cb0cb5250c490f9ef86765e509f7eed24e094bbccd7682290ee8ba216a293ec0

General

Target

29806262f2866ad3834e4d5856f4b198_JaffaCakes118.exe
Size

15KB
MD5

29806262f2866ad3834e4d5856f4b198
SHA1

393940584268acc11b92498591b125ec5a3f39b5
SHA256

cb0cb5250c490f9ef86765e509f7eed24e094bbccd7682290ee8ba216a293ec0
SHA512

6fb6ccd48ae0588b048a7d4c7d2c591b4cbecf7448820681380b21802bd613423fa68ea21e97ba2cb88a59ff50cc13c5f192d2d8370fb7c003fa1ae4c145b2ef
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxA:hDXWipuE+K3/SSHgxmHa

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1804	DEMA93A.exe
2392	DEMFE7B.exe
2704	DEM5409.exe
1676	DEMA959.exe
632	DEMFEAA.exe
2088	DEM54B5.exe

Loads dropped DLL 6 IoCs

pid	Process
2972	29806262f2866ad3834e4d5856f4b198_JaffaCakes118.exe
1804	DEMA93A.exe
2392	DEMFE7B.exe
2704	DEM5409.exe
1676	DEMA959.exe
632	DEMFEAA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFEAA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29806262f2866ad3834e4d5856f4b198_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA93A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFE7B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5409.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA959.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1804	2972	29806262f2866ad3834e4d5856f4b198_JaffaCakes118.exe	32
PID 2972 wrote to memory of 1804	2972	29806262f2866ad3834e4d5856f4b198_JaffaCakes118.exe	32
PID 2972 wrote to memory of 1804	2972	29806262f2866ad3834e4d5856f4b198_JaffaCakes118.exe	32
PID 2972 wrote to memory of 1804	2972	29806262f2866ad3834e4d5856f4b198_JaffaCakes118.exe	32
PID 1804 wrote to memory of 2392	1804	DEMA93A.exe	34
PID 1804 wrote to memory of 2392	1804	DEMA93A.exe	34
PID 1804 wrote to memory of 2392	1804	DEMA93A.exe	34
PID 1804 wrote to memory of 2392	1804	DEMA93A.exe	34
PID 2392 wrote to memory of 2704	2392	DEMFE7B.exe	36
PID 2392 wrote to memory of 2704	2392	DEMFE7B.exe	36
PID 2392 wrote to memory of 2704	2392	DEMFE7B.exe	36
PID 2392 wrote to memory of 2704	2392	DEMFE7B.exe	36
PID 2704 wrote to memory of 1676	2704	DEM5409.exe	38
PID 2704 wrote to memory of 1676	2704	DEM5409.exe	38
PID 2704 wrote to memory of 1676	2704	DEM5409.exe	38
PID 2704 wrote to memory of 1676	2704	DEM5409.exe	38
PID 1676 wrote to memory of 632	1676	DEMA959.exe	40
PID 1676 wrote to memory of 632	1676	DEMA959.exe	40
PID 1676 wrote to memory of 632	1676	DEMA959.exe	40
PID 1676 wrote to memory of 632	1676	DEMA959.exe	40
PID 632 wrote to memory of 2088	632	DEMFEAA.exe	42
PID 632 wrote to memory of 2088	632	DEMFEAA.exe	42
PID 632 wrote to memory of 2088	632	DEMFEAA.exe	42
PID 632 wrote to memory of 2088	632	DEMFEAA.exe	42

C:\Users\Admin\AppData\Local\Temp\29806262f2866ad3834e4d5856f4b198_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29806262f2866ad3834e4d5856f4b198_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\DEMA93A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA93A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\DEMFE7B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFE7B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\DEM5409.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5409.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\DEMA959.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA959.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\DEMFEAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFEAA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\DEM54B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM54B5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMFE7B.exe

Filesize
15KB

MD5
a2001b8a35db187d823299916076ec80

SHA1
dade9f3f20285d2ec2ffa98743f0b36d78eca6a4

SHA256
4a92aa9bfcae9d2d56a965fed6052f015d510f2e1c02d326114ca2053b8bb025

SHA512
28e08be3f3a91a8502c4272da59d165934b3821b54236f85cf8ed01fe222199fddd935bb6f0e8f23b597fd76ea313b8d5d74b1da1bb24c88516ed0d0f2a86354

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5409.exe

Filesize
15KB

MD5
3ffbe035d7702c93274041b37768588c

SHA1
76185621d6a6e354046564d414fa3549f5beee5a

SHA256
aa3d8272cd5123a25810d2ffdb16214841f8fc34c925656385525e48e5678307

SHA512
00e45c7c6d8caef78422d24e2c22fe376983f99000b07b754a3ce60171b3294cd280572f68c3c3cd7a08801d5a88eb84920067c4bde95e54a37ad4886aec2dac

Download Submit
\Users\Admin\AppData\Local\Temp\DEM54B5.exe

Filesize
15KB

MD5
84dafce02e7bed4075f44e9668778222

SHA1
d129cdf5b6c85edf92f92699843c603ad7537ab5

SHA256
932cf367268243b28e435b14e38fe18b75d837ef35955f5f35a0b9187127546c

SHA512
061d5e34091850e36dbac6de75e272b9e9c35b817df1e98f85e419acbf112979c03e407b41cb4591530b82fa12133b4e56cc6befc037fe03e8c2874f722c5478

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA93A.exe

Filesize
15KB

MD5
f947bb5a3b44a7ff752d8d5410080dd8

SHA1
e039c23a03527a2b10d4a915022d8c0eb65c4607

SHA256
b65099338b6d2c13fc76299048dd259fc4c23b2532543c26bbaee026cd2521fb

SHA512
fa02572bcafb3e52f3f2bb313283b91754453bc7b82746ce6c106a04e6152490890c18e0d4e337fcee79c2c8e219e78cb6e46d294593caa63489588fc104c31f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA959.exe

Filesize
15KB

MD5
8040649534ff4f12d39de0e2b9b6bdb6

SHA1
1c687a38fdcc7f7c81819e25d1d786609f251404

SHA256
4cc31f5f0556f5159ef45e1edb8d0fb9be3441cb1172b68b6c236e87205ffe2c

SHA512
cedbcd2608ac09e2149b1a4ecc1538162043c75df51137c2eb7219581d2416de99ce0e86878485d962f84c332c1117e31c519353173ccfaf18ed401068954eec

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFEAA.exe

Filesize
15KB

MD5
5041130a805f48cc5cf264bf25ddb66e

SHA1
680fed45eb855d17dd9255f279e593d2ce8be97e

SHA256
a9fe452bd7c1e4e61fa0fbb569341ba47fc4754ac769a4e964fb66810dc55be1

SHA512
c531bc110ee48dbf4ba780925c9715a0a776b7237f98f0ec12a268fa36e354adc39b90aa3a1284049ed069d3cbfbc597798055b5b0334bf39b8f22d469b944e8

Download Submit

Analysis

Sharing