333e6c381cf515d11f28828ee8a033540894e2f02d1afcb17d239039591ac9a7

General

Target

2f4998657c1318c014fac873cca43763_JaffaCakes118.exe
Size

14KB
MD5

2f4998657c1318c014fac873cca43763
SHA1

3b3c81356ff8d0f320abd267414332dad9887a2d
SHA256

333e6c381cf515d11f28828ee8a033540894e2f02d1afcb17d239039591ac9a7
SHA512

a941ee1248195948413a543d0ea5e83900d4fdb953974a5fdba8dd27fa77d6275df892010fa31fc2e25b44711bc5edd691ee91a89ce9fd1c3fec1012d8ec0adb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0K6:hDXWipuE+K3/SSHgx4K6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2512	DEM8121.exe
2672	DEMD652.exe
1924	DEM2BC2.exe
2868	DEM8102.exe
2456	DEMD672.exe
1412	DEM2C2F.exe

Loads dropped DLL 6 IoCs

pid	Process
1904	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe
2512	DEM8121.exe
2672	DEMD652.exe
1924	DEM2BC2.exe
2868	DEM8102.exe
2456	DEMD672.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD652.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2BC2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD672.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2512	1904	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe	32
PID 1904 wrote to memory of 2512	1904	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe	32
PID 1904 wrote to memory of 2512	1904	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe	32
PID 1904 wrote to memory of 2512	1904	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2672	2512	DEM8121.exe	34
PID 2512 wrote to memory of 2672	2512	DEM8121.exe	34
PID 2512 wrote to memory of 2672	2512	DEM8121.exe	34
PID 2512 wrote to memory of 2672	2512	DEM8121.exe	34
PID 2672 wrote to memory of 1924	2672	DEMD652.exe	36
PID 2672 wrote to memory of 1924	2672	DEMD652.exe	36
PID 2672 wrote to memory of 1924	2672	DEMD652.exe	36
PID 2672 wrote to memory of 1924	2672	DEMD652.exe	36
PID 1924 wrote to memory of 2868	1924	DEM2BC2.exe	38
PID 1924 wrote to memory of 2868	1924	DEM2BC2.exe	38
PID 1924 wrote to memory of 2868	1924	DEM2BC2.exe	38
PID 1924 wrote to memory of 2868	1924	DEM2BC2.exe	38
PID 2868 wrote to memory of 2456	2868	DEM8102.exe	40
PID 2868 wrote to memory of 2456	2868	DEM8102.exe	40
PID 2868 wrote to memory of 2456	2868	DEM8102.exe	40
PID 2868 wrote to memory of 2456	2868	DEM8102.exe	40
PID 2456 wrote to memory of 1412	2456	DEMD672.exe	42
PID 2456 wrote to memory of 1412	2456	DEMD672.exe	42
PID 2456 wrote to memory of 1412	2456	DEMD672.exe	42
PID 2456 wrote to memory of 1412	2456	DEMD672.exe	42

C:\Users\Admin\AppData\Local\Temp\2f4998657c1318c014fac873cca43763_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f4998657c1318c014fac873cca43763_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\DEM8121.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8121.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\DEMD652.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD652.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\DEM2BC2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2BC2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\DEM8102.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8102.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\DEMD672.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD672.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\DEM2C2F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C2F.exe"
        7⤵
        Executes dropped EXE
        
        PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2BC2.exe

Filesize
14KB

MD5
5a4a62e4d6f1f3dd92881aff4df235a2

SHA1
f45e6aec5fbca1d1061f012afdf663edd960c518

SHA256
a36fa7b29666e388984c5e56bb0c419ba5bace6bc4c6ffd50e2fec062fd0b3ed

SHA512
2addd3876d0f7e69af2c93ee81b8aa8dc6ee4010feacb22ffa072c07521252ce329a91588f77fa69ad4035fcd0cd5f79a0f4e81d100e4b44c24491677b187bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8102.exe

Filesize
14KB

MD5
1b45c97227920a08bde8fd627e730f54

SHA1
880edda36b00951b197cb2ca3c65963939bcd9d0

SHA256
272f14c59d75d117435abea052d8ee84a3d45de23af62af2ad39ef0842fa9762

SHA512
b2d5130c2a05ff64704a679206a28310ee5a8d2cdfe79ce3f8c02a6f33c109eb3e37e5dfee1f16853a92b843bf200177e9d8be5723f48bee229b8e441aa5d01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8121.exe

Filesize
14KB

MD5
7a848ad72fdf1c0f2154c604937f3a26

SHA1
863628c7365dc1b4806f44c9861365ac0cca997f

SHA256
59c282047ef22cc443830495aadf39e3b771193c408e2124465e951dda149fa6

SHA512
ea7a84295ec9a89a7802a93858989582d47b22221489ae426fe8234f476f225564e6ad19f837a1c7f5e54acd885aee34f48b9d8ba00e5c960851d505e3e1302d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD652.exe

Filesize
14KB

MD5
7d2eb2233631523f4c613d89c51f3b12

SHA1
e275ac506d451e25869809024e01d4aadd4b6281

SHA256
35b7e828934f8208b32975bb59198c06e43099e2d5717f76d56e8094913dcd8a

SHA512
5fda65cca808afa35efcb4defaf6bfa6297cc02cfff04e5183b3fc0efbf9e42197e5c48ceaa4d952abe0dd3122441e451a74584c72badcfedac088cb458e343a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2C2F.exe

Filesize
14KB

MD5
2130478a6a4306900d9e1795ae2f7f27

SHA1
f34d4a75fecdd6eee51b0833f3803717e6516c86

SHA256
6e0f4c683296af931abdb0c9f2e4372dae77856f3a3f4285b486b41f3c02134f

SHA512
8dddd3360972355d47eacb1ba2b4c2276b1f34a9864464addb46fe6f2969a4d3ce969a822d4475b27004af9b4b3a012458aff590f2e7f40bfac1c3fb4a42fd08

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD672.exe

Filesize
14KB

MD5
e9468a7af00d95e1f52c3042fb711abb

SHA1
cdea64995d88479c6c107c9610405b5f39cae9f1

SHA256
86edd0f2e12b08f1825a2decd539d4ed0fe60f6f1a2d4708cedca5be23783eb4

SHA512
58818355733abdeafdf402799540e21b4266f6947ad6cf3424f4bf5d53a5a6648c026961be5706ef19002da9e7171f05a3dae85e1d0a1ea2b8665422a0b7c439

Download Submit

Analysis

Sharing