1f4d41f2c43191f0d32f425d1f12dc44341a0cc422e4cb446f24ad3f552ab363

General

Target

0e9b852573b4fbe5ba57ef3aa26918c9_JaffaCakes118.exe
Size

13KB
MD5

0e9b852573b4fbe5ba57ef3aa26918c9
SHA1

444599e42de02a3103282147fb842f20fe83f4b1
SHA256

1f4d41f2c43191f0d32f425d1f12dc44341a0cc422e4cb446f24ad3f552ab363
SHA512

203c230b502423d31b6500e0b7c7992177e3c33e03b1f7e7b41462a4fb48a9680fa067cd074a647a400374c37c21f801a0aece08dcb0ebf10d1b0626fbc6442e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh9:hDXWipuE+K3/SSHgxf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2552	DEMFF94.exe
2632	DEM54E4.exe
2104	DEMAA72.exe
1488	DEM6E.exe
1824	DEM55DD.exe
2212	DEMAB4D.exe

Loads dropped DLL 6 IoCs

pid	Process
2652	0e9b852573b4fbe5ba57ef3aa26918c9_JaffaCakes118.exe
2552	DEMFF94.exe
2632	DEM54E4.exe
2104	DEMAA72.exe
1488	DEM6E.exe
1824	DEM55DD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM55DD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e9b852573b4fbe5ba57ef3aa26918c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFF94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM54E4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAA72.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2552	2652	0e9b852573b4fbe5ba57ef3aa26918c9_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2552	2652	0e9b852573b4fbe5ba57ef3aa26918c9_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2552	2652	0e9b852573b4fbe5ba57ef3aa26918c9_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2552	2652	0e9b852573b4fbe5ba57ef3aa26918c9_JaffaCakes118.exe	31
PID 2552 wrote to memory of 2632	2552	DEMFF94.exe	33
PID 2552 wrote to memory of 2632	2552	DEMFF94.exe	33
PID 2552 wrote to memory of 2632	2552	DEMFF94.exe	33
PID 2552 wrote to memory of 2632	2552	DEMFF94.exe	33
PID 2632 wrote to memory of 2104	2632	DEM54E4.exe	35
PID 2632 wrote to memory of 2104	2632	DEM54E4.exe	35
PID 2632 wrote to memory of 2104	2632	DEM54E4.exe	35
PID 2632 wrote to memory of 2104	2632	DEM54E4.exe	35
PID 2104 wrote to memory of 1488	2104	DEMAA72.exe	37
PID 2104 wrote to memory of 1488	2104	DEMAA72.exe	37
PID 2104 wrote to memory of 1488	2104	DEMAA72.exe	37
PID 2104 wrote to memory of 1488	2104	DEMAA72.exe	37
PID 1488 wrote to memory of 1824	1488	DEM6E.exe	40
PID 1488 wrote to memory of 1824	1488	DEM6E.exe	40
PID 1488 wrote to memory of 1824	1488	DEM6E.exe	40
PID 1488 wrote to memory of 1824	1488	DEM6E.exe	40
PID 1824 wrote to memory of 2212	1824	DEM55DD.exe	42
PID 1824 wrote to memory of 2212	1824	DEM55DD.exe	42
PID 1824 wrote to memory of 2212	1824	DEM55DD.exe	42
PID 1824 wrote to memory of 2212	1824	DEM55DD.exe	42

C:\Users\Admin\AppData\Local\Temp\0e9b852573b4fbe5ba57ef3aa26918c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e9b852573b4fbe5ba57ef3aa26918c9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\DEMFF94.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMFF94.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\DEM54E4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM54E4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\DEMAA72.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAA72.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\DEM6E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Users\Admin\AppData\Local\Temp\DEM55DD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM55DD.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\DEMAB4D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAB4D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM54E4.exe

Filesize
13KB

MD5
fd33da1beae51f474d469fb55676e818

SHA1
816aca4fdcf291a968e3f438e800527a3a6d9a6f

SHA256
35893a053ca9b1e2abe50fba10da55721528372939ff4df124473479af1dfd4f

SHA512
da6588e825231b9e9a3878ff37d33ea4500c69b75fb92d2347a8ce18481da6073c733b3e7ae5478db39541bc1363ffa618223fa797901f252d710f3b23313aab

Download Submit
\Users\Admin\AppData\Local\Temp\DEM55DD.exe

Filesize
13KB

MD5
e1514b5d8957eff12561b7d8399e7918

SHA1
9f9ac68105d19c5f618b9c54ec325fa2a008c9c4

SHA256
3bfc4563e9d2dca4b54b15a182589f25185c5ac8cf8284c6b9cedd654ee4a3bf

SHA512
414dc66311b67fd66bf958b8af620ffd55f84cc96c5ab3043a22a0f340559c596a43b45fa731cd13d2350022ec7fd13bd5122b966bd07b8cff3c0ecefe5c4a2e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6E.exe

Filesize
13KB

MD5
97977ed5700a419623f1dd059496ff94

SHA1
1331dbda9771c7955d7eb906e49bdbc1fe83e542

SHA256
da4d5423aea21ae36053bb47235f1d860c1e03bc66057dc94782951bd7dfd02f

SHA512
cad8ce89ef96abcef569a73b7d62805e4131905bef54383ca5b0af8da39c1ef5b5e9eeb211aa93ad2488fca4dce7b29f06c0bd13ef367b1ad90bddab47a8654a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAA72.exe

Filesize
13KB

MD5
5acb4148240d66223dba753aee9a143e

SHA1
4d106f6c75058bb6a9eb4efead75fe6051be1fee

SHA256
1d319c2fb9f38dfcc900adafd0dd7a8b9d8a001b4645ce1ad3037c59d9afd47d

SHA512
13d27373bf9021079af60aa2c5a881e6a97005d53c6a48e8f720fb003393ab7532ea1b401c962b7ebc0ba8000686a9fae1129e39aa83a4c37b7532aaceb02bcc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAB4D.exe

Filesize
13KB

MD5
88acef2747c99debd024d212e8b7f0fd

SHA1
c980a17eed4755b9aeaa5fdb84608623f44213ba

SHA256
2e920f7d03918e553ef772f576cd2314550667e3fab5b9a234f882d57fbc257e

SHA512
ca667561aeabc1896fe3453a90ab400d8ce1fd102bf01aaff4c6d53950450be1cf5094edc6ec7961b6bfa7a518d86d174aed250b153fbf6444ebc3212100c12f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFF94.exe

Filesize
13KB

MD5
430c1f0aae1523bc388a41080239aefd

SHA1
54a2c4e337a2c301fa1fd5c2beb7f81c64f0dc83

SHA256
0f034966563edc4e1fea495e87418cb90ee994f45d59214609ba828f24bfa90e

SHA512
86af7ce14ad641516741ff85f4867757a3b6cc923b4dd97535b78a4214c2181fb370301e7a040fe3666794891e51ba3839a2578a1cdf3fb3c680c2a101b1b81a

Download Submit

Analysis

Sharing