2b005ae999d86a6ecc9a5916771fdb0e374b4fb9407beec81f19dbc9bd9291d4

General

Target

0caad446dc95451bb5deaba916d0c2fe_JaffaCakes118.exe
Size

14KB
MD5

0caad446dc95451bb5deaba916d0c2fe
SHA1

22313c290ec209dbe6b97d5af283a1cb4d7a9800
SHA256

2b005ae999d86a6ecc9a5916771fdb0e374b4fb9407beec81f19dbc9bd9291d4
SHA512

cf34bc2410503a67c7c32cf980c78de8f8b8b05dba2f18b07bb6db03ada97db57b89c5b4bca5e735642c0d59865a2f9d8599917eee27ef1cc94345ffbdec45a3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYMpg:hDXWipuE+K3/SSHgxmMpg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2752	DEM7BB5.exe
584	DEMD26C.exe
2096	DEM276E.exe
1588	DEM7C70.exe
1188	DEMD1E0.exe
2976	DEM27CC.exe

Loads dropped DLL 6 IoCs

pid	Process
2844	0caad446dc95451bb5deaba916d0c2fe_JaffaCakes118.exe
2752	DEM7BB5.exe
584	DEMD26C.exe
2096	DEM276E.exe
1588	DEM7C70.exe
1188	DEMD1E0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0caad446dc95451bb5deaba916d0c2fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7BB5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD26C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM276E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7C70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD1E0.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2752	2844	0caad446dc95451bb5deaba916d0c2fe_JaffaCakes118.exe	32
PID 2844 wrote to memory of 2752	2844	0caad446dc95451bb5deaba916d0c2fe_JaffaCakes118.exe	32
PID 2844 wrote to memory of 2752	2844	0caad446dc95451bb5deaba916d0c2fe_JaffaCakes118.exe	32
PID 2844 wrote to memory of 2752	2844	0caad446dc95451bb5deaba916d0c2fe_JaffaCakes118.exe	32
PID 2752 wrote to memory of 584	2752	DEM7BB5.exe	34
PID 2752 wrote to memory of 584	2752	DEM7BB5.exe	34
PID 2752 wrote to memory of 584	2752	DEM7BB5.exe	34
PID 2752 wrote to memory of 584	2752	DEM7BB5.exe	34
PID 584 wrote to memory of 2096	584	DEMD26C.exe	36
PID 584 wrote to memory of 2096	584	DEMD26C.exe	36
PID 584 wrote to memory of 2096	584	DEMD26C.exe	36
PID 584 wrote to memory of 2096	584	DEMD26C.exe	36
PID 2096 wrote to memory of 1588	2096	DEM276E.exe	38
PID 2096 wrote to memory of 1588	2096	DEM276E.exe	38
PID 2096 wrote to memory of 1588	2096	DEM276E.exe	38
PID 2096 wrote to memory of 1588	2096	DEM276E.exe	38
PID 1588 wrote to memory of 1188	1588	DEM7C70.exe	40
PID 1588 wrote to memory of 1188	1588	DEM7C70.exe	40
PID 1588 wrote to memory of 1188	1588	DEM7C70.exe	40
PID 1588 wrote to memory of 1188	1588	DEM7C70.exe	40
PID 1188 wrote to memory of 2976	1188	DEMD1E0.exe	42
PID 1188 wrote to memory of 2976	1188	DEMD1E0.exe	42
PID 1188 wrote to memory of 2976	1188	DEMD1E0.exe	42
PID 1188 wrote to memory of 2976	1188	DEMD1E0.exe	42

C:\Users\Admin\AppData\Local\Temp\0caad446dc95451bb5deaba916d0c2fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0caad446dc95451bb5deaba916d0c2fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\DEMD26C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD26C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Users\Admin\AppData\Local\Temp\DEM276E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM276E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\DEM7C70.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7C70.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\DEMD1E0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD1E0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\DEM27CC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM27CC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7C70.exe

Filesize
14KB

MD5
860d64d4b8a34ccc08b29b21702defd5

SHA1
3f403609044ff087cf4e6c142c6fdc8be3209db9

SHA256
2e67ca1fd47ad6a9ecb2f076fff621f2d50e875f1288fbf8505d2714f1ea1a64

SHA512
9c32cbce46a1a796109ce1abe91a9b4c214564f5bf45838031599eabc1384058404ecdb17a8d1f43d7e2101e9dccb6aea5c1154a995c4b12bad9c08c19518380

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD26C.exe

Filesize
14KB

MD5
97339f948fbc0440bb2c25d78e6dcdb6

SHA1
b89351b55ca9937f7ad077624fcf301aa03c23f1

SHA256
5f6c5fffc8d93fdc41b887c822113698c49a0aace8ee3edb39a20220f051ed09

SHA512
ef0ae868b707a3944aabd73ef4fd7628f4d0d1e8cbcf5af4b2b69042fd518cbdf6adef697d421715be77b553e4ca751bb8afdddd295a47c8fd1e638c7160aff6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM276E.exe

Filesize
14KB

MD5
b6192d5907ecf38d7bc9d3bda84071a4

SHA1
04a7d31a68fa546bf1b34b76a129a1191cd13908

SHA256
00d2b9de3295126345c005e10b459dcc589285576345ed80ec5587d105043510

SHA512
9925d89df2207ae0cd3585c05fe24db100d617381d9d1490a1900a7d459f7cd7f9d63f814890fa19e4192f3e496b6a10f0b2ae065e7803af74d140696d902d26

Download Submit
\Users\Admin\AppData\Local\Temp\DEM27CC.exe

Filesize
14KB

MD5
b8743787c67f2adab0987c71f89a97d4

SHA1
7783cf2cbaf1fe5819f257a5722791a2f98bb153

SHA256
ca2100298c81a1acdc1415297b9bbaa547b585e8817622d57f4197cb9307436f

SHA512
32bc736181ac90c71cc48aa83a3037b9da28668e572c457b00a05f0f9ee22d8f07c6a4e5018c2398c0a4dd785d92e173c276328e34b105834a0e10bbfd3d7d51

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7BB5.exe

Filesize
14KB

MD5
33551ba01401d92ea61088bad05579b9

SHA1
3f88dafe7f38645348b1ff754457e0a4f1515899

SHA256
e90bae2b3a0f6fcbc1f5366ad603e2f12f4ef74550fcf55954c1540cb534404f

SHA512
adcea9fc7b512f826afcc0ef609e103c9065a75e1f2b13363ed0fc03d3cf7fff7502d6ce1c1a1e6a1c93c809f3257f25543075784178de35a4fd0c586f5c2f50

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD1E0.exe

Filesize
14KB

MD5
661c7dddbcfb9f8abf22462735eb8687

SHA1
9a32e6ed686558a774c56b51d523350f69f2f464

SHA256
7b667a4e8620b4df2b675edcf9b37f7e2dbfe594cbdb5e908ddfbf033c099746

SHA512
6d1c3d2a50dee063b6e27f94b6c1236f7e8dd015552b90b7735742f0f85bf8190e76005a1b37f6ff2605f68094a5be99baad65fd931ff67b9b3a18e29531bdd7

Download Submit

Analysis

Sharing