122f58ee576e218087563b2e7010a2cb0324b1c9eb04946773f0e8c96f90fb45

General

Target

27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
Size

14KB
MD5

27a289531660a32c1cec535bee86e28d
SHA1

4abcbd17dfd0731031f31f40475dab345ff70b9c
SHA256

122f58ee576e218087563b2e7010a2cb0324b1c9eb04946773f0e8c96f90fb45
SHA512

47d08df47bd013a0074c8dd062c22145820bec02cdf47b37de237b4eb2c6c7306de96e66355afc4cf0a42e41232b2fa0dc1c46bacaef212787c030fabe9124b0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv56:hDXWipuE+K3/SSHgxl56

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2256	DEMAA34.exe
2768	DEMFA.exe

Loads dropped DLL 3 IoCs

pid	Process
2176	27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
2256	DEMAA34.exe
2768	DEMFA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAA34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFA.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2256	2176	27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2256	2176	27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2256	2176	27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2256	2176	27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe	30
PID 2256 wrote to memory of 2768	2256	DEMAA34.exe	32
PID 2256 wrote to memory of 2768	2256	DEMAA34.exe	32
PID 2256 wrote to memory of 2768	2256	DEMAA34.exe	32
PID 2256 wrote to memory of 2768	2256	DEMAA34.exe	32
PID 2768 wrote to memory of 2108	2768	DEMFA.exe	34
PID 2768 wrote to memory of 2108	2768	DEMFA.exe	34

C:\Users\Admin\AppData\Local\Temp\27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\DEMAA34.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAA34.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\DEMFA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\DEM57C1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM57C1.exe"
      4⤵
      PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\DEMAD6F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAD6F.exe"
        5⤵
        
        PID:2088
      - C:\Users\Admin\AppData\Local\Temp\DEM3D8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3D8.exe"
        6⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\DEM5957.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5957.exe"
        7⤵
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3D8.exe

Filesize
14KB

MD5
b100854d92f5ab038d6ffb3e2ff3c584

SHA1
a96fe7f7745c58ca5e15053354e5d916086d1ea2

SHA256
8dd9063739f4160d082cdd9b806767ad6c064074cd0c7dbcd82a798c77aa9b1e

SHA512
34937e6b680dcd9272bf10ed2cdcd6b697e0c8bf74393424c423a104d0fa53d6b27a3fd4a1a539237d0f075067b99b4c5ee2ff2f58e9f4aec87d7fbf99427cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5957.exe

Filesize
14KB

MD5
f1a33571eec670178ecfb9ca4d4f9698

SHA1
fe51673da0b44f2c79d67b504b0a1d283b7fca17

SHA256
afa00b3f247b984a13fbeb9c3fec104296bf93a83a1ad8303d03d99b5083a593

SHA512
440cf67ab1f02f2b63a752c011b11143b0e753295c908806beb106bebc3467132a9a35f4811f8f5cdecb7989bbeea1b9b36050a9c2d793142007949163e6309b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAD6F.exe

Filesize
14KB

MD5
46fd965f0b16e80f4a5b7a6e5438dcf0

SHA1
9b35aee05f8e2de3b3ee2a9098924d7f50a29c39

SHA256
5db97b3e5477021c2f37a1610243f332ebac77e2c2e8b1e77deb8a4f2f73f4da

SHA512
608c74b96885b0e2d1fb50dac80c095d75b98d2b65dd0bf4766fb91ca1bdda175d43e217e3a6593133f66430b89bd0c87994efc476b6f9b36f86f0b18055ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA.exe

Filesize
14KB

MD5
4cffb53f3eb0dd18dd0affd0887b55fd

SHA1
d6cee08445b12cddcb48d26910cf8e0c0fb5ac65

SHA256
29e1e6252a987a95cff3ee1f0a63fc778375addc44e7ff16a312fc95c6db2481

SHA512
744e0a64d8ccdae8c91b9f055b57e9cd49a5ecae0065b146ae63ba96c2f62379bf094bc03e3a819f51e24c2a0d5e361d80d615a5c5375909a3300c616cfc2c65

Download Submit
\Users\Admin\AppData\Local\Temp\DEM57C1.exe

Filesize
14KB

MD5
50f7899247e6d48cb625dd9a47ed0bb7

SHA1
2a9e7fb60215bac8c48b194346434dc246d7b629

SHA256
5919c8a79614cb1c606327ff0f37546f558a4cf77dbd07d2eef5cc721a444e8d

SHA512
b08da6a883c37276e07efda726f8c3e2c93364089164602894e6db9f84ffe65de4a35119d97de12f5621a095aa64b6c4e4562c947fb6b67d0bbddb245ec2ac57

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAA34.exe

Filesize
14KB

MD5
24d961a400ca0e38e3937eacecce484d

SHA1
4e3dab66d56296a43d227d63a0c8fd417ebf1133

SHA256
0eddcba533e1c93c64d0717cbaf116535ca82d80170ac7a8aebf0fe15127c217

SHA512
eeda5ebd117cd44d937fe145ca1ccf6f2c4021e8065b32b58a508e58036317acf745f7ad220fbf6dc0567a0e2e5de7dc67c433a8c505dd306a261fb28d47983e

Download Submit

Analysis

Sharing