0436960101c4c1693441b19240e2bdd95d4c8a41875bc505244f9740912dd130

General

Target

0bdf8f79f93413468f64b48b0501ffac_JaffaCakes118.exe
Size

15KB
MD5

0bdf8f79f93413468f64b48b0501ffac
SHA1

2095288c215e5eb399f4728818215d8945784dec
SHA256

0436960101c4c1693441b19240e2bdd95d4c8a41875bc505244f9740912dd130
SHA512

c95fa5853cdcb920f30732fb8295b60ad9e8f1278681dc500feb95bdb43b1230535cb4ecffbdf0c87571d45e71cc06f0b89f4a1ce65aa5316d796d83164a9acb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEC:hDXWipuE+K3/SSHgx5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2680	DEMF0D4.exe
2640	DEM4644.exe
2660	DEM9B55.exe
1412	DEMF096.exe
1844	DEM45B7.exe
1588	DEM9B07.exe

Loads dropped DLL 6 IoCs

pid	Process
2692	0bdf8f79f93413468f64b48b0501ffac_JaffaCakes118.exe
2680	DEMF0D4.exe
2640	DEM4644.exe
2660	DEM9B55.exe
1412	DEMF096.exe
1844	DEM45B7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bdf8f79f93413468f64b48b0501ffac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF0D4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9B55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF096.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM45B7.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2680	2692	0bdf8f79f93413468f64b48b0501ffac_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2680	2692	0bdf8f79f93413468f64b48b0501ffac_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2680	2692	0bdf8f79f93413468f64b48b0501ffac_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2680	2692	0bdf8f79f93413468f64b48b0501ffac_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2640	2680	DEMF0D4.exe	33
PID 2680 wrote to memory of 2640	2680	DEMF0D4.exe	33
PID 2680 wrote to memory of 2640	2680	DEMF0D4.exe	33
PID 2680 wrote to memory of 2640	2680	DEMF0D4.exe	33
PID 2640 wrote to memory of 2660	2640	DEM4644.exe	35
PID 2640 wrote to memory of 2660	2640	DEM4644.exe	35
PID 2640 wrote to memory of 2660	2640	DEM4644.exe	35
PID 2640 wrote to memory of 2660	2640	DEM4644.exe	35
PID 2660 wrote to memory of 1412	2660	DEM9B55.exe	38
PID 2660 wrote to memory of 1412	2660	DEM9B55.exe	38
PID 2660 wrote to memory of 1412	2660	DEM9B55.exe	38
PID 2660 wrote to memory of 1412	2660	DEM9B55.exe	38
PID 1412 wrote to memory of 1844	1412	DEMF096.exe	40
PID 1412 wrote to memory of 1844	1412	DEMF096.exe	40
PID 1412 wrote to memory of 1844	1412	DEMF096.exe	40
PID 1412 wrote to memory of 1844	1412	DEMF096.exe	40
PID 1844 wrote to memory of 1588	1844	DEM45B7.exe	42
PID 1844 wrote to memory of 1588	1844	DEM45B7.exe	42
PID 1844 wrote to memory of 1588	1844	DEM45B7.exe	42
PID 1844 wrote to memory of 1588	1844	DEM45B7.exe	42

C:\Users\Admin\AppData\Local\Temp\0bdf8f79f93413468f64b48b0501ffac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bdf8f79f93413468f64b48b0501ffac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\DEMF0D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF0D4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\DEM4644.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4644.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\DEM9B55.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9B55.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\DEMF096.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF096.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Users\Admin\AppData\Local\Temp\DEM45B7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM45B7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\DEM9B07.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9B07.exe"
        7⤵
        Executes dropped EXE
        
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4644.exe

Filesize
15KB

MD5
35fcdf11d52282fd14b967aa6c6f751d

SHA1
76fb745f300f97397299468ac3bfb101480fd67c

SHA256
5328aed604c8e3e2bba464da86534ff162e5b8f7e666f4523af3ce48c57ab7df

SHA512
f58af25c0753c15eb69d19057bcf6e514b98f03704b55520b3e293fb72938bb8c4a3dc25901c22e67367b32c74429de3383a0e6893bbca8cea9de3f304653627

Download Submit
\Users\Admin\AppData\Local\Temp\DEM45B7.exe

Filesize
15KB

MD5
26ee77f91df47de033b23bd8ee62fc43

SHA1
a4f8486a3aa9c43d49865ded2970151006206632

SHA256
ce73cacbfc0aa5bc83864e8ac2d4906bbebb4bc042cd971c2209af4d98d0c174

SHA512
e8f0b3314ee497132c66359c4d548c48b78a09ecf39f79e7e4898c2bc4e60c4dea32c63c30844e4b37a9515942eab1ac87f99b8cd2bcb0a3d7bf43a9cc0e43d2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9B07.exe

Filesize
15KB

MD5
5a7688b82d14c9b35235c0d806aa09ec

SHA1
e660cab5acc55aec3deee13e8b08b64e12a6a2f0

SHA256
f687648751fa253f9d6521ca9a9d7d3340ac05e82dfd49f4c935f3254a02261d

SHA512
ec5fb1e81f5750dce71948d4e55beaf92ac063815637acca2b393e6837d7cd5efe085d381ff7608b6e9a5e620020943dcec3bab81d01b3ae85ba8a5d611102e7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9B55.exe

Filesize
15KB

MD5
f8d23fe10ebe35b8dcc61a9dd303966b

SHA1
14bc998840e57c71514c5132e2d01c6fa315eae6

SHA256
6e090bc299508241577f187b340ab1177ec68058384be5d9dc45b72660bb17d8

SHA512
5630829c723846b151d416c8c65a0e9b6e5fb68744a7c26db4c747d6c0e505dea21b149d137e2755ce7e7f27b04e36bd9c903d1cc83ad242fa393149a3f0abce

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF096.exe

Filesize
15KB

MD5
983b14963d9d095230586009952b64c1

SHA1
dc855bfd05f586f9c591cc6ca818e37eddd26060

SHA256
a18f9c4097dc429c0c72ac8c811ce41ecd2504731d0112d0c7dc52f2ce10a977

SHA512
3b13ee00d10981f428e3ad780a5e44f25efef8b890492fae82f4c8bbc79437dc3054bdcb7324bce1836ea3c9a2f6da36ad605d6a8dc090b3b3dad01aeed4db6b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF0D4.exe

Filesize
15KB

MD5
71a022274cc40d7928290794aa371f4b

SHA1
e0bc36bee15cde30d7991f7f2ada1b0904092376

SHA256
9c5b4cd23523eb808e14040cbf2789fdc86ea14305d21f4b3b29815f5e1d0f3a

SHA512
14f78805a89e24a2f364344bb48eddfe1e9d2fc18f0b9683c483063c825f90c50bb835a0acdae4383af7b5eb6c9f3bf27115555ab9260f097e00e5e34daf39ab

Download Submit

Analysis

Sharing