54b0f53f5c6de527ce92be03467dde8bd4a7694c39c1290350121f4d8a2447c5

General

Target

09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe
Size

14KB
MD5

09b766597c897a0eb8ed58cca3bbed34
SHA1

6135a1013963463c62b1b361be40704bcc037176
SHA256

54b0f53f5c6de527ce92be03467dde8bd4a7694c39c1290350121f4d8a2447c5
SHA512

896c7713588682def338a78dc2730ffc4c9a44190499c397c51f3ca5a3dcab05976e84dc1fddde781139ffa9e8dfdbf8a2db0d308ae3221c7661afdbce0ad8ca
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyO00:hDXWipuE+K3/SSHgxmyOH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2268	DEME743.exe
2196	DEM3C74.exe
2472	DEM91E3.exe
332	DEME6E6.exe
2156	DEM3C07.exe
1292	DEM91B5.exe

Loads dropped DLL 6 IoCs

pid	Process
2700	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe
2268	DEME743.exe
2196	DEM3C74.exe
2472	DEM91E3.exe
332	DEME6E6.exe
2156	DEM3C07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME743.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM91E3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME6E6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2268	2700	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2268	2700	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2268	2700	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2268	2700	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2196	2268	DEME743.exe	34
PID 2268 wrote to memory of 2196	2268	DEME743.exe	34
PID 2268 wrote to memory of 2196	2268	DEME743.exe	34
PID 2268 wrote to memory of 2196	2268	DEME743.exe	34
PID 2196 wrote to memory of 2472	2196	DEM3C74.exe	36
PID 2196 wrote to memory of 2472	2196	DEM3C74.exe	36
PID 2196 wrote to memory of 2472	2196	DEM3C74.exe	36
PID 2196 wrote to memory of 2472	2196	DEM3C74.exe	36
PID 2472 wrote to memory of 332	2472	DEM91E3.exe	39
PID 2472 wrote to memory of 332	2472	DEM91E3.exe	39
PID 2472 wrote to memory of 332	2472	DEM91E3.exe	39
PID 2472 wrote to memory of 332	2472	DEM91E3.exe	39
PID 332 wrote to memory of 2156	332	DEME6E6.exe	41
PID 332 wrote to memory of 2156	332	DEME6E6.exe	41
PID 332 wrote to memory of 2156	332	DEME6E6.exe	41
PID 332 wrote to memory of 2156	332	DEME6E6.exe	41
PID 2156 wrote to memory of 1292	2156	DEM3C07.exe	43
PID 2156 wrote to memory of 1292	2156	DEM3C07.exe	43
PID 2156 wrote to memory of 1292	2156	DEM3C07.exe	43
PID 2156 wrote to memory of 1292	2156	DEM3C07.exe	43

C:\Users\Admin\AppData\Local\Temp\09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\DEME743.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME743.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\DEM3C74.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3C74.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\DEM91E3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM91E3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\DEME6E6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME6E6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:332
      - C:\Users\Admin\AppData\Local\Temp\DEM3C07.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C07.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\DEM91B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM91B5.exe"
        7⤵
        Executes dropped EXE
        
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3C74.exe

Filesize
14KB

MD5
b73fad3d7517d981949f5268dacd1104

SHA1
eb8e35e4c95bb4d670a5e927381beb4eb1da1446

SHA256
792f27740cd722d99c3cd9743dcc569962dea940f0c3925159f00ece6c5fc8b8

SHA512
ddcad4bbdeff9d2728c898432e816424ae7776e57e03a1c9e0ea66e57dffe0daca0da1983c9608c5bf33f3c0482d667a9b6bf5913e9d76c35f44c69904e8941a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM91E3.exe

Filesize
14KB

MD5
7464ac311990706d5141c00e071c102e

SHA1
47a4ca98d11cdfbcd99d42349edc98ce7f042a6d

SHA256
f572a313ffc8b83d4587813b0863664527d89630bb6805e974bae2badb08fa5c

SHA512
975144c71f72d1983a2fa88b5ffd45e93063961effd94c9e60acd2bcef4e91591a5544d46cd7c2f41591f237955f98c2d1342ae8b074d1ae567fc607ad4b88e4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3C07.exe

Filesize
14KB

MD5
6c46dacfee07089ffce9942f5062e0bb

SHA1
48bf4649b6c60c54eb0e54a68ef88ae747423225

SHA256
2dcd90a6bb5eea6c80d4125f0d92e9de5be543e062a2ec72db0c72ed9c6641a3

SHA512
f99f396e180266def12478dd75c9ee02fc976733fbeecf31feaaca4bd8f94d11d7ef33b9804184b09ae210ac33d17a640528e596df9055b5d43dadae8be264cc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM91B5.exe

Filesize
14KB

MD5
ec6009d41866997bf1eb62383cae41b7

SHA1
44870c6e2293c6af21adf1a1539d2ebccf7989cb

SHA256
060764a672d2ac75ef25f6df7c532c6eb3bda33161996dbfed65c93341e81e7e

SHA512
b028d8106638d706770192197e98bb11ba5af951c1a2f4da3546303d7dde8dac54b9c32263d618befa35ce475767b3a73e1316bb2fa4dde8446cb9e97c32af32

Download Submit
\Users\Admin\AppData\Local\Temp\DEME6E6.exe

Filesize
14KB

MD5
92393ae9082c255fddeb86ad158d3ff1

SHA1
0bd81110cb5c609997b15a939b4b3ca69508ffb3

SHA256
0d5df54a308d3e123ebe9b4f1ae41b4ddbcaa78d1d5a709f624c9ed3770ea588

SHA512
79073a6043fae22499ac640e150d5cdec294b38b9406dad688c4a557d0e4d1bf9a47fb050e9c9e0b78177e1abe67aeeca6ef54b96ac98ee80b34f7cbba30d533

Download Submit
\Users\Admin\AppData\Local\Temp\DEME743.exe

Filesize
14KB

MD5
533241460820cbb57949280a299deda4

SHA1
3000db2d033049b69ad34fa44255849515d7eb20

SHA256
dc31a07bb81637a0bfa911d936171d408cf69eae0406dae00b2b05391dece36d

SHA512
259e4c541aff12bc86c49fdb631f78235e861d385db4706d5afe5053f229eda568a6b8561e28e30758d68f8500cf2f5974a923091a25c54648a2ff4cc91156a0

Download Submit

Analysis

Sharing