367f6b7e132cd558935f5feebe6b2c0d5c5eb851c224b71894c4768d15d85eae

General

Target

2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe
Size

14KB
MD5

2b5a0d4c023678b5f128a69973db55f7
SHA1

297d1f047b3f19ab6eacf3cd3b06e95df4f4cf9f
SHA256

367f6b7e132cd558935f5feebe6b2c0d5c5eb851c224b71894c4768d15d85eae
SHA512

cd65cb4de1fc7a973d96cf78d514c6f5c4842b9789ae76947084e1147a0471a39a3b91a68bfe42d460fc83078963c2e4a8be6615f5e89d21585de453e1cdb90f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYjG:hDXWipuE+K3/SSHgxma

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2916	DEM8B3F.exe
2724	DEME0CE.exe
3020	DEM363D.exe
980	DEM8B9D.exe
1856	DEME0CF.exe
1252	DEM360E.exe

Loads dropped DLL 6 IoCs

pid	Process
1016	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe
2916	DEM8B3F.exe
2724	DEME0CE.exe
3020	DEM363D.exe
980	DEM8B9D.exe
1856	DEME0CF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8B3F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME0CE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM363D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8B9D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME0CF.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2916	1016	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe	31
PID 1016 wrote to memory of 2916	1016	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe	31
PID 1016 wrote to memory of 2916	1016	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe	31
PID 1016 wrote to memory of 2916	1016	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2724	2916	DEM8B3F.exe	33
PID 2916 wrote to memory of 2724	2916	DEM8B3F.exe	33
PID 2916 wrote to memory of 2724	2916	DEM8B3F.exe	33
PID 2916 wrote to memory of 2724	2916	DEM8B3F.exe	33
PID 2724 wrote to memory of 3020	2724	DEME0CE.exe	35
PID 2724 wrote to memory of 3020	2724	DEME0CE.exe	35
PID 2724 wrote to memory of 3020	2724	DEME0CE.exe	35
PID 2724 wrote to memory of 3020	2724	DEME0CE.exe	35
PID 3020 wrote to memory of 980	3020	DEM363D.exe	37
PID 3020 wrote to memory of 980	3020	DEM363D.exe	37
PID 3020 wrote to memory of 980	3020	DEM363D.exe	37
PID 3020 wrote to memory of 980	3020	DEM363D.exe	37
PID 980 wrote to memory of 1856	980	DEM8B9D.exe	39
PID 980 wrote to memory of 1856	980	DEM8B9D.exe	39
PID 980 wrote to memory of 1856	980	DEM8B9D.exe	39
PID 980 wrote to memory of 1856	980	DEM8B9D.exe	39
PID 1856 wrote to memory of 1252	1856	DEME0CF.exe	41
PID 1856 wrote to memory of 1252	1856	DEME0CF.exe	41
PID 1856 wrote to memory of 1252	1856	DEME0CF.exe	41
PID 1856 wrote to memory of 1252	1856	DEME0CF.exe	41

C:\Users\Admin\AppData\Local\Temp\2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\DEM8B3F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8B3F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\DEME0CE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME0CE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\DEM363D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM363D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\DEM8B9D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B9D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:980
      - C:\Users\Admin\AppData\Local\Temp\DEME0CF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME0CF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\DEM360E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM360E.exe"
        7⤵
        Executes dropped EXE
        
        PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8B3F.exe

Filesize
15KB

MD5
22a7423e375e1982b5b67194f7a664d7

SHA1
783d8c2c8537e8248e4bff69d6184f0501817998

SHA256
cc05ac7c8b37374ab901958a554c3e01b25295a678bbd229173f5014758fa676

SHA512
fde180102db9bffb077515af949e1487bfff90951ca0c19ecb7cbbb8d4960f223721c50795d7fc3600e5c2f2d0158502459ba7fdad579c1a8cdd49e5455fcdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0CE.exe

Filesize
15KB

MD5
65b8e9815bc3d74ed30fd4a132dec4af

SHA1
ccd1ba0f1a2e9db745b81a8850babe1ab0715eb5

SHA256
5eafbd8e25dc830d1de6aebbe47eafaff505eb9fbe7479b0a6059e102e5cea8b

SHA512
91292e1c9abcb0f38af567ebd483f378a02f18440f11d5921ea7de1286b3ed7462be1f46ade14689a7c6fc4fbb3008d85a37c26fb54439c4817e6753bb9a409b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM360E.exe

Filesize
15KB

MD5
c422419510dd8d36cea104e3b910794f

SHA1
1af568201ef3114b2d3e8033d26486f2b8b75239

SHA256
6065e3dd33168c8374f6d68d1e17065bd162f549292b2606913a146519dfda1a

SHA512
38d4c255603f46bb38652a85a9e8e9ce482e96e681b205b403dc141abc5e91502e63447f78184faed348c8135fb3a02d8f8f11e8572d9856b92511bf759b6b97

Download Submit
\Users\Admin\AppData\Local\Temp\DEM363D.exe

Filesize
15KB

MD5
f04509ff5d1ea04978583ff4ef135a26

SHA1
781a64087c1821545754d199bef4d1ff02029e1d

SHA256
8f56c2237baea20b778ea2e8dd4c59c609fb0a5c0a2b9df404b2664e1bb39968

SHA512
2a606b6e865fa5b8f6fe55ded7aa943b0314351e8d94b6a7ad3de66e9c71ce63e1c59472ffbe0ca3b4a8db0a6224400cd15dfd59a06738cb81d7b1886d7bc088

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8B9D.exe

Filesize
15KB

MD5
ecbd1fd8193917771f5da0ca625fcc3e

SHA1
da4160c75560cbec56f19ed9843c5c112f14fae9

SHA256
ccf6aae340153d305924ffe2978617d5bebc02d4b115c81c22ad19c7277b33fb

SHA512
cb3f0393ab8f3e01ef95a522d8180c70250add2c883418e455794aa5160c15e5e6c5af164edbcd5cc54bbcd9df54c9eb5af91b4008f4f45a69996d468bb32ca2

Download Submit
\Users\Admin\AppData\Local\Temp\DEME0CF.exe

Filesize
15KB

MD5
55db478b96891871cd818597bc96f525

SHA1
7abbcbda49ddb96ac544fc2f18bc0219b5dcaa9f

SHA256
6f5d497c271e0a37368aad4bf33529501e1263e1db4347fc61faf8ae92272a08

SHA512
3a10134b6afaba2fcef4b0397fb54d0450e6274c72daa4d96ca5c21e8c789493565337c2f13a6ae003a34ec5a629a65875839d231360a644febc30dfb2638725

Download Submit

Analysis

Sharing