708e2fa07fb077ea8eb6595f83917d88a6cee28a93eed357b2a3a53fd9906382

General

Target

06ef29470b4665740e0d808bdc8069f4_JaffaCakes118.exe
Size

13KB
MD5

06ef29470b4665740e0d808bdc8069f4
SHA1

72dbe7885187690351ab25d18d16e4f73c784816
SHA256

708e2fa07fb077ea8eb6595f83917d88a6cee28a93eed357b2a3a53fd9906382
SHA512

f8b7322011e671616cee8df01a60be4a8f8fc482ec5671bee6a4b04f9364a514a2bfee14c7514f60e46bdac36eb9f3b0fa9c8b089cf37f017409555c88711701
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0H:hDXWipuE+K3/SSHgx4H

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2972	DEMC4C5.exe
2356	DEM19E7.exe
2656	DEM6F18.exe
1120	DEMC4B6.exe
2916	DEM1A06.exe
2136	DEM6F47.exe

Loads dropped DLL 6 IoCs

pid	Process
2100	06ef29470b4665740e0d808bdc8069f4_JaffaCakes118.exe
2972	DEMC4C5.exe
2356	DEM19E7.exe
2656	DEM6F18.exe
1120	DEMC4B6.exe
2916	DEM1A06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC4B6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1A06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06ef29470b4665740e0d808bdc8069f4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC4C5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM19E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6F18.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2972	2100	06ef29470b4665740e0d808bdc8069f4_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2972	2100	06ef29470b4665740e0d808bdc8069f4_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2972	2100	06ef29470b4665740e0d808bdc8069f4_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2972	2100	06ef29470b4665740e0d808bdc8069f4_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2356	2972	DEMC4C5.exe	34
PID 2972 wrote to memory of 2356	2972	DEMC4C5.exe	34
PID 2972 wrote to memory of 2356	2972	DEMC4C5.exe	34
PID 2972 wrote to memory of 2356	2972	DEMC4C5.exe	34
PID 2356 wrote to memory of 2656	2356	DEM19E7.exe	36
PID 2356 wrote to memory of 2656	2356	DEM19E7.exe	36
PID 2356 wrote to memory of 2656	2356	DEM19E7.exe	36
PID 2356 wrote to memory of 2656	2356	DEM19E7.exe	36
PID 2656 wrote to memory of 1120	2656	DEM6F18.exe	38
PID 2656 wrote to memory of 1120	2656	DEM6F18.exe	38
PID 2656 wrote to memory of 1120	2656	DEM6F18.exe	38
PID 2656 wrote to memory of 1120	2656	DEM6F18.exe	38
PID 1120 wrote to memory of 2916	1120	DEMC4B6.exe	40
PID 1120 wrote to memory of 2916	1120	DEMC4B6.exe	40
PID 1120 wrote to memory of 2916	1120	DEMC4B6.exe	40
PID 1120 wrote to memory of 2916	1120	DEMC4B6.exe	40
PID 2916 wrote to memory of 2136	2916	DEM1A06.exe	42
PID 2916 wrote to memory of 2136	2916	DEM1A06.exe	42
PID 2916 wrote to memory of 2136	2916	DEM1A06.exe	42
PID 2916 wrote to memory of 2136	2916	DEM1A06.exe	42

C:\Users\Admin\AppData\Local\Temp\06ef29470b4665740e0d808bdc8069f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06ef29470b4665740e0d808bdc8069f4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\DEMC4C5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC4C5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\DEM19E7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM19E7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\DEM6F18.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6F18.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\DEMC4B6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC4B6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Users\Admin\AppData\Local\Temp\DEM1A06.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A06.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\DEM6F47.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6F47.exe"
        7⤵
        Executes dropped EXE
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM19E7.exe

Filesize
13KB

MD5
2ca26428bb3ee62aa8381d29e7509d2d

SHA1
45696515a9f9352108b7e3aa72fdd9308d8ec122

SHA256
e4de98eb3671f78a33605a75e9e2e84e2d61886c7f1243fa630d0a76f97e5a07

SHA512
07a8c6e74c935d08013b9308127931b0422a6bd7fd29f609e07d43630a944162db5d94f4cd16c148be09eafe5d0dff5332d50a06646981f309b21109bc89e7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6F18.exe

Filesize
13KB

MD5
27181e9057765ee3d5317649b71e9259

SHA1
29aa5972f79f3e2ef42f0e8c43698881b583fbf6

SHA256
f36455fbe7a37ac50c6580000914e970a1f120899bc87faae49ded2e00e281b5

SHA512
b9ffcfd26132e8b3cd9ac36b832921eb78ac39d2f232b971c12728811a7d2a082a2bf4704db11fe273f6f6883057f964b0143d6130f986edd6aba300b0449994

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC4B6.exe

Filesize
13KB

MD5
d7055c1bd1f37d6be8e8521026c2a639

SHA1
4ea0ae6ae8c6e806528242511cfca884c7f17452

SHA256
c6be3091c6b87fd2ab8ffb4e5ce3f5ffdec2ace8a21a7dfbc590940ae130031d

SHA512
7a6483b4a9dc5df06c95eb32a735332cc8818c0c3435e5d788f683ad498b5901b8408f0ddd3c951908a05e4735ee9ad10f4b3c8e0cd170dde12da9cdbe71d0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC4C5.exe

Filesize
13KB

MD5
c8d43ff6f057c36cb9da657f07784072

SHA1
dfdba5a42a3faebf893beb2c69e836729f78f63d

SHA256
9a91c1257e81c5440d1f42ac1c573e90b2c7ac64e884b6c9072cfaf2b40072a8

SHA512
0ea16c4be0cc389e65fef71481dd28540d12304ddca3583b724a006fb4b590cc5f053cdf16d6068f76d3db2a2309ea365e731f39c22988e5c393bc01798c95b1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A06.exe

Filesize
13KB

MD5
e114b4e3b188f97f5be45849eb2c3c6d

SHA1
cd828ee5f12275d18fd0fe7f5858909118ef0e2f

SHA256
03459d69918d1b17b7cccf7214c5578037fd060a154997f2d5a505ab2e3a73e3

SHA512
e1831c77ff3bd46eb7dca616c0c1e216246e0c179242a02bfe85c8c95d51f81ae9ee13b1bf82eead981e94147b1298cb05483b9dacd7c0857867a50e724fa30e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6F47.exe

Filesize
13KB

MD5
8c4aad2f8c0da9c808f76c774ecae4fd

SHA1
24f2b60a3d233170b8477f3c1e8083f5ec5c3b82

SHA256
f465f1ce1f3bab2b262ccfe4c3b3d0ca4531521445b16f9dbaa9340502d75c93

SHA512
5da93b24f112d0b713757d23a923149a6873041368b32ce2cd7c7fb19497220e8997567ebc15f32fab5bbb4ffbc52e5014188116b0c9f10a29455fcc1133d05a

Download Submit

Analysis

Sharing