60856fe8482547c19e743a1ccfa6264c8d2f6584ab2764019c43d32df46d7cd4

General

Target

17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
Size

14KB
MD5

17ce1129878d4a18b153c487f87f4f50
SHA1

bbf24086466ed820af34d2e7ba46b91096c32477
SHA256

60856fe8482547c19e743a1ccfa6264c8d2f6584ab2764019c43d32df46d7cd4
SHA512

d57aa78751492e176f50302b8061676ed957dcd08c041627d1dff438cea2a7eb50f88a6c2b01ab8c185a01bf510123c1d84ed03be3d75b74d30b60d38ab61ae1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh0:hDXWipuE+K3/SSHgxS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2344	DEMAB6C.exe
2320	DEM7E.exe
2492	DEM55AE.exe
2608	DEMAB5C.exe
2016	DEM6E.exe
2004	DEM55AF.exe

Loads dropped DLL 6 IoCs

pid	Process
2948	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
2344	DEMAB6C.exe
2320	DEM7E.exe
2492	DEM55AE.exe
2608	DEMAB5C.exe
2016	DEM6E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM55AE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAB5C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAB6C.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2344	2948	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2344	2948	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2344	2948	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2344	2948	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2320	2344	DEMAB6C.exe	33
PID 2344 wrote to memory of 2320	2344	DEMAB6C.exe	33
PID 2344 wrote to memory of 2320	2344	DEMAB6C.exe	33
PID 2344 wrote to memory of 2320	2344	DEMAB6C.exe	33
PID 2320 wrote to memory of 2492	2320	DEM7E.exe	35
PID 2320 wrote to memory of 2492	2320	DEM7E.exe	35
PID 2320 wrote to memory of 2492	2320	DEM7E.exe	35
PID 2320 wrote to memory of 2492	2320	DEM7E.exe	35
PID 2492 wrote to memory of 2608	2492	DEM55AE.exe	37
PID 2492 wrote to memory of 2608	2492	DEM55AE.exe	37
PID 2492 wrote to memory of 2608	2492	DEM55AE.exe	37
PID 2492 wrote to memory of 2608	2492	DEM55AE.exe	37
PID 2608 wrote to memory of 2016	2608	DEMAB5C.exe	39
PID 2608 wrote to memory of 2016	2608	DEMAB5C.exe	39
PID 2608 wrote to memory of 2016	2608	DEMAB5C.exe	39
PID 2608 wrote to memory of 2016	2608	DEMAB5C.exe	39
PID 2016 wrote to memory of 2004	2016	DEM6E.exe	41
PID 2016 wrote to memory of 2004	2016	DEM6E.exe	41
PID 2016 wrote to memory of 2004	2016	DEM6E.exe	41
PID 2016 wrote to memory of 2004	2016	DEM6E.exe	41

C:\Users\Admin\AppData\Local\Temp\17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\DEMAB6C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAB6C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\DEM7E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\DEM55AE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM55AE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\DEMAB5C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAB5C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Users\Admin\AppData\Local\Temp\DEM6E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\DEM55AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM55AF.exe"
        7⤵
        Executes dropped EXE
        
        PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM55AE.exe

Filesize
14KB

MD5
95e306c390e8e93899baea978a8b6e2c

SHA1
6854cb1a1315b56ee81269b32cc27baf9ba2583d

SHA256
272967146ce70a827cdba6ee54a0b5a1b632b4b477fb8aa9650649eef65a7830

SHA512
081381f5e5475cc90cdb235b4e70637a5512daf3fbbb8db9c307e44ef55ad463c680ff525c44ef7965cd5078962c4541a28a43f926af75b4ccadbecc6160494f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7E.exe

Filesize
14KB

MD5
ad53615ca1c33f31ca46b1e089990528

SHA1
7365de3f4188ee34260862273014333c2ff437b9

SHA256
bc53cc7d5d9b8b0e97b1dff47d02a251ba3c3ac3600780042c13487bf39f55cb

SHA512
46cdd6ea19a66e1a23a6cb48925e7051c2283913e3a75eba8eed723c001ebcbdb003d0fca588fa90cfc441473ac6493d5f6f6bf6c21f198555f59a0acf8ddd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAB5C.exe

Filesize
14KB

MD5
d3c0f80dd3dacc50908154accad4ec84

SHA1
d3c039214af7071ddfadc7c6d82ef16bcc3494ab

SHA256
1f1a025c54ea71371d5536b08e32b091e27523b90835d3aeb6a5ac4a558e959a

SHA512
c0579e02d69f0638a00a5286b630088ea2d67a72edb6edad7ecfb3ad19b4bac5d13f56a44420728e6d1c435d50c0686996f1e169424a6ff0210e826b77398b9b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM55AF.exe

Filesize
14KB

MD5
85a0e753caa58aa26a7eec4ea194e3e6

SHA1
05b6e14d747e582d471341f5ca210f3c8560c12a

SHA256
05de131c57aa55ce975d1c57305951f45fa569ea351dedf325e1a14f41208633

SHA512
56f40739df7cdbe253827893f48895fa7d00bbaf2dbe74a1b796e3e402a497a33002bae88c05b15310b4ce6d5d3aa9f40141ec67451c550ec8767fa3ee198ac7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6E.exe

Filesize
14KB

MD5
0295ccf6136150915ce31af89bf4374d

SHA1
0438c91e7739a4f3c79fbade87c575219091122b

SHA256
92202b09267a404f8b2436d878a5d64487a72c98db49cf6d28587aa762217a1c

SHA512
8cfd7a9c6ab8616778b1c46916e279f1ce2057b2c6898b8e4721e422167d5b4bc0c45c0376adcf55f324de0cd4efe4d574bf140efc48224455a2e1616d3a35d7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAB6C.exe

Filesize
14KB

MD5
4a88bc0a1487a192558c6e36e4937dd8

SHA1
0f19d9150147e8a6a4aba788c308f640a485a07f

SHA256
010db036a41ad0c2792fd5efb8b269e6db31abb3a55baa7e883507f337d41216

SHA512
7c4dc33c3b0e77c0d0127d7bd33984929c990bf5be6fc5e5db8f8c50c98c428cdd440498c6937605ee02364ec3ade12aef6f91bcbe6d41af8538c6b5577dd488

Download Submit

Analysis

Sharing