587e0023b3509e6ffffcd31530414a617f146de145fd0f91719ab2d3c385f2f1

General

Target

13b12d4c781f78dc2f28c90bac5ed137_JaffaCakes118.exe
Size

14KB
MD5

13b12d4c781f78dc2f28c90bac5ed137
SHA1

1eb19f195278be3b7fdaa5f0045d9ad06a830bdc
SHA256

587e0023b3509e6ffffcd31530414a617f146de145fd0f91719ab2d3c385f2f1
SHA512

98cf083ea675bb9fe205478731db36860a3452f432663242e705096629a7a4f8b0301e5b190ca9cb00e8e94caf4f13127cc7e9c1aeade63a9165359db6175e0b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRGU:hDXWipuE+K3/SSHgxSU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2896	DEME1B8.exe
2904	DEM3736.exe
2680	DEM8C77.exe
2780	DEME1A8.exe
1700	DEM3794.exe
2196	DEM8CF4.exe

Loads dropped DLL 6 IoCs

pid	Process
1628	13b12d4c781f78dc2f28c90bac5ed137_JaffaCakes118.exe
2896	DEME1B8.exe
2904	DEM3736.exe
2680	DEM8C77.exe
2780	DEME1A8.exe
1700	DEM3794.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME1B8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3736.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8C77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME1A8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3794.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13b12d4c781f78dc2f28c90bac5ed137_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2896	1628	13b12d4c781f78dc2f28c90bac5ed137_JaffaCakes118.exe	32
PID 1628 wrote to memory of 2896	1628	13b12d4c781f78dc2f28c90bac5ed137_JaffaCakes118.exe	32
PID 1628 wrote to memory of 2896	1628	13b12d4c781f78dc2f28c90bac5ed137_JaffaCakes118.exe	32
PID 1628 wrote to memory of 2896	1628	13b12d4c781f78dc2f28c90bac5ed137_JaffaCakes118.exe	32
PID 2896 wrote to memory of 2904	2896	DEME1B8.exe	34
PID 2896 wrote to memory of 2904	2896	DEME1B8.exe	34
PID 2896 wrote to memory of 2904	2896	DEME1B8.exe	34
PID 2896 wrote to memory of 2904	2896	DEME1B8.exe	34
PID 2904 wrote to memory of 2680	2904	DEM3736.exe	36
PID 2904 wrote to memory of 2680	2904	DEM3736.exe	36
PID 2904 wrote to memory of 2680	2904	DEM3736.exe	36
PID 2904 wrote to memory of 2680	2904	DEM3736.exe	36
PID 2680 wrote to memory of 2780	2680	DEM8C77.exe	39
PID 2680 wrote to memory of 2780	2680	DEM8C77.exe	39
PID 2680 wrote to memory of 2780	2680	DEM8C77.exe	39
PID 2680 wrote to memory of 2780	2680	DEM8C77.exe	39
PID 2780 wrote to memory of 1700	2780	DEME1A8.exe	41
PID 2780 wrote to memory of 1700	2780	DEME1A8.exe	41
PID 2780 wrote to memory of 1700	2780	DEME1A8.exe	41
PID 2780 wrote to memory of 1700	2780	DEME1A8.exe	41
PID 1700 wrote to memory of 2196	1700	DEM3794.exe	43
PID 1700 wrote to memory of 2196	1700	DEM3794.exe	43
PID 1700 wrote to memory of 2196	1700	DEM3794.exe	43
PID 1700 wrote to memory of 2196	1700	DEM3794.exe	43

C:\Users\Admin\AppData\Local\Temp\13b12d4c781f78dc2f28c90bac5ed137_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13b12d4c781f78dc2f28c90bac5ed137_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\DEME1B8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME1B8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\DEM3736.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3736.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\DEM8C77.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8C77.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\DEME1A8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME1A8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\DEM3794.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3794.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\DEM8CF4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8CF4.exe"
        7⤵
        Executes dropped EXE
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3736.exe

Filesize
14KB

MD5
4d5f87e4ef43b16a65892753836de8d4

SHA1
76219d5788eee2e390fcc6fa1dc5bd01277509ee

SHA256
919f0081c8f529819399d1b12eb7e5685922a71110e3e36996d470c6f21b9bc7

SHA512
7a82fedf9abd7380752b41937773cafff2accd294b6d3dc4781e2cde81fabc394e4a77e3011efa6e21ee12987c8583f875332d3719a0ea1a7f0fab8a3d89d11a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3794.exe

Filesize
14KB

MD5
a4e52805a2f24538f910984e5af371cc

SHA1
9059f1e0182675ff3cca8692891083e3b1b953e7

SHA256
b140d2c6f09f367ebd8f34c299fa4fcb89ff65f67204d4c66d147dd5807678a2

SHA512
4d822911c3777ae4233b191367fb86c5d70366f7c604fb5961205a42a2c048c751442947abe1418bf448a169cdd03dd3835ac81bb745790d11bb26e9c438370a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8C77.exe

Filesize
14KB

MD5
fdab9b3f53b30313052a21ee6919c520

SHA1
584fa0794ceecbd5e079acd7031bda869ccc5dde

SHA256
744d8e41558102a6470cc2cf84ade794bf3cfea24b608f6358ee668cc43d451a

SHA512
3b19227f19768c064c53dda57ce83cf092442bd20884c6ef21966d2ce715be7650b92b27d915f867209e0044879b1f71f6d90eda03442b60a275a603e374f8ec

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8CF4.exe

Filesize
14KB

MD5
4db38d03fefcc1b0d484146f86147ad0

SHA1
1f9f557096ac41c59b62d4479bfcad9cd70f0188

SHA256
056e106e4f363deb997604ea680809992737ed5a188188504c2a405362c73c0a

SHA512
76b0745b0496cbbf2a5dc28fdc0bad8a4423bc6ed47e605b3e80c96a9440e17516e07f9b764f83c4e095fb7580e4856bf2b8bfab32a905a750f1f346ea6fd20f

Download Submit
\Users\Admin\AppData\Local\Temp\DEME1A8.exe

Filesize
14KB

MD5
c25c4678e1e64d40db82ee49f0312c4b

SHA1
1251dfef41b8cf135262cdee82b19b78417fa557

SHA256
476e1de2e76c911c4ed86b4745f469cbf385d757035d4dad8ccbc65ed22237b5

SHA512
15e5d823ac417bfb903399f279dcdcfc5f17b54504e67f0182149df9279c89a7aa7ef611f06fc620aaa5c849d0b701ad1a86868f30f71fcaaffd51d83ef2b4c7

Download Submit
\Users\Admin\AppData\Local\Temp\DEME1B8.exe

Filesize
14KB

MD5
e0bac7058a2b9d982958e2a1781a91b2

SHA1
b1adfb51ba1e1b0427420a58d0e9cfaa42f04398

SHA256
fddcf57468d814d1fb7806724a1f5d738ab6afc1f1da46dbc8f1c62c3ab08ed2

SHA512
9165f15b0070a21af44f4870aea1629140cedd9bc5b0560ab06441d39600fc84c4f5386c9b166b30e993c60554afd06e32e1d1b93dc60a5bf521be9564748105

Download Submit

Analysis

Sharing