	DEM310F.exe	38
PID 2212 wrote to memory of 1580	2212	DEM310F.exe	38
PID 2212 wrote to memory of 1580	2212	DEM310F.exe	38
PID 2212 wrote to memory of 1580	2212	DEM310F.exe	38
PID 1580 wrote to memory of 1956	1580	DEM868E.exe	40
PID 1580 wrote to memory of 1956	1580	DEM868E.exe	40
PID 1580 wrote to memory of 1956	1580	DEM868E.exe	40
PID 1580 wrote to memory of 1956	1580	DEM868E.exe	40
PID 1956 wrote to memory of 1632	1956	DEMDC3C.exe	42
PID 1956 wrote to memory of 1632	1956	DEMDC3C.exe	42
PID 1956 wrote to memory of 1632	1956	DEMDC3C.exe	42
PID 1956 wrote to memory of 1632	1956	DEMDC3C.exe	42

C:\Users\Admin\AppData\Local\Temp\020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\DEM85C3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM85C3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\DEM310F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM310F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\DEM868E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM868E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\DEMDC3C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC3C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\DEM3228.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3228.exe"
        7⤵
        Executes dropped EXE
        
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM310F.exe

Filesize
14KB

MD5
3882cd4d472e00e9ed218107d43ba4e7

SHA1
52fedad6cd4183588f10f22b3aaf6df5b18f8379

SHA256
7753c7d1236136bf1f376799fe467c4be3c145f66a7b93fd48550fb1c1d48c51

SHA512
8b5903dd4d97c47f382e09272aa8bc3c02287291ce8c8385adcd37bf7481b24f581fbbd9addff55ca67321c36fb0dc7a02763ce3c7adf8837d740fa14dbf5515

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3228.exe

Filesize
14KB

MD5
ee229477fa07ac503bacdba62f7c3172

SHA1
1cefb09e0376a7eac24fea1ccbbd24360198cea9

SHA256
44c88c8f8ba06511d249eaf9b5d03538ae4d02c497fd59f475e8be7a5a98e4e5

SHA512
0af02890ab55e538ef892ac946f9b8fd25025fbbd2ef18799e46bd4fb58613c91492231761c03fa879dc27f2443cef5ffebc580871f255c465727bd42b99caf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe

Filesize
14KB

MD5
dc83a981d766970bbd5c6b6117911009

SHA1
c4ffecd96d19bd1ca365a856de943c539c4f38f8

SHA256
c7d4805a80c481a27e4ef0a6ca9c7153b66ee1a8d9b2054b58e85bb1f97acfbc

SHA512
738189fedef7280450e5f754d9edeb505c8f8f46a136fc65a44ea7686042f163de5c01d2dc5cf4e8b61693b64c96e37873513632e261634871c6bf1c3159b949

Download Submit
\Users\Admin\AppData\Local\Temp\DEM85C3.exe

Filesize
13KB

MD5
43d7c2a8bf42128ca35be7865974cd98

SHA1
0f568884cc8b98c9076283abd3eb122f4905cdec

SHA256
7e275171d7bced07d387492daeb2e054d014692a235e3063f1daab1e61155f79

SHA512
19a9034629303c809b39949a0ef8934bf7079d14e0a42f64798cc4c47439aeede4e670cdcbf854d0acd8c0e8346b2663602be4b317c1649b83d9368ddb264ae5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM868E.exe

Filesize
14KB

MD5
b4a5a711a9924b04b49d70031bcfd231

SHA1
d29c7b370e110e872d1c5894b7869ae88be87e1b

SHA256
e93cb25d8e047bc6a9f62f77498aea1ad9c34df750320cf9a9a1a884b0c41dae

SHA512
ca920d75e99dfce33f38c8e1de98bb1bfaa9d8d769be878cd1eb9d838beb3be34cd1e1f1433f09f0c2b8a76064bed089b762eb29322e0e4d354feb6c7b3b2c23

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDC3C.exe

Filesize
14KB

MD5
2cfbbbbda01143ca6318d99d2340c40f

SHA1
ffc259ca122b9526af927ec5393337f92bda3ec5

SHA256
a44ed176eae0ec42bd60612637e2cec844653874da42a4437b8083ba941cc34a

SHA512
30236f2352bb4a91ad99becb0ddd783e4032f5465a9596a38b0d6eb7a39aba9868cff4dec3ca463bbdeeff3fa441160f06593da5a8c78a9f0efb59e800b0fdac

Download Submit

Analysis

Sharing