dcbe4961f821649f6f2bae08e74e34793db2ee0e71afdccadf2c802b92fef43b

General

Target

142baae8dc263349b29935e994c83b8e_JaffaCakes118.exe
Size

14KB
MD5

142baae8dc263349b29935e994c83b8e
SHA1

39d60f4b676374b0cab277deb0b0914d24081690
SHA256

dcbe4961f821649f6f2bae08e74e34793db2ee0e71afdccadf2c802b92fef43b
SHA512

079ba7179ed1bd0a5a0c052f74e0388d16111772ab60b54c1a0058d159e2d4bff0f405ec346fef09b99adf49afde9250e52578b9ef166191c9889634525888b5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5C:hDXWipuE+K3/SSHgxl5C

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2972	DEM2BE1.exe
3056	DEM8141.exe
1764	DEMD681.exe
2328	DEM2C1F.exe
588	DEM81BD.exe
1956	DEMD77B.exe

Loads dropped DLL 6 IoCs

pid	Process
1884	142baae8dc263349b29935e994c83b8e_JaffaCakes118.exe
2972	DEM2BE1.exe
3056	DEM8141.exe
1764	DEMD681.exe
2328	DEM2C1F.exe
588	DEM81BD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	142baae8dc263349b29935e994c83b8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2BE1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8141.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD681.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2C1F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM81BD.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2972	1884	142baae8dc263349b29935e994c83b8e_JaffaCakes118.exe	31
PID 1884 wrote to memory of 2972	1884	142baae8dc263349b29935e994c83b8e_JaffaCakes118.exe	31
PID 1884 wrote to memory of 2972	1884	142baae8dc263349b29935e994c83b8e_JaffaCakes118.exe	31
PID 1884 wrote to memory of 2972	1884	142baae8dc263349b29935e994c83b8e_JaffaCakes118.exe	31
PID 2972 wrote to memory of 3056	2972	DEM2BE1.exe	33
PID 2972 wrote to memory of 3056	2972	DEM2BE1.exe	33
PID 2972 wrote to memory of 3056	2972	DEM2BE1.exe	33
PID 2972 wrote to memory of 3056	2972	DEM2BE1.exe	33
PID 3056 wrote to memory of 1764	3056	DEM8141.exe	36
PID 3056 wrote to memory of 1764	3056	DEM8141.exe	36
PID 3056 wrote to memory of 1764	3056	DEM8141.exe	36
PID 3056 wrote to memory of 1764	3056	DEM8141.exe	36
PID 1764 wrote to memory of 2328	1764	DEMD681.exe	38
PID 1764 wrote to memory of 2328	1764	DEMD681.exe	38
PID 1764 wrote to memory of 2328	1764	DEMD681.exe	38
PID 1764 wrote to memory of 2328	1764	DEMD681.exe	38
PID 2328 wrote to memory of 588	2328	DEM2C1F.exe	40
PID 2328 wrote to memory of 588	2328	DEM2C1F.exe	40
PID 2328 wrote to memory of 588	2328	DEM2C1F.exe	40
PID 2328 wrote to memory of 588	2328	DEM2C1F.exe	40
PID 588 wrote to memory of 1956	588	DEM81BD.exe	42
PID 588 wrote to memory of 1956	588	DEM81BD.exe	42
PID 588 wrote to memory of 1956	588	DEM81BD.exe	42
PID 588 wrote to memory of 1956	588	DEM81BD.exe	42

C:\Users\Admin\AppData\Local\Temp\142baae8dc263349b29935e994c83b8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\142baae8dc263349b29935e994c83b8e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\DEM2BE1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2BE1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\DEM8141.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8141.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\DEMD681.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD681.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\DEM2C1F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C1F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\DEM81BD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM81BD.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\DEMD77B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD77B.exe"
        7⤵
        Executes dropped EXE
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2BE1.exe

Filesize
14KB

MD5
e97b7884dbffe93319eff8beb5f38cae

SHA1
9785774c124bc8b1b4154c0ccb5db23f996cf27a

SHA256
7c65d0f10225c28760c53a051d9796a1e79a75ab15dcdacd5676d5c2c98a2b18

SHA512
55c7516cfd04e5ef684223979fec8dbeeeeed7464cdd8cae7c24bfc09a9423739d324724f11154de82e763121b0627b67a03069a4f2b727ac358da2d5ac1cb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2C1F.exe

Filesize
14KB

MD5
15fe3b8c25289620cf4d639993443697

SHA1
d61319ff8069bd58461f10effff29f3e000df13e

SHA256
6a1d4a0ea959190fa2edad55210566ce6add196a86fb8ddcdb75c705dee4c12e

SHA512
41b3144be8b0c97ef918b0e898fe502ead9b6d5b0ae4f77b18ff603a9f294178160ffe5581c017158f72b93c1b9591d0498316eacb8274b716412411a9010d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8141.exe

Filesize
14KB

MD5
9c16524066bd5ad524a7a6aaf958b663

SHA1
c4b9effa5775eb954838c70f6691852aaac21a2f

SHA256
78f02865e45103324234b6d8e855d62c54585e9eb1c46f5d2a45a17578434a5b

SHA512
fbc685e1918c16e727ade14b43f7c22acbb57a4142b93916d8ee401324ea6a306e49a4426e5fcf25e29eb5cb6b2706ee8d272bac7e57213a817c90a3c4735caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM81BD.exe

Filesize
14KB

MD5
71dca23d0a9a15e8931b65133ae08a8f

SHA1
34feb24c05d56e277dcc541583d0a33091d00b0b

SHA256
02aaa5b3f0f269dac2cc11a69d37f5d6a20b87aced6986344ec27d00380b9aab

SHA512
13c837fc27ffb89d1ab06111033b2427c504b904d73bf7d4a9baccdb3fb71710eb2efdb48b3e762ecc6e466dff6c0ef94fa98d47c587c01462994559f2509e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD681.exe

Filesize
14KB

MD5
55609494ac49b73f719985b8f14333b9

SHA1
22607b53cd2348c21d6f26d958387c7a4629aa44

SHA256
fe4481983c8e873d8f971b4ee3842b8b9075f9517aeb209c3451c05211127e34

SHA512
f9a56c8d50d691cb37c5cda3bc4bf47f8e79b0103435b574360f86f4c2c79dbdefd368380ff1c9da844793dee91ab89e8773c93feb415528283d4a5f36043eaf

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD77B.exe

Filesize
14KB

MD5
cfad9a319f72752a75d67557fb641047

SHA1
99725b449d4eb0bbb5780e42ce11340339265087

SHA256
9ca179ad30efff7ea5bc122f3b233cb6c879fcfbe0431166568f29ef329a8083

SHA512
292af3c920211f84066101264150de8f5618b722cb5c200f7ecadcab56f6f39ceb0919612518179fdb9eee21bd7d76f106624a08769349728f4a9475c306f754

Download Submit

Analysis

Sharing