3a0d8054661d05c9f750ab896ccf0a3eef368e054687071313e2bc069fff214c

General

Target

2783d750fda4f9223c8feee069927750_JaffaCakes118.exe
Size

14KB
MD5

2783d750fda4f9223c8feee069927750
SHA1

4fe80d87980f36ccb4d1e610cc9f4a79c25b22da
SHA256

3a0d8054661d05c9f750ab896ccf0a3eef368e054687071313e2bc069fff214c
SHA512

31e102b7b3fa0b5b4ab0675ba58b7e2435c046b2d8624681449de3c96e989c2811560f5c7479eb7f09aa15baf7c242373a11ec2aa1441e524a9c2f14b94639d1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRt:hDXWipuE+K3/SSHgxx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2748	DEM6B5.exe
2692	DEM5C24.exe
2756	DEMB210.exe
2872	DEM780.exe
2412	DEM5D2D.exe
2176	DEMB29D.exe

Loads dropped DLL 6 IoCs

pid	Process
2020	2783d750fda4f9223c8feee069927750_JaffaCakes118.exe
2748	DEM6B5.exe
2692	DEM5C24.exe
2756	DEMB210.exe
2872	DEM780.exe
2412	DEM5D2D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM780.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5D2D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2783d750fda4f9223c8feee069927750_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6B5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5C24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB210.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2748	2020	2783d750fda4f9223c8feee069927750_JaffaCakes118.exe	31
PID 2020 wrote to memory of 2748	2020	2783d750fda4f9223c8feee069927750_JaffaCakes118.exe	31
PID 2020 wrote to memory of 2748	2020	2783d750fda4f9223c8feee069927750_JaffaCakes118.exe	31
PID 2020 wrote to memory of 2748	2020	2783d750fda4f9223c8feee069927750_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2692	2748	DEM6B5.exe	33
PID 2748 wrote to memory of 2692	2748	DEM6B5.exe	33
PID 2748 wrote to memory of 2692	2748	DEM6B5.exe	33
PID 2748 wrote to memory of 2692	2748	DEM6B5.exe	33
PID 2692 wrote to memory of 2756	2692	DEM5C24.exe	35
PID 2692 wrote to memory of 2756	2692	DEM5C24.exe	35
PID 2692 wrote to memory of 2756	2692	DEM5C24.exe	35
PID 2692 wrote to memory of 2756	2692	DEM5C24.exe	35
PID 2756 wrote to memory of 2872	2756	DEMB210.exe	37
PID 2756 wrote to memory of 2872	2756	DEMB210.exe	37
PID 2756 wrote to memory of 2872	2756	DEMB210.exe	37
PID 2756 wrote to memory of 2872	2756	DEMB210.exe	37
PID 2872 wrote to memory of 2412	2872	DEM780.exe	39
PID 2872 wrote to memory of 2412	2872	DEM780.exe	39
PID 2872 wrote to memory of 2412	2872	DEM780.exe	39
PID 2872 wrote to memory of 2412	2872	DEM780.exe	39
PID 2412 wrote to memory of 2176	2412	DEM5D2D.exe	41
PID 2412 wrote to memory of 2176	2412	DEM5D2D.exe	41
PID 2412 wrote to memory of 2176	2412	DEM5D2D.exe	41
PID 2412 wrote to memory of 2176	2412	DEM5D2D.exe	41

C:\Users\Admin\AppData\Local\Temp\2783d750fda4f9223c8feee069927750_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2783d750fda4f9223c8feee069927750_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\DEM6B5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6B5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\DEMB210.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB210.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\DEM780.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM780.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Users\Admin\AppData\Local\Temp\DEM5D2D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5D2D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\DEMB29D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB29D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe

Filesize
14KB

MD5
ca7aee174b44e3fd6696866db1a48227

SHA1
1e71485ed17c982e375cfd3dcf44af1d846901bc

SHA256
ad0546ae55deeac96b201ddd0be3e733abcd9e6fb2462cce13732305679d59a5

SHA512
c20bab94fee110f2baa90fa33c9cf813c26320c97839a6b33726bc2fc718ba26287f0dd2b9c9bba2ed824630309110e0da562f0df3b37f347bdaa1951e1857e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B5.exe

Filesize
14KB

MD5
dfdf02de31d8f4bc7fdccd3fdc9632f0

SHA1
5a85d12d6a47c27c7f2fa666ba1c7969a18f3459

SHA256
54454e53f3f195b9cb4b5a7705a3428021275668061c35885a8188c0440f05e8

SHA512
1d02af58d6c068a6e24f3cc1a95060c6589f2aa2ba5030b8413413e303b908225b7e4aaf1d1856979893da47988686323135aa2658e68cacdf3969a8d8e5476f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB210.exe

Filesize
14KB

MD5
9ff5652333a6ee0c40bee301bb474642

SHA1
337738efa0acfc5d844db5140e6ada82e38db63b

SHA256
f7c9b1ac4570ec7606f4b102ce2db94dcc1c4cf20197728ec79c6afd07dab379

SHA512
a35b1a5ef7e53929bd11fe0444c291da710412d541abb864112349f4b0b0cad352bafc4ca65cc59cf9db17ba03aa2d3ea1c20c6ca93d7cdd57f5e6d9c7ff7bdf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5D2D.exe

Filesize
14KB

MD5
0ebbbe91c7355884084bad7be4a9f2e9

SHA1
efb033fb626d1bd963a6f603653e41a15342531f

SHA256
d5f2c9cd024bff8457cb6674cd27f9913b6594e5f6fcf8a216b6eeb22439f126

SHA512
c3a03829dff4d6016e52d59d8ed16d0d0021504f774162567c3ed7a478f6f5628dcb37f84b0b2fe740f5bea318945493c7a4c4daa31d500052e4f6381de04880

Download Submit
\Users\Admin\AppData\Local\Temp\DEM780.exe

Filesize
14KB

MD5
bbe7c3e0e53180584d620c1feb36f373

SHA1
9fefe1fcd3e3c189802adff24b328c6ac2dedcdf

SHA256
5de63cba7936462ffab0d35ca5fc255ee4eb442c9cf7f039c6be1de2bd6c6d98

SHA512
d5ed54eaec2c663cd0de1052107b656722a2445d7418aa23fb2964638eb5a6612250b18b4433414abf5a9cc54e0498e068073283c58a6ba7260e45c05c7488a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB29D.exe

Filesize
14KB

MD5
a6f87f0c5e5df198e27c8a460d32a0e4

SHA1
d1385ffd1d9d1989d4862c30c4716ca2cf3874d0

SHA256
5fdd5165466683b5a4e738f576293e26df4b27d1733cbdb37b43c9c14f59c0d5

SHA512
9f218ffa9cacf007c649e4962ceffa9ee0d4976e4f8f911f85305864ab0d13610298b83be1670ddf63604753953170abd9f15d51cbb95009cfd5cb9c8879735d

Download Submit

Analysis

Sharing