417b104d6a3581efbcc56cc0e2cbca8a1860f4a9dcd290e44f6290dfbbb89774

General

Target

0b60508c9c591ed232688dbcdb511d4e_JaffaCakes118.exe
Size

14KB
MD5

0b60508c9c591ed232688dbcdb511d4e
SHA1

ed0280b75133ecbc3de500af43b5047bfd8494a0
SHA256

417b104d6a3581efbcc56cc0e2cbca8a1860f4a9dcd290e44f6290dfbbb89774
SHA512

42f648ce997e1daa8b02f77324107c8e53d6155170049ef0afefbbd05d7aa3766759aa4f1f33e55c9674d5d7bcbe85a83766862f228bd496f580588934b252d6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRm:hDXWipuE+K3/SSHgxy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2864	DEMBFD6.exe
2592	DEM170A.exe
2616	DEM6D53.exe
360	DEMC35F.exe
2768	DEM1A35.exe
2040	DEM7178.exe

Loads dropped DLL 6 IoCs

pid	Process
2084	0b60508c9c591ed232688dbcdb511d4e_JaffaCakes118.exe
2864	DEMBFD6.exe
2592	DEM170A.exe
2616	DEM6D53.exe
360	DEMC35F.exe
2768	DEM1A35.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC35F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1A35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b60508c9c591ed232688dbcdb511d4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBFD6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM170A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6D53.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2864	2084	0b60508c9c591ed232688dbcdb511d4e_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2864	2084	0b60508c9c591ed232688dbcdb511d4e_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2864	2084	0b60508c9c591ed232688dbcdb511d4e_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2864	2084	0b60508c9c591ed232688dbcdb511d4e_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2592	2864	DEMBFD6.exe	34
PID 2864 wrote to memory of 2592	2864	DEMBFD6.exe	34
PID 2864 wrote to memory of 2592	2864	DEMBFD6.exe	34
PID 2864 wrote to memory of 2592	2864	DEMBFD6.exe	34
PID 2592 wrote to memory of 2616	2592	DEM170A.exe	36
PID 2592 wrote to memory of 2616	2592	DEM170A.exe	36
PID 2592 wrote to memory of 2616	2592	DEM170A.exe	36
PID 2592 wrote to memory of 2616	2592	DEM170A.exe	36
PID 2616 wrote to memory of 360	2616	DEM6D53.exe	38
PID 2616 wrote to memory of 360	2616	DEM6D53.exe	38
PID 2616 wrote to memory of 360	2616	DEM6D53.exe	38
PID 2616 wrote to memory of 360	2616	DEM6D53.exe	38
PID 360 wrote to memory of 2768	360	DEMC35F.exe	40
PID 360 wrote to memory of 2768	360	DEMC35F.exe	40
PID 360 wrote to memory of 2768	360	DEMC35F.exe	40
PID 360 wrote to memory of 2768	360	DEMC35F.exe	40
PID 2768 wrote to memory of 2040	2768	DEM1A35.exe	42
PID 2768 wrote to memory of 2040	2768	DEM1A35.exe	42
PID 2768 wrote to memory of 2040	2768	DEM1A35.exe	42
PID 2768 wrote to memory of 2040	2768	DEM1A35.exe	42

C:\Users\Admin\AppData\Local\Temp\0b60508c9c591ed232688dbcdb511d4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b60508c9c591ed232688dbcdb511d4e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\DEM170A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM170A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\DEM6D53.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6D53.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\DEMC35F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC35F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:360
      - C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\DEM7178.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7178.exe"
        7⤵
        Executes dropped EXE
        
        PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM170A.exe

Filesize
14KB

MD5
dbebbf02356597da3eebfd66628357e5

SHA1
2fcae34807523c95108478f6410d64e21eec505d

SHA256
3316e63553ea2be4cd5bceb51ed2a35175b0e64c124b6b7d54a4e97771a3606f

SHA512
1b9b459d211453e835ac619597c4277317a840e27cc9c4448306501fc78e981317e4f71236cab15a7037e9131b5684d6bbd2e9c5a9e3dff60a451fdf83cece8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe

Filesize
14KB

MD5
a2b1dd4eab54f1d1572a35f76b70e58a

SHA1
237c047c70a1e7e752703d5e4890bdefda570336

SHA256
27a1c8a8da106537baf13b4c327f20e01d60cf365d1d212e99d40ff8752dddbd

SHA512
d5a2ecbb0995dc6f0c07c113e6bb2f4363c7382d3dc12445843cf24151450f15d30c11e1cc8e7df3bca721a73d6febbf3923f1fbd3a1ae7fcf661b42aa6eed1e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6D53.exe

Filesize
14KB

MD5
30cbc43825e740286bb0c06b517e8768

SHA1
07da334e9144313d6389aa380d5b6ebe9752759a

SHA256
426b0cec43280b03092c43258cf0a7c49a8a4898556b1b89a25df801d94698f6

SHA512
c9aaa8f017098289385fc1f20fc0b8b472573684b9040d1f454565da3917b0fccaf823f9847a11a814114398cf2ed022ba6dda635f25f95723319116dea6bb9a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7178.exe

Filesize
14KB

MD5
caee1a8b177a515fe9a29dc921fca827

SHA1
a0585d3c0bc4be39e9f3d7c1924a9376809aa78b

SHA256
b1c7f68a8f9fb5a2e06c531fcc46e15dc48c62ac8593c4ae06c3414474de2ce8

SHA512
2f6221276a62e8cbd5a865c8346df5f4b3bdfa42bd5173349594589e424c4ebfab2d12f29e1258ffa1e02059b82a5d599086a2dab952a4dd4c9a93b1c50991a9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBFD6.exe

Filesize
14KB

MD5
d3fef20c6b984d77a7679e4aabd44bea

SHA1
277ae3cc9c731039bbde4b2c9f36cfd52ad1af16

SHA256
9289ff72f06f20b61e1ff76749686e168e6ca57b6f16116576265455026d0219

SHA512
d155983237edeb1f05ab02df96871784ec284008f60cf679c9b0f4cea4c165e32c3af9e3ff94823b17ab50b0e2d2964215268ca75f47129fb5afb800e4f5df28

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC35F.exe

Filesize
14KB

MD5
60255a74916afc6ddec8a74086d6a0f4

SHA1
d182bc71fb5ec491d3729b618f9f24e99f54f078

SHA256
e969133e3370bfd58a69fa707f4b918cd498e4f6ac6d0c15356fe1d22ba01d3f

SHA512
e816affe8cd3f4011f47fe9807c705e377bcbca765dd46f890ffacbc34843072555242a9210a06a9470308dff9087504084c5448998a762a9945b18886ae5a78

Download Submit

Analysis

Sharing