709a482711d4d8eb586527f5d96285b2b7d961cbc421187fff3dff9b76132ac2

General

Target

2fde5d88627c6c33fd0c796252d95035_JaffaCakes118.exe
Size

13KB
MD5

2fde5d88627c6c33fd0c796252d95035
SHA1

096a914c4f9c79ab376e30adc01cc47ed49a21a4
SHA256

709a482711d4d8eb586527f5d96285b2b7d961cbc421187fff3dff9b76132ac2
SHA512

e6180047a208488f46370203a19aedc493c1fe07bbb8135733af3f86b9c6256c6d42c4122b636c503553d4d3727a1a3d700e5598bd18c3661dfa2bb343e1b323
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yht:hDXWipuE+K3/SSHgxn

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2460	DEMB23F.exe
2768	DEM780.exe
2728	DEM5CDF.exe
580	DEMB22F.exe
2836	DEM781.exe
2544	DEM5D9B.exe

Loads dropped DLL 6 IoCs

pid	Process
2012	2fde5d88627c6c33fd0c796252d95035_JaffaCakes118.exe
2460	DEMB23F.exe
2768	DEM780.exe
2728	DEM5CDF.exe
580	DEMB22F.exe
2836	DEM781.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fde5d88627c6c33fd0c796252d95035_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB23F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM780.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5CDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB22F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM781.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2460	2012	2fde5d88627c6c33fd0c796252d95035_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2460	2012	2fde5d88627c6c33fd0c796252d95035_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2460	2012	2fde5d88627c6c33fd0c796252d95035_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2460	2012	2fde5d88627c6c33fd0c796252d95035_JaffaCakes118.exe	32
PID 2460 wrote to memory of 2768	2460	DEMB23F.exe	34
PID 2460 wrote to memory of 2768	2460	DEMB23F.exe	34
PID 2460 wrote to memory of 2768	2460	DEMB23F.exe	34
PID 2460 wrote to memory of 2768	2460	DEMB23F.exe	34
PID 2768 wrote to memory of 2728	2768	DEM780.exe	36
PID 2768 wrote to memory of 2728	2768	DEM780.exe	36
PID 2768 wrote to memory of 2728	2768	DEM780.exe	36
PID 2768 wrote to memory of 2728	2768	DEM780.exe	36
PID 2728 wrote to memory of 580	2728	DEM5CDF.exe	38
PID 2728 wrote to memory of 580	2728	DEM5CDF.exe	38
PID 2728 wrote to memory of 580	2728	DEM5CDF.exe	38
PID 2728 wrote to memory of 580	2728	DEM5CDF.exe	38
PID 580 wrote to memory of 2836	580	DEMB22F.exe	40
PID 580 wrote to memory of 2836	580	DEMB22F.exe	40
PID 580 wrote to memory of 2836	580	DEMB22F.exe	40
PID 580 wrote to memory of 2836	580	DEMB22F.exe	40
PID 2836 wrote to memory of 2544	2836	DEM781.exe	42
PID 2836 wrote to memory of 2544	2836	DEM781.exe	42
PID 2836 wrote to memory of 2544	2836	DEM781.exe	42
PID 2836 wrote to memory of 2544	2836	DEM781.exe	42

C:\Users\Admin\AppData\Local\Temp\2fde5d88627c6c33fd0c796252d95035_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fde5d88627c6c33fd0c796252d95035_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\DEMB23F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB23F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\DEM780.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM780.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\DEMB22F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB22F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:580
      - C:\Users\Admin\AppData\Local\Temp\DEM781.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM781.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\DEM5D9B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5D9B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM780.exe

Filesize
13KB

MD5
50e189dc6c2177253f1d9c2334e6ca8f

SHA1
4f58bfe4d3e6004597e755ad91eea103f80a770b

SHA256
6261d753f677c8142c3a0ff0b60a665cdcfb25b472629b520d4bb5a39878e511

SHA512
5bc9678bf2a8899d5f49c810dca0a19809cdb616d743e151041612a0366a8f32adfb4c734ffd609064268c3854a8ffdbb5338307489e8ddb6e882eb8b8570a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM781.exe

Filesize
13KB

MD5
eea4f5ea85ed167f82555fa98b50e371

SHA1
139fe813bb1b587337095b8efc0451e54af8bed8

SHA256
4ea108c532588f6a86a695b0db020182ade94caa85a87bd1f5cb4eb269f11a4c

SHA512
07afbed531659c0318599a07999476d5d5ecabdf4d3757ce6b1b1ac72004fb6354ebfbf7839c025022486e0a4785b3cde27d1ab4deaeb296b4ab0503e806b443

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5CDF.exe

Filesize
13KB

MD5
0f12907d681c4bf44e26ab6ac60d3205

SHA1
b72199cf117698f6d3ce8bb9203f7ac1cd88c045

SHA256
ac527ea4cd2ef7ecda961a7429da0de8c72ce3f7a2a4c47b8694226e8f626f49

SHA512
f1088c8da9a82d289147d48f6910ac940abca7e55d054f79ef863770c8cbeb5a325a9db863fe4894ce4987deb3bd70f555ecf40a9973a4b61bc68eb01f4a6f62

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5D9B.exe

Filesize
13KB

MD5
ae8dc8ab03ebd6345dbb9651b8f0f6de

SHA1
63a9f8eb7cc35224730df143f2d9ea118447d337

SHA256
432b505713f12a54e30e8bb87c444878c5394a211bc245d3506dd1ba1ec1050f

SHA512
eca65140b595c8eb3cb32c4c318e75d7614ef2798c0b7c5d134f3f06bee58855cd92061f7dc84f825fdb15257e2b7bb4c4debe9dc03e0082366863bc6fcedf88

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB22F.exe

Filesize
13KB

MD5
35abb1df14c1bb059f64e3d179edc8b5

SHA1
9ca828b7948b5b0b9972d15fa9105456c3c6993a

SHA256
0d7fb70198b871553df18812e59fa1d0211c69bb1bd195e4c3d7cbfcb3f3707f

SHA512
c18335e1f191e5eb72cf3bb4e94f84e83dd79e27e856928e5cdcfcc0473026dc6ab2a4ddd3d5a95659f0cd5920b034c3805b71cf19a2ff635d515b89e7771c6d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB23F.exe

Filesize
13KB

MD5
994858855426eff4a81b55c4f19d0e2d

SHA1
8127a04dcac9305e5fe91ad46b4e6ee191eda270

SHA256
48500a5afa914b9dfbd6247ff49e68d532d0ba86342395dc66d1730fbe74cf60

SHA512
c5734b8297f7e61815ea45715d7e0d51a86c7caa27d9aff0809e56e97bea3ead6eec5ec6afba127ff2d6e3e1817933419d1648e86111d9ef0579e067bcf18aae

Download Submit

Analysis

Sharing