191f696f3aa5e6222a4c40b8f7ed49b8a4f7a1b4101973e81e2b98fcd9247845

General

Target

023784baa5a1fb0ba65177ce08d80492_JaffaCakes118.exe
Size

14KB
MD5

023784baa5a1fb0ba65177ce08d80492
SHA1

b200b7e6f150eb6659aedaabd449030e6fe101f4
SHA256

191f696f3aa5e6222a4c40b8f7ed49b8a4f7a1b4101973e81e2b98fcd9247845
SHA512

60a0308133cb27895df67324a01208ed43e4c036b22fa86c1733fd8bba99f8ab280cc3d64b8cd27dd1f60815e2b3becd4d6068d28dd216fba1ba37515ff42d2a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJP:hDXWipuE+K3/SSHgx3P

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2724	DEM7EE0.exe
2672	DEMD4DC.exe
2040	DEM29EE.exe
2952	DEM7EFF.exe
1652	DEMD440.exe
2252	DEM2971.exe

Loads dropped DLL 6 IoCs

pid	Process
1672	023784baa5a1fb0ba65177ce08d80492_JaffaCakes118.exe
2724	DEM7EE0.exe
2672	DEMD4DC.exe
2040	DEM29EE.exe
2952	DEM7EFF.exe
1652	DEMD440.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	023784baa5a1fb0ba65177ce08d80492_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7EE0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD4DC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM29EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7EFF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD440.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2724	1672	023784baa5a1fb0ba65177ce08d80492_JaffaCakes118.exe	32
PID 1672 wrote to memory of 2724	1672	023784baa5a1fb0ba65177ce08d80492_JaffaCakes118.exe	32
PID 1672 wrote to memory of 2724	1672	023784baa5a1fb0ba65177ce08d80492_JaffaCakes118.exe	32
PID 1672 wrote to memory of 2724	1672	023784baa5a1fb0ba65177ce08d80492_JaffaCakes118.exe	32
PID 2724 wrote to memory of 2672	2724	DEM7EE0.exe	34
PID 2724 wrote to memory of 2672	2724	DEM7EE0.exe	34
PID 2724 wrote to memory of 2672	2724	DEM7EE0.exe	34
PID 2724 wrote to memory of 2672	2724	DEM7EE0.exe	34
PID 2672 wrote to memory of 2040	2672	DEMD4DC.exe	36
PID 2672 wrote to memory of 2040	2672	DEMD4DC.exe	36
PID 2672 wrote to memory of 2040	2672	DEMD4DC.exe	36
PID 2672 wrote to memory of 2040	2672	DEMD4DC.exe	36
PID 2040 wrote to memory of 2952	2040	DEM29EE.exe	38
PID 2040 wrote to memory of 2952	2040	DEM29EE.exe	38
PID 2040 wrote to memory of 2952	2040	DEM29EE.exe	38
PID 2040 wrote to memory of 2952	2040	DEM29EE.exe	38
PID 2952 wrote to memory of 1652	2952	DEM7EFF.exe	40
PID 2952 wrote to memory of 1652	2952	DEM7EFF.exe	40
PID 2952 wrote to memory of 1652	2952	DEM7EFF.exe	40
PID 2952 wrote to memory of 1652	2952	DEM7EFF.exe	40
PID 1652 wrote to memory of 2252	1652	DEMD440.exe	42
PID 1652 wrote to memory of 2252	1652	DEMD440.exe	42
PID 1652 wrote to memory of 2252	1652	DEMD440.exe	42
PID 1652 wrote to memory of 2252	1652	DEMD440.exe	42

C:\Users\Admin\AppData\Local\Temp\023784baa5a1fb0ba65177ce08d80492_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\023784baa5a1fb0ba65177ce08d80492_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\DEM7EE0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7EE0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\DEMD4DC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD4DC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\DEM29EE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM29EE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\DEM7EFF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7EFF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Users\Admin\AppData\Local\Temp\DEMD440.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD440.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\DEM2971.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2971.exe"
        7⤵
        Executes dropped EXE
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMD4DC.exe

Filesize
14KB

MD5
3068cb9e0ab127c65e56ef244eef4121

SHA1
1e792035a62cad32f4cebd456499c5356a26b016

SHA256
0de08c66e39759ed3b8a683c9134ee5d47782d383ea81f67fc069a316657c7e1

SHA512
7e41efb67c6612815a4a43185a2b50637a7cc5d353ec25f004f471577968b69b80e11341d001599dbe016807627e681e579153cd469b3590dc53a046afff27f0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2971.exe

Filesize
14KB

MD5
6a0e26246c7bc5148bc1ef1e388ea720

SHA1
d1ad8ecae91fb87842081cb8040de176bc669e3e

SHA256
02d558e46cfc076b629f3ec2940d697be74c5b183b5f4abd4ef6ad7a74558cce

SHA512
9bc09fb0516bc99fe2a61e41616073843e27231f8188ef07982576982feb4fb21de473c8c5aafe909aea90e386935608bdc31bf24cfd535656d5a1718e22b8bb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM29EE.exe

Filesize
14KB

MD5
28694fa081cb734fa85976fd0cfd22f6

SHA1
06fe28aa9f8f2b1305586acd92bd2dda78b16ea8

SHA256
207e286bccb8f32c60500fa832c3d83ea7aa19aa03554c4f58a51719a00238e2

SHA512
0d60bfe35e3227a51c7fa8db7817257860069008ca38e027a879a68a734619322b15fb100fc80b644969c88335d0d0de565003620b64315b41465127818af9e6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7EE0.exe

Filesize
14KB

MD5
fb8d5503bdbbd79beae75e38b65c72b2

SHA1
ebca0aaceb5893359bf952ff4aa23379090a215b

SHA256
2fd4f69f3e16710299cf0bb628a3f87589cbb2fd206719163d76d7f3e57df01d

SHA512
6fc3419778c4922d610f3d968a061681530ea9da06aa72734dfeea36778357c6c6aec3645728d9edddd0cb8aea9f33de7be9556872f758f2e0481fa6bf0ac9cf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7EFF.exe

Filesize
14KB

MD5
db3d7653f76502d3d33fa01bc1f83305

SHA1
62917a6fff89b42e22675a23ae5ed07dbbfdcb3a

SHA256
f6b20cbcaef5f68b9563ce4c82a5c632e78172c62738838f5fca97b88e75e6bd

SHA512
00712b5cecc541961bebaa45e21dfffb1f976a203d261abc0b7d9666562f7949fbc1d65f844feab592575ef824a825786d733ade33d1b935931e791b3b5157a6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD440.exe

Filesize
14KB

MD5
8013557ef51161730d91854caa458036

SHA1
7d4b15ee4c61e401c5ff004415b269f3a6517148

SHA256
6d32b9dcdc8ecef28a19c7380e569239bc390dd751b43fe195c3265ba9af172a

SHA512
bc7c764bbeb1fa304deb4b5ea9f9134fea2ac62d579f209a7744962e54392f70b7eb8a715be242cf562e4505de29cd564326e989dbc9bf963ae9168f62a95690

Download Submit

Analysis

Sharing