45f2db7fb385a0b897ced85ad47b0dfe282b217864cf8c30eac5b5c06b632b3d

General

Target

17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
Size

14KB
MD5

17e83badf5d724560a8a2463ea52e916
SHA1

0857485e02cd49c0c77a38788211e718f6129b78
SHA256

45f2db7fb385a0b897ced85ad47b0dfe282b217864cf8c30eac5b5c06b632b3d
SHA512

fc59563f2c43890d78ce3f53b83ea6b59f580b34707b8520961399ad35b6b078f3388be7393ded90646f08eb768a623e28c85251e9292946fef38cf4afb8a5de
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYi:hDXWipuE+K3/SSHgxmi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2744	DEM3C64.exe
2544	DEM93E6.exe
1876	DEMEA11.exe
1252	DEM40F6.exe
2168	DEM97EC.exe
2192	DEMEE07.exe

Loads dropped DLL 6 IoCs

pid	Process
2732	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
2744	DEM3C64.exe
2544	DEM93E6.exe
1876	DEMEA11.exe
1252	DEM40F6.exe
2168	DEM97EC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM93E6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEA11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM40F6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM97EC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C64.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2744	2732	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2744	2732	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2744	2732	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2744	2732	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe	31
PID 2744 wrote to memory of 2544	2744	DEM3C64.exe	33
PID 2744 wrote to memory of 2544	2744	DEM3C64.exe	33
PID 2744 wrote to memory of 2544	2744	DEM3C64.exe	33
PID 2744 wrote to memory of 2544	2744	DEM3C64.exe	33
PID 2544 wrote to memory of 1876	2544	DEM93E6.exe	35
PID 2544 wrote to memory of 1876	2544	DEM93E6.exe	35
PID 2544 wrote to memory of 1876	2544	DEM93E6.exe	35
PID 2544 wrote to memory of 1876	2544	DEM93E6.exe	35
PID 1876 wrote to memory of 1252	1876	DEMEA11.exe	37
PID 1876 wrote to memory of 1252	1876	DEMEA11.exe	37
PID 1876 wrote to memory of 1252	1876	DEMEA11.exe	37
PID 1876 wrote to memory of 1252	1876	DEMEA11.exe	37
PID 1252 wrote to memory of 2168	1252	DEM40F6.exe	39
PID 1252 wrote to memory of 2168	1252	DEM40F6.exe	39
PID 1252 wrote to memory of 2168	1252	DEM40F6.exe	39
PID 1252 wrote to memory of 2168	1252	DEM40F6.exe	39
PID 2168 wrote to memory of 2192	2168	DEM97EC.exe	42
PID 2168 wrote to memory of 2192	2168	DEM97EC.exe	42
PID 2168 wrote to memory of 2192	2168	DEM97EC.exe	42
PID 2168 wrote to memory of 2192	2168	DEM97EC.exe	42

C:\Users\Admin\AppData\Local\Temp\17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\DEM3C64.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3C64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\DEM93E6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM93E6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\DEMEA11.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEA11.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\DEM40F6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM40F6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Users\Admin\AppData\Local\Temp\DEM97EC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM97EC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\DEMEE07.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEE07.exe"
        7⤵
        Executes dropped EXE
        
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM93E6.exe

Filesize
14KB

MD5
0037ae6a6ac1664dc4c766f8ae82cae8

SHA1
04af201466bd71bef2d624dc91e6d003e1a9031e

SHA256
27028c7c245d5b1567359ca35fa914b28252e87dc25d288433ff0a68b05750e1

SHA512
c3a15394dce863d3e0d0455a521c0b97d8d44633c1136ff9087892dd0162fbc73ebbf2eff125aaa6d5274fc788db2cae87b2f2a5096aaf390e217975f28e367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE07.exe

Filesize
14KB

MD5
b21b6ad902e0c2d5da8d1e7cd63905f7

SHA1
9f258695ec0e03670fd4fba603bf3d562f6da0a1

SHA256
e10d6deea810d315a648beb49fa7e91d57646c858757a196ce6f5ab3a7ef4152

SHA512
990f76568e66db7db102bd6b8311045b71ae3b439857402babf95d5a755e04468220e04b95f19fa48d62fa40126dbde04a83e9bbb1ed6e3df1dbf3ac06107463

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3C64.exe

Filesize
14KB

MD5
d35a0ad7a1b4fd0f069ea7aba684925f

SHA1
3679f8b306fd8dc5309201d2da18bc32e0849beb

SHA256
5d39d3f90156261b1667d4e1e56d94bd6cfa4196d6e812992a41ee51ce88216e

SHA512
778bb6ca67e17069c77304320fc73086586a1532be806efbe5b12910a5c337e98e210a86786483baba1e349aa1a40916be1054198164b15c5a84eabadc3ea9a7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM40F6.exe

Filesize
14KB

MD5
1a523fc868aac2975170698da9fc6741

SHA1
8f1e4554af631d4775efb886e37c356f127294af

SHA256
8aaee84ef71a40047cf188c7f78b902396c1022e2717cab1d2c4da17f35228e1

SHA512
d9aeadea71490c97b90484adcc14f987071ce6a880347f769faa2580ca909e97a3d9d6ced0b2317722579584de8e94763e2d1e0a4e52ca1fc5a9beba63dca068

Download Submit
\Users\Admin\AppData\Local\Temp\DEM97EC.exe

Filesize
14KB

MD5
971a5a7f17cec9b1ceaba4fa12ade234

SHA1
81838037439ce4ffb884fc52356aba9ba3a0659b

SHA256
140a8ebb8981ce6d50196f4ed45ffa497278341915af0a0f007b35d74321bd00

SHA512
d904512914397708eb16b717c2980d6e4f9fde71aa8ecfb817f88ad971f3c1f1fa1297f508b5574a59b4270fefa23f48cf460bfd0fce219adbdaa8b57ec7dd92

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEA11.exe

Filesize
14KB

MD5
b7acd5e0138e7007d5b1676cf2c3b409

SHA1
3c8d0917eff5b52f86fa308b862456a53ef34c82

SHA256
23e345dacb329ec8f7a62e860759fdd71a29058e4c132a618963ae5d5771fc15

SHA512
203220c01d4fb0a9d884146ae8494e33bfee5d1821633f1ad50156d41fc5be0acc81200012e3890ad2f03335cb4c0aeaf2e1379bebabf9e8452c2f8d22086b3f

Download Submit

Analysis

Sharing