e42bfc8d2fc0645cd3abfa1ae4d5dca6d230458257f2e93ca427397e353c05c2

General

Target

2b8dfe9269a6c880335c4496d3a06599_JaffaCakes118.exe
Size

15KB
MD5

2b8dfe9269a6c880335c4496d3a06599
SHA1

408a18ed9d484027584c1606d28cc5c3f823ccb3
SHA256

e42bfc8d2fc0645cd3abfa1ae4d5dca6d230458257f2e93ca427397e353c05c2
SHA512

dab210c4c5ad75d3cdc8c3cca12294a9dbb2e0ca638dd6e93f6845d18872955b3c581fff3d2d1388a3d4870df3d374be63dcb72abf5b44e32cf8364df5740823
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+LoF:hDXWipuE+K3/SSHgxmHj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2448	DEM3820.exe
2956	DEM8E6A.exe
2312	DEME58E.exe
2584	DEM3C16.exe
2188	DEM9212.exe
2580	DEME87B.exe

Loads dropped DLL 6 IoCs

pid	Process
1956	2b8dfe9269a6c880335c4496d3a06599_JaffaCakes118.exe
2448	DEM3820.exe
2956	DEM8E6A.exe
2312	DEME58E.exe
2584	DEM3C16.exe
2188	DEM9212.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9212.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b8dfe9269a6c880335c4496d3a06599_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8E6A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME58E.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2448	1956	2b8dfe9269a6c880335c4496d3a06599_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2448	1956	2b8dfe9269a6c880335c4496d3a06599_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2448	1956	2b8dfe9269a6c880335c4496d3a06599_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2448	1956	2b8dfe9269a6c880335c4496d3a06599_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2956	2448	DEM3820.exe	32
PID 2448 wrote to memory of 2956	2448	DEM3820.exe	32
PID 2448 wrote to memory of 2956	2448	DEM3820.exe	32
PID 2448 wrote to memory of 2956	2448	DEM3820.exe	32
PID 2956 wrote to memory of 2312	2956	DEM8E6A.exe	34
PID 2956 wrote to memory of 2312	2956	DEM8E6A.exe	34
PID 2956 wrote to memory of 2312	2956	DEM8E6A.exe	34
PID 2956 wrote to memory of 2312	2956	DEM8E6A.exe	34
PID 2312 wrote to memory of 2584	2312	DEME58E.exe	36
PID 2312 wrote to memory of 2584	2312	DEME58E.exe	36
PID 2312 wrote to memory of 2584	2312	DEME58E.exe	36
PID 2312 wrote to memory of 2584	2312	DEME58E.exe	36
PID 2584 wrote to memory of 2188	2584	DEM3C16.exe	38
PID 2584 wrote to memory of 2188	2584	DEM3C16.exe	38
PID 2584 wrote to memory of 2188	2584	DEM3C16.exe	38
PID 2584 wrote to memory of 2188	2584	DEM3C16.exe	38
PID 2188 wrote to memory of 2580	2188	DEM9212.exe	40
PID 2188 wrote to memory of 2580	2188	DEM9212.exe	40
PID 2188 wrote to memory of 2580	2188	DEM9212.exe	40
PID 2188 wrote to memory of 2580	2188	DEM9212.exe	40

C:\Users\Admin\AppData\Local\Temp\2b8dfe9269a6c880335c4496d3a06599_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b8dfe9269a6c880335c4496d3a06599_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\DEM3820.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3820.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\DEM8E6A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8E6A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\DEME58E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME58E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Users\Admin\AppData\Local\Temp\DEM3C16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C16.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\DEM9212.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9212.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\DEME87B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME87B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8E6A.exe

Filesize
15KB

MD5
5d24720a8e12e88e6282c618b9263133

SHA1
aa07305c1fb896a080c818190b84e0275bd87096

SHA256
6f9f0d6f7adb60e5a70be9059f85a5268aeee1c8f046f4bd185b162dbb624fae

SHA512
56b05dee626c230b496ef8f5e34c90d9e8fae9ac1a0bef2c8c20f45cfb52fb3793c1b3b8f0ead72ad4a6da80f2326502485c1ec33bf7b9ea39dda46dee5e60a2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3820.exe

Filesize
15KB

MD5
f034f965d6d401c765ea2ccb1341644a

SHA1
c66535004a9f8a315913fd75212272ecf7e7d9cb

SHA256
2ace8a7f365617fe6b151612877fcfd5ff4d48319f26fc298485a436d70a744a

SHA512
ae11a28142925b9fea3225d89de014aeac834b0ad380dc3fee7d880212072440a4fe025087a7e29243b4bbccd56e7c1f20f762ffa31ad90b41eb33faa49019f6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3C16.exe

Filesize
15KB

MD5
41d721f04b09a41bcd64c75522dc1a68

SHA1
0e4a2f9acf1209fcf39e9ee3084afbfb9a9bd9f3

SHA256
48c94edbedf3d1b8c482cc4bc9ad342d5db8586f1e5314d5b1c8066db1f5ba2e

SHA512
217f54b1a9eda0fc697724a01408043503e7668ac147f7ee9add1a3fadee92b8fb01c2c043ef9ef409cc8d73604fc0094ac534592a08c3bb3582dd39c421c0ca

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9212.exe

Filesize
15KB

MD5
d818f9f9aecdc75ce96b533bbcc60544

SHA1
ff0e8be3c7b8d9a4874eae4b3b10e81d69b2a940

SHA256
e1422a3f8818e4c8a8382c5011bb11345b67a1cbdd9c2ac9c3f8bf93d5f784ba

SHA512
92690cc098bad96530687e6063f3f848b26f18be8dcb87e4b9876290f5f5fca07fea627bfa790a2e19a24c4eef7c982735b21cbd90a2050b78624c43656755d7

Download Submit
\Users\Admin\AppData\Local\Temp\DEME58E.exe

Filesize
15KB

MD5
088395aa518f81ce9dde48cb0fc92275

SHA1
fbf3e380fe9f8c78cedde41d6440615d114da6ba

SHA256
ad672abe9df38ac0143196f538547f6c97d63adb3964bdd38a2796ce4b0b13b7

SHA512
f3c6e44612f19059ea7af8b6f1cb110a8036e16f1474d3fd3ba1a69b6b5966e1b8788fb1a6afd4ed33b4555f14f5d97a5ac203d252c650ecdf4e4209eda54dd8

Download Submit
\Users\Admin\AppData\Local\Temp\DEME87B.exe

Filesize
15KB

MD5
e3f38f9b7d2b895b383fd62a41655262

SHA1
058630c6ca53da89bb1abec7a1d49092a483b7ae

SHA256
bef7b0e224918bd4550c61c04c2d0213a394221e93d28a429351a4d83dde4ed8

SHA512
038d18031ae807685ec64e0826698e4c86210ab44116bdb7d22b305d00806a69f28630d9dd7616a879905d9da318a0878d1c34eadc6ec07e3d7025f739ab6703

Download Submit

Analysis

Sharing