a34146e76587fd5f85fcd4a5285dc8fdb9eb647adee972ca2c40c5d4d8fa4b20

General

Target

0f1f1ce43d059062ef8798bf6f7a0b27_JaffaCakes118.exe
Size

14KB
MD5

0f1f1ce43d059062ef8798bf6f7a0b27
SHA1

8143ffb4c07c43eea42287dc39dcd65274fdc004
SHA256

a34146e76587fd5f85fcd4a5285dc8fdb9eb647adee972ca2c40c5d4d8fa4b20
SHA512

786a714b43f9010f2adf9aebdc0de61ed41c81b337ffa022884968d0c89d34680a466afcfec139f04d6e1d3ff0ca16fb43d30123657e40b9decca5f2ddf801d1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY48B:hDXWipuE+K3/SSHgxmF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2792	DEM4F77.exe
2632	DEMA544.exe
1656	DEMFB50.exe
2544	DEM50AF.exe
2376	DEMA5E0.exe
2156	DEMFB40.exe

Loads dropped DLL 6 IoCs

pid	Process
3052	0f1f1ce43d059062ef8798bf6f7a0b27_JaffaCakes118.exe
2792	DEM4F77.exe
2632	DEMA544.exe
1656	DEMFB50.exe
2544	DEM50AF.exe
2376	DEMA5E0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f1f1ce43d059062ef8798bf6f7a0b27_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4F77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA544.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFB50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM50AF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA5E0.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2792	3052	0f1f1ce43d059062ef8798bf6f7a0b27_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2792	3052	0f1f1ce43d059062ef8798bf6f7a0b27_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2792	3052	0f1f1ce43d059062ef8798bf6f7a0b27_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2792	3052	0f1f1ce43d059062ef8798bf6f7a0b27_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2632	2792	DEM4F77.exe	33
PID 2792 wrote to memory of 2632	2792	DEM4F77.exe	33
PID 2792 wrote to memory of 2632	2792	DEM4F77.exe	33
PID 2792 wrote to memory of 2632	2792	DEM4F77.exe	33
PID 2632 wrote to memory of 1656	2632	DEMA544.exe	35
PID 2632 wrote to memory of 1656	2632	DEMA544.exe	35
PID 2632 wrote to memory of 1656	2632	DEMA544.exe	35
PID 2632 wrote to memory of 1656	2632	DEMA544.exe	35
PID 1656 wrote to memory of 2544	1656	DEMFB50.exe	37
PID 1656 wrote to memory of 2544	1656	DEMFB50.exe	37
PID 1656 wrote to memory of 2544	1656	DEMFB50.exe	37
PID 1656 wrote to memory of 2544	1656	DEMFB50.exe	37
PID 2544 wrote to memory of 2376	2544	DEM50AF.exe	39
PID 2544 wrote to memory of 2376	2544	DEM50AF.exe	39
PID 2544 wrote to memory of 2376	2544	DEM50AF.exe	39
PID 2544 wrote to memory of 2376	2544	DEM50AF.exe	39
PID 2376 wrote to memory of 2156	2376	DEMA5E0.exe	41
PID 2376 wrote to memory of 2156	2376	DEMA5E0.exe	41
PID 2376 wrote to memory of 2156	2376	DEMA5E0.exe	41
PID 2376 wrote to memory of 2156	2376	DEMA5E0.exe	41

C:\Users\Admin\AppData\Local\Temp\0f1f1ce43d059062ef8798bf6f7a0b27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f1f1ce43d059062ef8798bf6f7a0b27_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\DEM4F77.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4F77.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\DEMA544.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA544.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\DEMFB50.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFB50.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\DEM50AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM50AF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Users\Admin\AppData\Local\Temp\DEMA5E0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA5E0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\DEMFB40.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFB40.exe"
        7⤵
        Executes dropped EXE
        
        PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM50AF.exe

Filesize
14KB

MD5
46048c1cceaa126f66818fedc239659d

SHA1
23a2a8b7b0e72dab6e9a735416d9bf598da2d568

SHA256
3920f8a9e91ee0fba80c096808bd3c5409946578bbbd0b8bd103a0f40adff9e4

SHA512
bc63e545531c92be9aa43c0c4967907e79dd37c26897153446fd21765de7cf358d47501c47e5ef71721a2168d0f8bf13ef2d6d6655a2b9ee02d1a1a1e53dfa09

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA544.exe

Filesize
14KB

MD5
7d63e3df60b424066d01fa194009a697

SHA1
1f371dae2aff6e64ebe16d8ffc73923b44d35503

SHA256
ab9023948caca7f3973c73f11e05c3a32974c5739a782dc620ec73b7d80f676b

SHA512
dbea525e8c398c232e2ba23c21649fbc896edca2f3db72bdb51ca953b48b6d88e38132e9890364fcb197b51ccaea37c0303d9aed0ebc97ca0308caf84c74a0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFB40.exe

Filesize
14KB

MD5
45f28fdbcbd57c286b3d7b308f441648

SHA1
ce79f3ff6e741d74cf12c8342d235356b4154aa6

SHA256
6032dbdea9ec14371d459687fa231546b526643f71354f6a003418a6af231765

SHA512
72b190ca7a8e189aa7cfce61cb384eb04987bce4f51f526ac9f49a052088a87a4580bc6bfa8f962efe92b7aa6106ea881afa32dd3b0b1923ddcb9267a5c4ddd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFB50.exe

Filesize
14KB

MD5
195703ff5be6377900a5e1494735d6b3

SHA1
ef137e38085117a8170642e777fcc363211b3bd5

SHA256
b5464ed2255fd64b611af8485017fc8954ec1d12324ed4e36b98d44aca3d4c4d

SHA512
323a6c299b4ac27462b7f4ceb04a15e803bc1e2adc9460e09e19e58b54a9b65480399f65136bf8717dc677df6c596652d8c63c7765d69e1f09d9325b85f0a648

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4F77.exe

Filesize
14KB

MD5
c30092ec968355f03af2318d1adc2a79

SHA1
ff5ecd35208edc74801038a283d0f6112b39d67c

SHA256
a67fc965eaa286e9955357a207e64a5b40ef5ee60095f0d856f023cc1cf4cf8e

SHA512
06f86cec3d02c49b6c0d5b8326f374df4cdd6e357dc042bbe56de824e5511a1d6daaa1063efe18fadd5f994926515c16aeeb945758c7e603a3dded6ae24b1818

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA5E0.exe

Filesize
14KB

MD5
e49124df9d55b5fa843c4227a135ae5f

SHA1
a665a743f00f4b80474bbb6ee67864c4185f02be

SHA256
e4ce7e17f5613fc84a85c21029491f3eccf02e2f8d2531d6a9d663b3c7442fa5

SHA512
36ca4cb9ea20913af493f059f03db2b15f6efae309956ce2ec6ad0212c174c9e66d2bff4cce8c52efe37750dfb67df7ae5a5ffda8a4732bd7aa31b5abdccc7cd

Download Submit

Analysis

Sharing