b4aca56b71a4c62b1bb89d66b403ee0474f679460a4da66c3676c3ffd90bc27b

General

Target

2decdc767d826a04b1b564670a2c4190_JaffaCakes118.exe
Size

14KB
MD5

2decdc767d826a04b1b564670a2c4190
SHA1

bfb27272d3178bc01be0dd57c8ab854a0642f6d4
SHA256

b4aca56b71a4c62b1bb89d66b403ee0474f679460a4da66c3676c3ffd90bc27b
SHA512

e6a55a9dc99b52f4bc9e2e76262ed51b737265a6a6016301bd78d155a50262f6d946b503d3322f515372f5ded9d64d199c35b8bb5b6d29396994069544f2ce99
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhW:hDXWipuE+K3/SSHgx4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1928	DEMC4C5.exe
2612	DEM1A73.exe
2600	DEM6FC3.exe
2256	DEMC5A0.exe
836	DEM1B5D.exe
2220	DEM7159.exe

Loads dropped DLL 6 IoCs

pid	Process
2936	2decdc767d826a04b1b564670a2c4190_JaffaCakes118.exe
1928	DEMC4C5.exe
2612	DEM1A73.exe
2600	DEM6FC3.exe
2256	DEMC5A0.exe
836	DEM1B5D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC5A0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1B5D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2decdc767d826a04b1b564670a2c4190_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC4C5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1A73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6FC3.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1928	2936	2decdc767d826a04b1b564670a2c4190_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1928	2936	2decdc767d826a04b1b564670a2c4190_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1928	2936	2decdc767d826a04b1b564670a2c4190_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1928	2936	2decdc767d826a04b1b564670a2c4190_JaffaCakes118.exe	32
PID 1928 wrote to memory of 2612	1928	DEMC4C5.exe	34
PID 1928 wrote to memory of 2612	1928	DEMC4C5.exe	34
PID 1928 wrote to memory of 2612	1928	DEMC4C5.exe	34
PID 1928 wrote to memory of 2612	1928	DEMC4C5.exe	34
PID 2612 wrote to memory of 2600	2612	DEM1A73.exe	36
PID 2612 wrote to memory of 2600	2612	DEM1A73.exe	36
PID 2612 wrote to memory of 2600	2612	DEM1A73.exe	36
PID 2612 wrote to memory of 2600	2612	DEM1A73.exe	36
PID 2600 wrote to memory of 2256	2600	DEM6FC3.exe	38
PID 2600 wrote to memory of 2256	2600	DEM6FC3.exe	38
PID 2600 wrote to memory of 2256	2600	DEM6FC3.exe	38
PID 2600 wrote to memory of 2256	2600	DEM6FC3.exe	38
PID 2256 wrote to memory of 836	2256	DEMC5A0.exe	40
PID 2256 wrote to memory of 836	2256	DEMC5A0.exe	40
PID 2256 wrote to memory of 836	2256	DEMC5A0.exe	40
PID 2256 wrote to memory of 836	2256	DEMC5A0.exe	40
PID 836 wrote to memory of 2220	836	DEM1B5D.exe	42
PID 836 wrote to memory of 2220	836	DEM1B5D.exe	42
PID 836 wrote to memory of 2220	836	DEM1B5D.exe	42
PID 836 wrote to memory of 2220	836	DEM1B5D.exe	42

C:\Users\Admin\AppData\Local\Temp\2decdc767d826a04b1b564670a2c4190_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2decdc767d826a04b1b564670a2c4190_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\DEMC4C5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC4C5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\DEM1A73.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1A73.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\DEM6FC3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6FC3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\DEMC5A0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC5A0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Users\Admin\AppData\Local\Temp\DEM1B5D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1B5D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\DEM7159.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7159.exe"
        7⤵
        Executes dropped EXE
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1A73.exe

Filesize
14KB

MD5
d82b77dbc67afe92ae11941a1eab82ed

SHA1
c0510dbbb942b3507cec3047e02be2d6c3f2fc21

SHA256
779ce7f0de24d1e68fd6b3f6374c49048150ac695bea65dcbed88992e1d71d4b

SHA512
8ee1f25e386bf24a75fc75ea2f95b74caba0ecef7bfbeb99cc36b74e8b9c75cfb8937bddcb4ac43510acf2453364fa6984fd78a63b5f9bc07a61dc0072ca81d4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1B5D.exe

Filesize
14KB

MD5
1c00c7ced01e6da4b47d47c9bdf19d59

SHA1
997a6c913e736e40c6b69ff773643420610d9393

SHA256
81a49f0336ec11a1851dfa986ba129a20234ed29e82c35c65b93dba0473af178

SHA512
0b4c535095fcedf90a9ffe5deb40ef6593437e69bcd42276f8522d9e7322acabdc80f2b7a0d2c1cc8a43a15861057794d0eeb6d5808b38af5d16820eca2b8d98

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6FC3.exe

Filesize
14KB

MD5
e7719369eb776bd070f0c7fd9c6b7145

SHA1
bc256d7f4fef887bb90c669ca88c8f3595b385cf

SHA256
66d96792ef9b1d4e363c87d8122ed4fe5fca1b51e6c6cdd41cd4a2fbe920ee40

SHA512
88fe1d456ad390a6f1218332a1814a0f3f9ad17aa28d489d7c35e337dd290974676798e94ea043a45b6134512da9c89c8652462ed18d411a1cdd58fa0884d107

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7159.exe

Filesize
14KB

MD5
f7c29dc124d0efb54ac01822bb15abd2

SHA1
06341027d4fee6a536aa66dff246dda80541343b

SHA256
804ee3858cabbb8d1eaa5e453a3f2d04923ed62a586ac3bb53423e6c3b3d1b92

SHA512
5b208983ddba4f4b1ada31a28184a55638fa09f9764cd87a5ff952c96d5915e455af9f9a59fa355a638d89b017d85a184de9a7edefde69549072e99631081953

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC4C5.exe

Filesize
14KB

MD5
f7c16053b5b0b7885132896dfdfacb0f

SHA1
5853e35e663f288a7a3dc74a07d4ccc814d083b6

SHA256
4bc660624133a2559ac84553b83bdc2ea26734f5907dad9badac3130e2cae42a

SHA512
80e4fd55a1d98189135e4b028ac9833b77c820c9ee4a439f835122b7eeda3e67610cc48115f8a25ae5804c2079262bbe0952d3b3fb24672428f866cb7322802c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC5A0.exe

Filesize
14KB

MD5
7b84cd89d41e64b936039adf4bb87e70

SHA1
486d99785951f8f71840e8e92f3c5677d778c56d

SHA256
391cac02f81400c6b371a4b2f6234d502d362d2859b3e3eb5a256a6cb1d10d36

SHA512
6117473f285839e746f2cbbb7910948051f7c07a1f399876322a553f508c1a5649e167dfc08654679cb7334ee24295861a53e91d787a9f02c9bc8423448a1bb8

Download Submit

Analysis

Sharing