a71e2f7a38cb6f08ca219cb416e3003af2cfb4a05e52c398f5723d9d5b7fc42f

General

Target

28664accde46696d651f6109f684254e_JaffaCakes118.exe
Size

14KB
MD5

28664accde46696d651f6109f684254e
SHA1

43de1bb66957ea2c533a3ad1e7d16f1ea981df76
SHA256

a71e2f7a38cb6f08ca219cb416e3003af2cfb4a05e52c398f5723d9d5b7fc42f
SHA512

64148390e361af06fcea22bf9b271df70bd8efc5986d891187c8afd850b8e272e6ec9931e3fb39ca6e00e51bbd630d58dba3166d5b24ca381af03952f2a7865c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbS5:hDXWipuE+K3/SSHgxmWmbS5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2716	DEMDF76.exe
2712	DEM34F5.exe
2652	DEM8A65.exe
1972	DEMDFA5.exe
1704	DEM3524.exe
2852	DEM8A93.exe

Loads dropped DLL 6 IoCs

pid	Process
2336	28664accde46696d651f6109f684254e_JaffaCakes118.exe
2716	DEMDF76.exe
2712	DEM34F5.exe
2652	DEM8A65.exe
1972	DEMDFA5.exe
1704	DEM3524.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28664accde46696d651f6109f684254e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDF76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM34F5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8A65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDFA5.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2716	2336	28664accde46696d651f6109f684254e_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2716	2336	28664accde46696d651f6109f684254e_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2716	2336	28664accde46696d651f6109f684254e_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2716	2336	28664accde46696d651f6109f684254e_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2712	2716	DEMDF76.exe	34
PID 2716 wrote to memory of 2712	2716	DEMDF76.exe	34
PID 2716 wrote to memory of 2712	2716	DEMDF76.exe	34
PID 2716 wrote to memory of 2712	2716	DEMDF76.exe	34
PID 2712 wrote to memory of 2652	2712	DEM34F5.exe	36
PID 2712 wrote to memory of 2652	2712	DEM34F5.exe	36
PID 2712 wrote to memory of 2652	2712	DEM34F5.exe	36
PID 2712 wrote to memory of 2652	2712	DEM34F5.exe	36
PID 2652 wrote to memory of 1972	2652	DEM8A65.exe	38
PID 2652 wrote to memory of 1972	2652	DEM8A65.exe	38
PID 2652 wrote to memory of 1972	2652	DEM8A65.exe	38
PID 2652 wrote to memory of 1972	2652	DEM8A65.exe	38
PID 1972 wrote to memory of 1704	1972	DEMDFA5.exe	41
PID 1972 wrote to memory of 1704	1972	DEMDFA5.exe	41
PID 1972 wrote to memory of 1704	1972	DEMDFA5.exe	41
PID 1972 wrote to memory of 1704	1972	DEMDFA5.exe	41
PID 1704 wrote to memory of 2852	1704	DEM3524.exe	43
PID 1704 wrote to memory of 2852	1704	DEM3524.exe	43
PID 1704 wrote to memory of 2852	1704	DEM3524.exe	43
PID 1704 wrote to memory of 2852	1704	DEM3524.exe	43

C:\Users\Admin\AppData\Local\Temp\28664accde46696d651f6109f684254e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28664accde46696d651f6109f684254e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\DEMDF76.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMDF76.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\DEM34F5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM34F5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\DEM8A65.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8A65.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\DEMDFA5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDFA5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Users\Admin\AppData\Local\Temp\DEM3524.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3524.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\DEM8A93.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A93.exe"
        7⤵
        Executes dropped EXE
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM34F5.exe

Filesize
14KB

MD5
7802e8a7e1d652bcdac38a48f53f0d6e

SHA1
5f26a54ba1d94e3774322925ecefab6072e661de

SHA256
162cd389265bdc9494f7f444c0ba584f284100d7e4fe4013ab965685b3283000

SHA512
be5426fa282636def94038c5c88508c98cab1d70ae1c004ee9e719fe3daa0105eb3446e142d5995bfbb0946c64613b1454ffc7201abe7d69ec58e1aeba5d01ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A65.exe

Filesize
14KB

MD5
af592102986a7d90f63fe576003dceae

SHA1
93d102e98469925d349a440e7ba5262440f15306

SHA256
96123bf6daf6ee4becdde0389a1e09c527274b82972ca028dc8a4d44ce41b910

SHA512
cb8fe77e0b9560f20b4a570e0d4f23bce38c5bc0fa645d310cda259299e133bbcdee7635e33ec2d01767f3a347c4fbc7bf2174ed72a52daec43f210713c8faf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDFA5.exe

Filesize
14KB

MD5
e8d307d2ff1918fa551b8a945e44b3ba

SHA1
6aaf7057e26b4c19f753fb7a8200bfd9f3b2f61d

SHA256
8d9434ab60ba6e2fb78243032c8892addb3170fb5629b826a5c97d606820dfbc

SHA512
ce2565906fc64b366ea7a5cbed50209a241f5e1a9b5c89da560da513da201516fe0b33530eb021d8b058c270ed12c020bfd3e0b82b8f29d0101d4b9d66f40fc0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3524.exe

Filesize
14KB

MD5
0ec559d54843a7c7d1e30da49faf883a

SHA1
045e7f640d50a94c0465d72e6b08eaa899b57bc6

SHA256
6ac657de59f2910a138c51007383ffbea5172956d69fb9f86e560b73eaf46498

SHA512
e9e07f01a2f0748e88fe3ae2509d83fdc6d3a09961385eaa48d76bf0f223eac305bfb6624d984bb19ae3ef978e7ee00168454bffe01f7ac77314dde1dc35f623

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8A93.exe

Filesize
14KB

MD5
5a21592771276bb09c875d98c62a6996

SHA1
468f27c5f658844edad0e19ea52dee245ad95e12

SHA256
c989a63bcaba25713c0ac465e49cfe5526565b1d930ad48a57ff886db8542b48

SHA512
6150cd18082a9175b932873e0af4d3a5b52a3aa4406a112566c70328a55fe27cdc3da3b19fd501afd3caacb99347b9e9e7eb7c2b2275bc6d7b0b6c99b0ba7693

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDF76.exe

Filesize
14KB

MD5
27bbd92831a65ca1827ecf000af993f2

SHA1
3c69e4caeb9ac887cce88b7cd145c2dbdd163371

SHA256
d4297c409d2aab4cd8c566912bfb82952def1077e7882832c3d028049a44a3a7

SHA512
01e997c04b8529829d3425213291649b3a7946c4c6c47a50f4318f3afd11241fb664d8744ed1e36cf7fe2db1b97aa18a6d93b7db24830d696a973a02bf144d08

Download Submit

Analysis

Sharing