1014b6ff9c9a4e8b83d4bd707980f337566a9ee34c971dc7cf537cb2d4ca88ca

General

Target

2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe
Size

14KB
MD5

2a27e93605c5d0168a5d8a10be858013
SHA1

2dff4df9f05d87cf24714cfbb0de9bbc11291923
SHA256

1014b6ff9c9a4e8b83d4bd707980f337566a9ee34c971dc7cf537cb2d4ca88ca
SHA512

f9ad3272c95905e618cc7114156e61236991e755f255799cdf4556cb3bb4afe73552df6b88d2d4ad88ae4fe7452eade12a06ca3780b38aef6ee6bdff66b7613c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZKa:hDXWipuE+K3/SSHgx3b

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2784	DEMEF20.exe
2568	DEM44CD.exe
2100	DEM99EF.exe
324	DEMEF10.exe
1912	DEM449E.exe
1804	DEM99F0.exe

Loads dropped DLL 6 IoCs

pid	Process
2224	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe
2784	DEMEF20.exe
2568	DEM44CD.exe
2100	DEM99EF.exe
324	DEMEF10.exe
1912	DEM449E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM44CD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM99EF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEF10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM449E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEF20.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2784	2224	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2784	2224	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2784	2224	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2784	2224	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2568	2784	DEMEF20.exe	33
PID 2784 wrote to memory of 2568	2784	DEMEF20.exe	33
PID 2784 wrote to memory of 2568	2784	DEMEF20.exe	33
PID 2784 wrote to memory of 2568	2784	DEMEF20.exe	33
PID 2568 wrote to memory of 2100	2568	DEM44CD.exe	35
PID 2568 wrote to memory of 2100	2568	DEM44CD.exe	35
PID 2568 wrote to memory of 2100	2568	DEM44CD.exe	35
PID 2568 wrote to memory of 2100	2568	DEM44CD.exe	35
PID 2100 wrote to memory of 324	2100	DEM99EF.exe	38
PID 2100 wrote to memory of 324	2100	DEM99EF.exe	38
PID 2100 wrote to memory of 324	2100	DEM99EF.exe	38
PID 2100 wrote to memory of 324	2100	DEM99EF.exe	38
PID 324 wrote to memory of 1912	324	DEMEF10.exe	40
PID 324 wrote to memory of 1912	324	DEMEF10.exe	40
PID 324 wrote to memory of 1912	324	DEMEF10.exe	40
PID 324 wrote to memory of 1912	324	DEMEF10.exe	40
PID 1912 wrote to memory of 1804	1912	DEM449E.exe	42
PID 1912 wrote to memory of 1804	1912	DEM449E.exe	42
PID 1912 wrote to memory of 1804	1912	DEM449E.exe	42
PID 1912 wrote to memory of 1804	1912	DEM449E.exe	42

C:\Users\Admin\AppData\Local\Temp\2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\DEMEF20.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEF20.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\DEM44CD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM44CD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\DEM99EF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM99EF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\DEMEF10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEF10.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:324
      - C:\Users\Admin\AppData\Local\Temp\DEM449E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM449E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\DEM99F0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM99F0.exe"
        7⤵
        Executes dropped EXE
        
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM44CD.exe

Filesize
14KB

MD5
e10e13844450565ad54ad83561ef9492

SHA1
4f4a20994b8548a59a47b352eeffbf80e9127a91

SHA256
6f65b1067db2b989707bc462428ba6ac5f2b21100634e50d589825297456aa17

SHA512
2f003e4e3ba35676fa8360a720b59ea5cd7eb9cb12973552cf5f8fb4944eee1fc808789394a597a64410f85f9b169ffa6afc0f46f690c3ef2076ae139380e46c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM449E.exe

Filesize
14KB

MD5
89a1796211d6727875db94be505a1efb

SHA1
85c6a4037c06078135fafa3605e12bdea496a5c0

SHA256
a9b5d871cd5eae8eabc95b569a52b8e16ed6d9e4fd266a31b42f721036ee138f

SHA512
8013fd788242259d16b3f3c9025a44b841fffb865b05ae9c86256e5614d29e3ebc72f4a776217986fb007d9f9e3c48044b695d01036d6ba13139a5aacd5df8f6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM99EF.exe

Filesize
14KB

MD5
ba0eff8b59a1cf9c8020ab9c2c888bc6

SHA1
f3f232d3376de9dea71bbbec75a94629c8767569

SHA256
07af16bccd599e4949b9ad0f801db6fe14aed5d40f92084b4af7e50ba4c35d32

SHA512
19752ccb80a596b1d57a8e2510bbdcd7dc1603ec7f9c447823d7325e8da1e9793d53b5eb6f5d7a1147889e4543bdea130eca6ae10bb706a55cb817641fae1f1a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM99F0.exe

Filesize
14KB

MD5
3e766724c474a975feeb6164208dea6a

SHA1
5861b75ecbaeab074834b1d527d4f1f14e305e67

SHA256
4e22f64c7d182fd1989ee4357cefdca006cf9d88b90bc5aa082f2986503569fd

SHA512
9814c085261d5e9d9d97e3ede93e0bfd26d1236f31c57f4c9b653d7bc24436fccb50c0a4d8c3aeb40a28ce3a8ef90fed3692902df71a6ddcb151ea23f09a93d4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEF10.exe

Filesize
14KB

MD5
5993838448bc18b42fba96fc7429bd62

SHA1
133f9218e05f2d5805f453eb30544bebb642678a

SHA256
ecacfc98b713537ba510024827d677b4e211123d2f40d967b2f814a88a8de7b2

SHA512
e739e943f448423f533a0bac34857e9f68f78b7c16629b99729b48d6886cf2d24e327632a0a01c0ad1f6c36006330db5122bf2400aa3bead809b9bf95d0f87f3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEF20.exe

Filesize
14KB

MD5
42dc3f046489c15082458e169b700e37

SHA1
c2f47a0f283d4cd081997be41f59d5f101b5fa7c

SHA256
9d43d02e64b4cee8e997b7722df28ba1e4f9af22ed46c34de8048ef97b974389

SHA512
e0838d062c94bea0cac0561086b61a42d824e2bcd54e5fe199d6d4f36735d516af6aaf37dafd67b0336715250c977c1328ea0b772a83422d82da5d4a83839f56

Download Submit

Analysis

Sharing