fec2572a6d416f435c97ffab6dcdf8b1eaea20eb0386f054850b319ffef86d75

General

Target

2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe
Size

14KB
MD5

2b7be53b885604ba6b04afd8f33ab830
SHA1

837891d1051fa77a06bc96ea13fec8938db9a7f5
SHA256

fec2572a6d416f435c97ffab6dcdf8b1eaea20eb0386f054850b319ffef86d75
SHA512

dabcf0ee190afe23f7d03db420413136cf50ea224f7706c14cfd53758db4c7e3d80e773aa1cb756c85aae360cb370453dd23bdc8cb3fcd8b59c876a213c7596e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbX:hDXWipuE+K3/SSHgxmWmbX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2712	DEM9138.exe
2556	DEME84C.exe
1744	DEM3ED4.exe
2864	DEM94C1.exe
2076	DEMEB97.exe
3024	DEM4193.exe

Loads dropped DLL 6 IoCs

pid	Process
2876	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe
2712	DEM9138.exe
2556	DEME84C.exe
1744	DEM3ED4.exe
2864	DEM94C1.exe
2076	DEMEB97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9138.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME84C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3ED4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM94C1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEB97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2712	2876	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2712	2876	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2712	2876	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2712	2876	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2556	2712	DEM9138.exe	33
PID 2712 wrote to memory of 2556	2712	DEM9138.exe	33
PID 2712 wrote to memory of 2556	2712	DEM9138.exe	33
PID 2712 wrote to memory of 2556	2712	DEM9138.exe	33
PID 2556 wrote to memory of 1744	2556	DEME84C.exe	35
PID 2556 wrote to memory of 1744	2556	DEME84C.exe	35
PID 2556 wrote to memory of 1744	2556	DEME84C.exe	35
PID 2556 wrote to memory of 1744	2556	DEME84C.exe	35
PID 1744 wrote to memory of 2864	1744	DEM3ED4.exe	37
PID 1744 wrote to memory of 2864	1744	DEM3ED4.exe	37
PID 1744 wrote to memory of 2864	1744	DEM3ED4.exe	37
PID 1744 wrote to memory of 2864	1744	DEM3ED4.exe	37
PID 2864 wrote to memory of 2076	2864	DEM94C1.exe	39
PID 2864 wrote to memory of 2076	2864	DEM94C1.exe	39
PID 2864 wrote to memory of 2076	2864	DEM94C1.exe	39
PID 2864 wrote to memory of 2076	2864	DEM94C1.exe	39
PID 2076 wrote to memory of 3024	2076	DEMEB97.exe	41
PID 2076 wrote to memory of 3024	2076	DEMEB97.exe	41
PID 2076 wrote to memory of 3024	2076	DEMEB97.exe	41
PID 2076 wrote to memory of 3024	2076	DEMEB97.exe	41

C:\Users\Admin\AppData\Local\Temp\2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\DEM9138.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9138.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\DEME84C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME84C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\DEM3ED4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3ED4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\DEM94C1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM94C1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Users\Admin\AppData\Local\Temp\DEMEB97.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEB97.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\DEM4193.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4193.exe"
        7⤵
        Executes dropped EXE
        
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEME84C.exe

Filesize
14KB

MD5
2eb52be4a3701f519effc4227d80ec32

SHA1
f39af6cbefa71bd0541f289d16d557aa39d52677

SHA256
ab91454c2924ab9defc5fa1074dfc03d42a84ab3a8885ca171823e0710b98f77

SHA512
5bff7418965c90da44b10ba8fc24dd520fc77629cd3ae2dce1879e7eda80b5c27d48b94d2274a09974e70de49ed695d04164b4adc0d7e07c201945333ba30dae

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3ED4.exe

Filesize
14KB

MD5
aad30c2e42ea518ab2d9700b79a36005

SHA1
60ed0ee74c958631cdc57b87024a615a25467fd4

SHA256
5edd41aa17aa9f230f243626af469765d4da687af4f0dad8498cab038e681d28

SHA512
3acfe4a5b64cd4f87ff5bcaea7dcbb74b3e39e079ef637fd3bd4ccee8c5d5170d3ff129f48ecc74709ac4e31b15818c5560b603c01dac0e837d3d61bffc0e73a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4193.exe

Filesize
14KB

MD5
599473969de45131bf222bd080d01f52

SHA1
8c48a7b572b059157ebb880e8ef9af4d0b9ca7cf

SHA256
7094ddd499066a5febf23855dde82388e09a0e17426c01e870538d5e674dccdc

SHA512
7b88eaf6a279b289d6df6a37e68cde7b09534eb9dabdffce115b60a1a44dda40dfa607f0d6eaaf44ed3b5d5cd22773d7be916d00d91c94210cc00bb0e231754d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9138.exe

Filesize
14KB

MD5
1b4de1d2a122b9f04fb7556fe28806bf

SHA1
7284a88bc41ba57ba36938fb4cb1b048fdc84c9c

SHA256
a606347179faa58f4186bfa617e3c30a1c333aa785ac51bf78a73b984a65d482

SHA512
41548cf9af47e7858dbc74cede930fc80f386c719cb89ee8caf5ae62545affb5ae147b3b729f6996c12a6a094b470620e960b02bec2d8ee45e5f9f8da67eb64b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM94C1.exe

Filesize
14KB

MD5
ec902ba8ec6f0eb05846d0e44e6c2783

SHA1
2df3c000e7f639320d07eb65ba772fed72480670

SHA256
7c532bb09c8fc8eb663c9c4119a9816de8cd5d61a46b991b5205220a66ae369c

SHA512
b7cf33dec571519409e0954465951a32cbd2ea97aa34628fa187e2f01b048209695c9bfda30d493b3235316d44450d6d723acd283affafd2e3fd91973a82729b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEB97.exe

Filesize
14KB

MD5
8cc10ea7e20d52cf01742fcc7417de42

SHA1
4d375dd8172a3a42b9a0d2a468117087a1dd79db

SHA256
7bf7da7ae464c17d895003f844573e3e0455042094624d773238df7ea51e4a0a

SHA512
0dcf1ce44d5c9977b0ccd2a42b3221116719f39108e6051884b51ece976527a458c732515f5dc13e1a250943c8991868cc2cbeaac429398fb7b460be0d59eb2e

Download Submit

Analysis

Sharing