0196f43cfa9b355996005ff864ae05ed763c8e8cc465becd2b636892cb259c94

General

Target

1122a1fde4027b896cf2a1af48ae919d_JaffaCakes118.exe
Size

14KB
MD5

1122a1fde4027b896cf2a1af48ae919d
SHA1

0d650612e87f8caaacb3373775f3387c44f9d5a4
SHA256

0196f43cfa9b355996005ff864ae05ed763c8e8cc465becd2b636892cb259c94
SHA512

1ce65c76ce8c45770bd4540f787492750f84cc600a39e1c0dac032f54d666a3834d8ebe03b014e1495859e7d45bc53906856151bd3b746f34e627b6ad28c3aae
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlE:hDXWipuE+K3/SSHgxmlE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2584	DEMEDB9.exe
2600	DEM4328.exe
2920	DEM983A.exe
1408	DEMEDF7.exe
1356	DEM4347.exe
280	DEM98E5.exe

Loads dropped DLL 6 IoCs

pid	Process
2696	1122a1fde4027b896cf2a1af48ae919d_JaffaCakes118.exe
2584	DEMEDB9.exe
2600	DEM4328.exe
2920	DEM983A.exe
1408	DEMEDF7.exe
1356	DEM4347.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM983A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEDF7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4347.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1122a1fde4027b896cf2a1af48ae919d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEDB9.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2584	2696	1122a1fde4027b896cf2a1af48ae919d_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2584	2696	1122a1fde4027b896cf2a1af48ae919d_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2584	2696	1122a1fde4027b896cf2a1af48ae919d_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2584	2696	1122a1fde4027b896cf2a1af48ae919d_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2600	2584	DEMEDB9.exe	33
PID 2584 wrote to memory of 2600	2584	DEMEDB9.exe	33
PID 2584 wrote to memory of 2600	2584	DEMEDB9.exe	33
PID 2584 wrote to memory of 2600	2584	DEMEDB9.exe	33
PID 2600 wrote to memory of 2920	2600	DEM4328.exe	35
PID 2600 wrote to memory of 2920	2600	DEM4328.exe	35
PID 2600 wrote to memory of 2920	2600	DEM4328.exe	35
PID 2600 wrote to memory of 2920	2600	DEM4328.exe	35
PID 2920 wrote to memory of 1408	2920	DEM983A.exe	38
PID 2920 wrote to memory of 1408	2920	DEM983A.exe	38
PID 2920 wrote to memory of 1408	2920	DEM983A.exe	38
PID 2920 wrote to memory of 1408	2920	DEM983A.exe	38
PID 1408 wrote to memory of 1356	1408	DEMEDF7.exe	40
PID 1408 wrote to memory of 1356	1408	DEMEDF7.exe	40
PID 1408 wrote to memory of 1356	1408	DEMEDF7.exe	40
PID 1408 wrote to memory of 1356	1408	DEMEDF7.exe	40
PID 1356 wrote to memory of 280	1356	DEM4347.exe	42
PID 1356 wrote to memory of 280	1356	DEM4347.exe	42
PID 1356 wrote to memory of 280	1356	DEM4347.exe	42
PID 1356 wrote to memory of 280	1356	DEM4347.exe	42

C:\Users\Admin\AppData\Local\Temp\1122a1fde4027b896cf2a1af48ae919d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1122a1fde4027b896cf2a1af48ae919d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\DEMEDB9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEDB9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\DEM4328.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4328.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\DEM983A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM983A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\DEMEDF7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEDF7.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\DEM4347.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4347.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\DEM98E5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM98E5.exe"
        7⤵
        Executes dropped EXE
        
        PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4328.exe

Filesize
14KB

MD5
feb26aaa056c9e01998c45c50fef94d8

SHA1
0bc864513bfe8929f25a4e59786b1996bc7ca75e

SHA256
89f604c1593541d18c6fe29f3c446da27deef011b537a27ba5c2b0adb5421e57

SHA512
3ad5d01ab515bdd4dd49de41f92f96034eb186da4bbf23551cec2700eb661dd35da02119febcd75c7eb75e410ae23537ed15bb30b5b2da39ddaa4ca1f9e34fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM983A.exe

Filesize
14KB

MD5
d3b3d1ddbc69ca66c5860520a5224652

SHA1
c73798aa1ad3f3c9dfe168dbfb1b1146d9cfb74b

SHA256
7dced3ca827d20d443c5b2502f9a110e26d466c0f25ec85ab15b533f8555efcd

SHA512
3f7c59da9484a15724f2b3de530b73eaaa49e6f94ac1d6c3c0000a96805623b82ee0016520d494acd92241d443ad6efb2f7ebf8d7390d19a872b1691073c5553

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEDB9.exe

Filesize
14KB

MD5
36cf73fdac0ddddb15e281086012ecb7

SHA1
f8c8a4af3b367dc510fc0895ced1ce0027c1973f

SHA256
3296e2b0e408e827d9bea06daf37d0a2a48ef965d210d4e021f8bf0d5dcfdf38

SHA512
a5cf19d51696ede15a28199131447a95c11e5bd6ff8e32be43213bdb22927b5a5db67c79aa774adc881b470ac34d39c21940c0263f217c4e4aea7e54c3e76662

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4347.exe

Filesize
14KB

MD5
ade3d77c1eacbe6df8b10a3d2081cb20

SHA1
4fc33cb12de3ff5d264577f7a697c5be53623987

SHA256
48233a6b909ec13b8983d2ecf134c27537249e0caa42eaf9cfb5e0eba078a496

SHA512
a7c9d60beb2568e0e43fe10d1fbe99bc68b90b47da7923704fb54693e3474fda9ec7b9728bbff3c92ef527b64b5efed8f46ad57932077f3f186dcf003721477e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM98E5.exe

Filesize
14KB

MD5
d711578b14893ba6d545db735846bf1f

SHA1
00fe592106d8f4a98024b1b5b9db94e11226a049

SHA256
808959789c21857c3bc7f78f03a9ef8324804190d86a71dc1e2acbd0fa92ea2f

SHA512
da47588bca4f29f47f359389a3532329bd5dd6af69eb8a8b322db88417d44bad1a77358bb35f0bb58f09adafac12f7444cf2d011be58a4eea9f88c48516992b7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEDF7.exe

Filesize
14KB

MD5
ae7f367729dac7a790a382b64de2305e

SHA1
75deca88a7600155b33baba654cf7c086f9f49df

SHA256
c0c5bde18dc9b0cc175413cdd25df0754dd2366aa73743ec015d792629498faf

SHA512
af8b69398a6425e9b9f58a673a4864ec4d7b1b3edc616f382d81610c54b5eec3e7cabdc55ddf2b3d7d57ad4d5feeda3c189792c0e7c06d9390e40b7a0ac27922

Download Submit

Analysis

Sharing