c5a5bf9e193db3a4fdbd9ff6774820fda4129458c45b6ea03eb0c4d21bda1f1f

General

Target

04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe
Size

14KB
MD5

04a6ac56418ed58ff297726d369817ac
SHA1

06d5798be725620259492c7e18adeb59c3016014
SHA256

c5a5bf9e193db3a4fdbd9ff6774820fda4129458c45b6ea03eb0c4d21bda1f1f
SHA512

bd13080a3771b90dc111e4867d5c38dadb78a98c665eea28d83d69e4b4e52bfac83f8e979b539dc694faf5af8787e86fb983d2d5f4805050e3993bf76115754a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq:hDXWipuE+K3/SSHgxmq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2800	DEMF038.exe
2580	DEM4588.exe
2900	DEM9B17.exe
2620	DEMF048.exe
1840	DEM45A8.exe
2412	DEM9AD9.exe

Loads dropped DLL 6 IoCs

pid	Process
2644	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe
2800	DEMF038.exe
2580	DEM4588.exe
2900	DEM9B17.exe
2620	DEMF048.exe
1840	DEM45A8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM45A8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9B17.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2800	2644	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2800	2644	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2800	2644	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2800	2644	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2580	2800	DEMF038.exe	33
PID 2800 wrote to memory of 2580	2800	DEMF038.exe	33
PID 2800 wrote to memory of 2580	2800	DEMF038.exe	33
PID 2800 wrote to memory of 2580	2800	DEMF038.exe	33
PID 2580 wrote to memory of 2900	2580	DEM4588.exe	35
PID 2580 wrote to memory of 2900	2580	DEM4588.exe	35
PID 2580 wrote to memory of 2900	2580	DEM4588.exe	35
PID 2580 wrote to memory of 2900	2580	DEM4588.exe	35
PID 2900 wrote to memory of 2620	2900	DEM9B17.exe	38
PID 2900 wrote to memory of 2620	2900	DEM9B17.exe	38
PID 2900 wrote to memory of 2620	2900	DEM9B17.exe	38
PID 2900 wrote to memory of 2620	2900	DEM9B17.exe	38
PID 2620 wrote to memory of 1840	2620	DEMF048.exe	40
PID 2620 wrote to memory of 1840	2620	DEMF048.exe	40
PID 2620 wrote to memory of 1840	2620	DEMF048.exe	40
PID 2620 wrote to memory of 1840	2620	DEMF048.exe	40
PID 1840 wrote to memory of 2412	1840	DEM45A8.exe	42
PID 1840 wrote to memory of 2412	1840	DEM45A8.exe	42
PID 1840 wrote to memory of 2412	1840	DEM45A8.exe	42
PID 1840 wrote to memory of 2412	1840	DEM45A8.exe	42

C:\Users\Admin\AppData\Local\Temp\04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\DEMF038.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF038.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\DEM4588.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4588.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\DEM9B17.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9B17.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\DEMF048.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF048.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Users\Admin\AppData\Local\Temp\DEM45A8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM45A8.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\DEM9AD9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9AD9.exe"
        7⤵
        Executes dropped EXE
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4588.exe

Filesize
14KB

MD5
df0775725304b3b795d75b1715992392

SHA1
aa2eb363fd97e69905ef4e91f3001878059b014a

SHA256
abe381934f1c8806c641517d6746c5167accac38a1d9a28a72ec822c757518fc

SHA512
726ec8389e903b88a69c6ebe9f7af42e462628e2b7ffc3ca6e82207c187225acc70b6fbef795f7eff6a2ce977b2325949c6684b0ac63b02d0134fb1e4bb2cf61

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B17.exe

Filesize
14KB

MD5
1d89ad610d56767080b0676d274a9972

SHA1
b55154870c815e61470fc4795fa3c330404ba9d3

SHA256
c64567ac3ff89df3aacbd7ad3af8021a23078a178f95b6d79494a0316bf7dcf9

SHA512
a8434919c42093efbc77df08abd8f5558314364aefd2bc14081a3e0d702df946246a1bc4894fa104337412a8ed018de23684c49d6f3ffbb0b1013958bce95893

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF038.exe

Filesize
14KB

MD5
7093838a15067e815d104a2a428cf6d8

SHA1
e926d418c5a08cb563ded3ee02f9c35500dfa07e

SHA256
ff47a968447c477a6eaa6a61b7120fbd72cc66eac351372525e3118e53df4434

SHA512
5ad70a2a7ff17705fa3910d5d99b1697c9a7baf5d07044acb0be091cad1abbb5224f36fd64cf5805c57d03a88a07414edfe1fd93b575ebbcecfb88c14845265a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM45A8.exe

Filesize
14KB

MD5
4f51c1d3d5c9cc93c471bd54e211d55c

SHA1
d775963228c47fb01d6f8689d95af979508908c0

SHA256
27c37ef1ffdfc3ad525316865dfcf1a11f7498901d979150cd51389fffaf4e6a

SHA512
56f7067abde4dcc77c9370cfc52365148716461aeb0de7cb6336d493cb02f7febbbe1613c67ba4717d66c5ea538e32ea05ff3c0b746c6685be38030d08fbae93

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9AD9.exe

Filesize
14KB

MD5
3db937b50ad3f54865284f13ca65010d

SHA1
7204fc6a8735e5dc0b7b67ff40796183f1cf1eda

SHA256
9d3d0d5fe793e8ed7120d9c66c79166fabb2acc95a09c4dda3c234d920fc0a13

SHA512
b3d20097e1c486f185a626d0fb900c7d5af22584c98d2c1501f030fa5c3e4c598a2d1d4e906e998b17bfa4c155c2769d493fdc4cd1e10e94abec6a24bd4b4501

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF048.exe

Filesize
14KB

MD5
153584f9e9099191afafbe180d47135c

SHA1
2988396956e61067d7353a7227e9dbb4c70d7222

SHA256
6bd015e1bf0e54c6ce59d6af3771213c0287e9fcf5df90406f85c57a2a7fb1ce

SHA512
235de11a2fdb99aafaee60691dba650761bbc43163d662913d806a4682cf8aa53d699398d8c6f995dab342b66a9d3597c94158e90650158526459a5d7d2289cb

Download Submit

Analysis

Sharing