2cd4e54465ecbc47f9e09ef920a05c43ff193f3a21be5fb041aa7174f26dedda

General

Target

2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe
Size

14KB
MD5

2a3c1a8e82a47138e1fdddf3e9f8bf8e
SHA1

bcf4cf04330416ee7f9dfe5bf8b1472664163cef
SHA256

2cd4e54465ecbc47f9e09ef920a05c43ff193f3a21be5fb041aa7174f26dedda
SHA512

12a95d7f642adbd7561316e93a92b1c5941cf34e7a03c8f7508304996b5250f1dc7212c8a16747e23342380e06f0ebdf8f9104e3317ae693b17dfbcec049d3b3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5m:hDXWipuE+K3/SSHgxmc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2724	DEM8556.exe
1784	DEMDA96.exe
3032	DEM2FF6.exe
1388	DEM8527.exe
1432	DEMDAB6.exe
2576	DEM2FB8.exe

Loads dropped DLL 6 IoCs

pid	Process
2532	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe
2724	DEM8556.exe
1784	DEMDA96.exe
3032	DEM2FF6.exe
1388	DEM8527.exe
1432	DEMDAB6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8527.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDAB6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8556.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDA96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2FF6.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2724	2532	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2724	2532	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2724	2532	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2724	2532	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe	32
PID 2724 wrote to memory of 1784	2724	DEM8556.exe	34
PID 2724 wrote to memory of 1784	2724	DEM8556.exe	34
PID 2724 wrote to memory of 1784	2724	DEM8556.exe	34
PID 2724 wrote to memory of 1784	2724	DEM8556.exe	34
PID 1784 wrote to memory of 3032	1784	DEMDA96.exe	36
PID 1784 wrote to memory of 3032	1784	DEMDA96.exe	36
PID 1784 wrote to memory of 3032	1784	DEMDA96.exe	36
PID 1784 wrote to memory of 3032	1784	DEMDA96.exe	36
PID 3032 wrote to memory of 1388	3032	DEM2FF6.exe	38
PID 3032 wrote to memory of 1388	3032	DEM2FF6.exe	38
PID 3032 wrote to memory of 1388	3032	DEM2FF6.exe	38
PID 3032 wrote to memory of 1388	3032	DEM2FF6.exe	38
PID 1388 wrote to memory of 1432	1388	DEM8527.exe	40
PID 1388 wrote to memory of 1432	1388	DEM8527.exe	40
PID 1388 wrote to memory of 1432	1388	DEM8527.exe	40
PID 1388 wrote to memory of 1432	1388	DEM8527.exe	40
PID 1432 wrote to memory of 2576	1432	DEMDAB6.exe	42
PID 1432 wrote to memory of 2576	1432	DEMDAB6.exe	42
PID 1432 wrote to memory of 2576	1432	DEMDAB6.exe	42
PID 1432 wrote to memory of 2576	1432	DEMDAB6.exe	42

C:\Users\Admin\AppData\Local\Temp\2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\DEM8556.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8556.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\DEMDA96.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDA96.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\DEM2FF6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2FF6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Users\Admin\AppData\Local\Temp\DEM8527.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8527.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
      - C:\Users\Admin\AppData\Local\Temp\DEMDAB6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDAB6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\DEM2FB8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2FB8.exe"
        7⤵
        Executes dropped EXE
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2FB8.exe

Filesize
14KB

MD5
1b9694656ce3d05436d3557fb365e215

SHA1
0e17893fa83b0f75f7ed95854f0c4ffaec3d97c8

SHA256
fc099d969f219c66495b363ab509c9201afb9d162ca1e8574810ca75289235b0

SHA512
9001417d9e9dcfd4835cb54d72f9266ed350566439723c68f47183f27d92335d675007da5998f5f035efe10eee0bf8f7197f7736e31fc472c3f0166c7125dcd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2FF6.exe

Filesize
14KB

MD5
dc85db5975c3b27215498b54f37ffc51

SHA1
93af526095b976128a1dc55ef7a7f014c75d021f

SHA256
adb7f6afaab3a209f726eca679aef50b9cbb2f47f174262252803b2020b267a6

SHA512
0ca9e4e5a864963f956fa314f36a7fe001c0987adc4a2c1dab6851cb87da4b734a382e9f743230efce229eab5113d4abee8b0c73f2fff89343645243bea83cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8556.exe

Filesize
14KB

MD5
872f8b05b65e831e14514e88318d059a

SHA1
e996f0198071e14cac18fdcd85e46183af604771

SHA256
f044abe1bf35955b8dbb898c84e879b213f7eb2c0a577bdf439896687d1d1ed4

SHA512
d9b93d21b97306996a7502b951fdbfb639b1a18528cf811891554ddd101f3aa6b226984e6b6bd5db2e8cb0d6e13988a111b3fe671347d2dc2186f89264ee116a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDA96.exe

Filesize
14KB

MD5
59282cff21be8a0d5a95fae33df5a23a

SHA1
1e40ed298d80d28ae172f8f752780f209b841990

SHA256
42095755ccc0aa422e9de17d1b6f0a3d5972fa924b0a09ffba722ade10186572

SHA512
db08bd12af016d94287f717117328610e2779f3100d4f9975e84886c59026b53f1f6075e5e09841a8fde382a50c77ff7404d1c70c12dec9bf29570ec42800c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDAB6.exe

Filesize
14KB

MD5
8e1d7a6b856a1f58fec17979e8cc4380

SHA1
4bf7e31bcd1a239bbdd2f8fe47bce42b85a750d6

SHA256
f49971eb495e78acad85328bd0fb8eb803aca942f9fd34a0c7e33202a0c039eb

SHA512
854e843b0879e002df7c66b8e98192bc4a8f91bf0de5c879c6adfb7e8a5b1b092ba5952041d6ec8dcd8fc49b8254872f482cf895ebc559abf7cb8d548f591fd1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8527.exe

Filesize
14KB

MD5
2eeba3028a32c625ef36ec89c64b08ad

SHA1
1a75e14ffe2e5e281a1526a1c40c9ba388b515b2

SHA256
7ecdd8cb0ecf327bcf8efbd1313cdd06cb416a0434be8ea800cf98def6f7f8a9

SHA512
3f199f070fa623da5981f4aaea6d232d4956aca22007b85561d071557ccf7228d18c0a0da5442ec44022929ddfa7e31abfa77e71f1b4495fcb7f1dc591717d39

Download Submit

Analysis

Sharing