5e6ab6edfa5faa86458d5f92fdd3f70f5ca34643ecc8a77f6cdbc007cf2162b0

General

Target

2b45d306748783877e2f062672373e6d_JaffaCakes118.exe
Size

14KB
MD5

2b45d306748783877e2f062672373e6d
SHA1

f53e55804eee1806514078c92b0693e5e710b10d
SHA256

5e6ab6edfa5faa86458d5f92fdd3f70f5ca34643ecc8a77f6cdbc007cf2162b0
SHA512

7c19aacbd64d2d57900d7f2c54949aab88e670affa26e8f84276738dd9d91d0e917e269b3fcbe581064eef0311948ea51437d91e069a9d6f8cb2307b7b3f1c80
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhf:hDXWipuE+K3/SSHgxh

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2368	DEMCF12.exe
2480	DEM24C0.exe
2696	DEM7ABB.exe
2852	DEMD0A7.exe
3064	DEM2665.exe
2580	DEM7BA5.exe

Loads dropped DLL 6 IoCs

pid	Process
1648	2b45d306748783877e2f062672373e6d_JaffaCakes118.exe
2368	DEMCF12.exe
2480	DEM24C0.exe
2696	DEM7ABB.exe
2852	DEMD0A7.exe
3064	DEM2665.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b45d306748783877e2f062672373e6d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCF12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM24C0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7ABB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD0A7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2665.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2368	1648	2b45d306748783877e2f062672373e6d_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2368	1648	2b45d306748783877e2f062672373e6d_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2368	1648	2b45d306748783877e2f062672373e6d_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2368	1648	2b45d306748783877e2f062672373e6d_JaffaCakes118.exe	32
PID 2368 wrote to memory of 2480	2368	DEMCF12.exe	34
PID 2368 wrote to memory of 2480	2368	DEMCF12.exe	34
PID 2368 wrote to memory of 2480	2368	DEMCF12.exe	34
PID 2368 wrote to memory of 2480	2368	DEMCF12.exe	34
PID 2480 wrote to memory of 2696	2480	DEM24C0.exe	36
PID 2480 wrote to memory of 2696	2480	DEM24C0.exe	36
PID 2480 wrote to memory of 2696	2480	DEM24C0.exe	36
PID 2480 wrote to memory of 2696	2480	DEM24C0.exe	36
PID 2696 wrote to memory of 2852	2696	DEM7ABB.exe	38
PID 2696 wrote to memory of 2852	2696	DEM7ABB.exe	38
PID 2696 wrote to memory of 2852	2696	DEM7ABB.exe	38
PID 2696 wrote to memory of 2852	2696	DEM7ABB.exe	38
PID 2852 wrote to memory of 3064	2852	DEMD0A7.exe	40
PID 2852 wrote to memory of 3064	2852	DEMD0A7.exe	40
PID 2852 wrote to memory of 3064	2852	DEMD0A7.exe	40
PID 2852 wrote to memory of 3064	2852	DEMD0A7.exe	40
PID 3064 wrote to memory of 2580	3064	DEM2665.exe	42
PID 3064 wrote to memory of 2580	3064	DEM2665.exe	42
PID 3064 wrote to memory of 2580	3064	DEM2665.exe	42
PID 3064 wrote to memory of 2580	3064	DEM2665.exe	42

C:\Users\Admin\AppData\Local\Temp\2b45d306748783877e2f062672373e6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b45d306748783877e2f062672373e6d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\DEMCF12.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCF12.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\DEM24C0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM24C0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\DEM7ABB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7ABB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\DEMD0A7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD0A7.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\DEM2665.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2665.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\DEM7BA5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7BA5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM24C0.exe

Filesize
14KB

MD5
da847e439ab5a9c4136abbc9fbbaba27

SHA1
ab8d978ce32319df63d7e011b7ac0a813d68c370

SHA256
9a58e88dfd59df5eb5682cb73e978417d22c4f4ce8e5221a2a499cc587b2973f

SHA512
3f0e93101d894f58959c5c3042cba4ed436368546169c73f9170ecd478c31455a625cb615a29c804b41c881368be39e2479855c8bccdb01830b969a1926418f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7ABB.exe

Filesize
14KB

MD5
9f7706f276ace3e1cefc32fbc6656e3c

SHA1
eadc91ba4c030b4e7dd85ae509a3c5ac7fdf1483

SHA256
0e8f7dc6bdab95eaa91f31ed9ef2a2141118a7355c799b35283efff53add5453

SHA512
05b40297b6905f0c31bd9ec8f4f4066e7f11279008e571020ba082a2ac7c1d0d65632241452fe1dfae5e7e80d9f6bf29af4a8790db9d5917606e7a4abce90113

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2665.exe

Filesize
14KB

MD5
63300de36e2ffda00d549f947d929312

SHA1
99c20adb01251e8fe2232d8468a5d0001e428ba3

SHA256
67fddaa4f3ba377536893e705c363a41c00b72866dd01c7adc0504987989a818

SHA512
c1d90408c5478f4f999b1dbae5995fad360065ce71557c3ca88be9a9352af4a898dcaefa81ecaaccde5851299edfd1140286e4a4ce629e1aa83752f26da5e753

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7BA5.exe

Filesize
14KB

MD5
ba1795ca9798afe52abcb914bb9990f8

SHA1
237e853481fefefe26792e63cd52e04b06c3f992

SHA256
21bfd11952100214a3d1d790dc71418dde5d1fe4652cdf46522ab21f30b3cae0

SHA512
48f33aaafe7007025924a2537eb9c374604a58d38298d7c824fd91240f512af0b4d5f6a9ba99d242d8ebe9ab02e2d83a625c700e88b48c0cce4ad6dfc31d06c9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCF12.exe

Filesize
14KB

MD5
49c18277424d2621d1ddb9b70cf321bb

SHA1
c002e6f08b89d100db5f7779a33a0b593e51e7c6

SHA256
168de7765a2d4e7c40bbb9b8dad8c1a4a715a287f080bd46c10fd1ffc0d29ae6

SHA512
ab7da2e1472ea93217e72e95971dda4771ce96c17b5e9033d9669ad2ade744b79fa4787ce58da655b08924c31ceabedb822c69fc8316216ebd61449ed8f7fdf1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD0A7.exe

Filesize
14KB

MD5
cfdae06c40f33a082937620dfcca9dbc

SHA1
7b830338be63bfff8ae0a38e3f939d89a639e7db

SHA256
73e781801a23960c82c6a5ab5eaabc4d0bb0e89fbfce20c19d1c8f724cbba0b0

SHA512
e398914976af2f82397bb2f4107605f6e74b7f12750345e03c93bae8f69b1e997165cd4533110f758d422ae95fbc3710f536ed9547bf171116c314c9fbd9c40a

Download Submit

Analysis

Sharing