4538ffe0be30256444bbd7101f0f124c8a98ce1d0b480779734fba6afedf629c

General

Target

29e2ba3ac5e900c3dda3cf5121e6c673_JaffaCakes118.exe
Size

14KB
MD5

29e2ba3ac5e900c3dda3cf5121e6c673
SHA1

e72c3d6f10cdca920465e4bd9048f78656403ee3
SHA256

4538ffe0be30256444bbd7101f0f124c8a98ce1d0b480779734fba6afedf629c
SHA512

9034c7d57f1c4d8f9ea77d645428a4a4a4ef99d6c8c5294dc2d26cb14025ca9601108f2926e93f377cfd4b28cceeb9a4b5f0ee4cf4d0bb6056d432aa903b2fe0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhO:hDXWipuE+K3/SSHgxg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2904	DEM7BF3.exe
2420	DEMD1B1.exe
1696	DEM26E2.exe
2248	DEM7C13.exe
3052	DEMD124.exe
2072	DEM2665.exe

Loads dropped DLL 6 IoCs

pid	Process
2748	29e2ba3ac5e900c3dda3cf5121e6c673_JaffaCakes118.exe
2904	DEM7BF3.exe
2420	DEMD1B1.exe
1696	DEM26E2.exe
2248	DEM7C13.exe
3052	DEMD124.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM26E2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7C13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29e2ba3ac5e900c3dda3cf5121e6c673_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7BF3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD1B1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2904	2748	29e2ba3ac5e900c3dda3cf5121e6c673_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2904	2748	29e2ba3ac5e900c3dda3cf5121e6c673_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2904	2748	29e2ba3ac5e900c3dda3cf5121e6c673_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2904	2748	29e2ba3ac5e900c3dda3cf5121e6c673_JaffaCakes118.exe	31
PID 2904 wrote to memory of 2420	2904	DEM7BF3.exe	33
PID 2904 wrote to memory of 2420	2904	DEM7BF3.exe	33
PID 2904 wrote to memory of 2420	2904	DEM7BF3.exe	33
PID 2904 wrote to memory of 2420	2904	DEM7BF3.exe	33
PID 2420 wrote to memory of 1696	2420	DEMD1B1.exe	35
PID 2420 wrote to memory of 1696	2420	DEMD1B1.exe	35
PID 2420 wrote to memory of 1696	2420	DEMD1B1.exe	35
PID 2420 wrote to memory of 1696	2420	DEMD1B1.exe	35
PID 1696 wrote to memory of 2248	1696	DEM26E2.exe	37
PID 1696 wrote to memory of 2248	1696	DEM26E2.exe	37
PID 1696 wrote to memory of 2248	1696	DEM26E2.exe	37
PID 1696 wrote to memory of 2248	1696	DEM26E2.exe	37
PID 2248 wrote to memory of 3052	2248	DEM7C13.exe	40
PID 2248 wrote to memory of 3052	2248	DEM7C13.exe	40
PID 2248 wrote to memory of 3052	2248	DEM7C13.exe	40
PID 2248 wrote to memory of 3052	2248	DEM7C13.exe	40
PID 3052 wrote to memory of 2072	3052	DEMD124.exe	42
PID 3052 wrote to memory of 2072	3052	DEMD124.exe	42
PID 3052 wrote to memory of 2072	3052	DEMD124.exe	42
PID 3052 wrote to memory of 2072	3052	DEMD124.exe	42

C:\Users\Admin\AppData\Local\Temp\29e2ba3ac5e900c3dda3cf5121e6c673_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29e2ba3ac5e900c3dda3cf5121e6c673_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\DEM7BF3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7BF3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\DEMD1B1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD1B1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\DEM7C13.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7C13.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\DEMD124.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD124.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\DEM2665.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2665.exe"
        7⤵
        Executes dropped EXE
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7C13.exe

Filesize
14KB

MD5
4e6f118a9618984fce9b7fc9b4bd00e1

SHA1
f3084caf0b755cf5117f97d02ac5a74b9ec673a2

SHA256
30bc9b66145bd76ab0748144cd34aa1a92ccc4ad29f430043234b8b81ba94508

SHA512
7501607beeca2406256273d175cd761cd68d24b7ddfe3a16f2e082f2ef73fe8a646e40f8e57ebc6de8a036f1faa9a1d4ed3e487f459cea402677e813005f23b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD1B1.exe

Filesize
14KB

MD5
91e58d11615d8b2e7aae897139957737

SHA1
c95ed645332913e70a0af1b9f7ca9f80aaeb62a7

SHA256
f121d78a14faa25c673d3228fb48ad047919bc5d6b54dff02ef21725b5d484fb

SHA512
4066f43bc36e45fea4c7ae5c258d1dc679a0f85b97582bdfdfbcc642ee2bf644e39abe85cdde79fc389374d7d5fc93a055d4b32893061ece177448cb73c106a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2665.exe

Filesize
14KB

MD5
2bc5e47173f8a56d759e73250331a641

SHA1
c01a5adf53938544b5b8dfb762814c0877a4d3c7

SHA256
e912c490280dbc52089df3ccffa6d96477ee908de67eed92cbbac6f2b0431399

SHA512
06f7afa7e31bfab8a77f67a631647818ae51adea3fe439244b840496087d008e8dcf6be6178fe9a8bd0276abfbd7bdd0550edc7005b9fb98ae0a747c32289d62

Download Submit
\Users\Admin\AppData\Local\Temp\DEM26E2.exe

Filesize
14KB

MD5
0fa0c7f5db9791ed9a2d890c726ce28f

SHA1
cd52501c65906fef84f41ba1c999366fe5e16cff

SHA256
8d14a8d320ffac63e9ba95d25ec50bafc6c8cbe65bceab44f8bd9d9311ce22bb

SHA512
d0b3102812bc4796ee32e179bbdc791050cc20b49d75567e5bf8a48f9224a8b2389aa813c427659ed7e782aef021a3ca7716b175c29bc7a22adef341d995fa6a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7BF3.exe

Filesize
14KB

MD5
64b4809d7db12bc350ee1fad892f903e

SHA1
1f3054755320a8d5858f22e557a1b7a648ffd413

SHA256
1fcda118d4f2315f8b3cab8db217b8b13c7a7d1d3cffe1d6a15c5ecab1a42883

SHA512
cfe582179d1b916e96e0871d43f6c17eef0d9ca197e396a10ef77941c2077c4dc50895f7ec89887fa037837661de89622e50ff50da23c91eef57d6adcf98062f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD124.exe

Filesize
14KB

MD5
848372b73c7a87c600b9c4e066179739

SHA1
36dd7144acee921abe22079c7573c9ab3198a48d

SHA256
1abfe8b19bee770b264f4433d88f10c2c62496d1c9c1b5e16e7b9d2d214a333d

SHA512
ad0511877a592de8f9884cd1083477d1d0cb7eebbe859ef7516079c01babeb25fe461fc3ef2483427d5294c5502556c9c869d934c6d7f33bc621a3f249cc4052

Download Submit

Analysis

Sharing