fd2f3f0f7c90d07e96d7fb80d79f51e8b81de745839f331a6a42ebb9b410473a

General

Target

3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe
Size

14KB
MD5

3077e7dfa37f7b57488e11c7ca0b143c
SHA1

9876096ccc681b185b6d7d69b0e59d0519e1cd5a
SHA256

fd2f3f0f7c90d07e96d7fb80d79f51e8b81de745839f331a6a42ebb9b410473a
SHA512

31cd6ed8c2e05be765e94da8a4cdd28d350e57d55636b937c192aa3852bdb2b9463f031905d4fc7b27b1845b0e5ba9a6957df0bd6481ae072ec9763d0c5c40e8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh7:hDXWipuE+K3/SSHgxN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2204	DEM7EFF.exe
2728	DEMD46F.exe
1880	DEM2A1C.exe
2852	DEM7FBB.exe
620	DEMD4BD.exe
2224	DEM29CE.exe

Loads dropped DLL 6 IoCs

pid	Process
2980	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe
2204	DEM7EFF.exe
2728	DEMD46F.exe
1880	DEM2A1C.exe
2852	DEM7FBB.exe
620	DEMD4BD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7EFF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD46F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2A1C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7FBB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD4BD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2204	2980	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe	32
PID 2980 wrote to memory of 2204	2980	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe	32
PID 2980 wrote to memory of 2204	2980	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe	32
PID 2980 wrote to memory of 2204	2980	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe	32
PID 2204 wrote to memory of 2728	2204	DEM7EFF.exe	34
PID 2204 wrote to memory of 2728	2204	DEM7EFF.exe	34
PID 2204 wrote to memory of 2728	2204	DEM7EFF.exe	34
PID 2204 wrote to memory of 2728	2204	DEM7EFF.exe	34
PID 2728 wrote to memory of 1880	2728	DEMD46F.exe	36
PID 2728 wrote to memory of 1880	2728	DEMD46F.exe	36
PID 2728 wrote to memory of 1880	2728	DEMD46F.exe	36
PID 2728 wrote to memory of 1880	2728	DEMD46F.exe	36
PID 1880 wrote to memory of 2852	1880	DEM2A1C.exe	38
PID 1880 wrote to memory of 2852	1880	DEM2A1C.exe	38
PID 1880 wrote to memory of 2852	1880	DEM2A1C.exe	38
PID 1880 wrote to memory of 2852	1880	DEM2A1C.exe	38
PID 2852 wrote to memory of 620	2852	DEM7FBB.exe	40
PID 2852 wrote to memory of 620	2852	DEM7FBB.exe	40
PID 2852 wrote to memory of 620	2852	DEM7FBB.exe	40
PID 2852 wrote to memory of 620	2852	DEM7FBB.exe	40
PID 620 wrote to memory of 2224	620	DEMD4BD.exe	42
PID 620 wrote to memory of 2224	620	DEMD4BD.exe	42
PID 620 wrote to memory of 2224	620	DEMD4BD.exe	42
PID 620 wrote to memory of 2224	620	DEMD4BD.exe	42

C:\Users\Admin\AppData\Local\Temp\3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\DEM7EFF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7EFF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\DEMD46F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD46F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\DEM2A1C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2A1C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\DEM7FBB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7FBB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\DEMD4BD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD4BD.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\DEM29CE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM29CE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2A1C.exe

Filesize
14KB

MD5
a0bbe7f1fb306b97a19eecc4f1fda458

SHA1
897dd2f0c004d3e5925624623b82996e929a059b

SHA256
e8fd0cf319db75517d59b0db17a3c8d7290960099dd99174701d2c3906834656

SHA512
f095bb56000290c682e947af428000dbaa548328980fb84548e6f05d77d2b8230e4c55dca327ffec3db75f46b7c7ac45e70f55c279e62054c7b73ddd5dde3597

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD46F.exe

Filesize
14KB

MD5
c5ba5fb48e8b0e806b0e0abe21605d89

SHA1
d94ece7591f6dc17efff07be92c18ec5518660b0

SHA256
0418fb9657b9e60e675c9ef03ef1c805e49934485c336e5e35deba8f784effc9

SHA512
1095890a9c2f2871b0c2516637d364c0f267e5ea6d01c25f3a6f647d154df7a66a8dd47847d3b64f07c366cb5d0f44a9d2196b8c4000ad1fccd284a56d780a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD4BD.exe

Filesize
14KB

MD5
908508e4645ec7704d98ff42ac91a098

SHA1
4050a2f699a6efc1a3d8ec510f9977b2eb050e83

SHA256
4c261aaf08b67de75b5e5b574bbc7c8f44d0fb0195d80cf489e31ec7e11dcf20

SHA512
1e776e6c2da66c93dc1581090c540a3c9083af26db5ded177f2ae0ff5329d4926d41801a34721dbdd074bec234af65540fcbad497099f9413b09435087939b16

Download Submit
\Users\Admin\AppData\Local\Temp\DEM29CE.exe

Filesize
14KB

MD5
ff8aaa819eee677fdb91f3352eb22b33

SHA1
593b4825db404636dd1d6fe0591b98469436ac4b

SHA256
28d893a7f7931c70b95bf689d706817e06abcb31afa9878473f6d034924558c9

SHA512
2d312d14c8c2d847cb6953d8b714b4742f5f301206b92831307e5fabdac696ea7cef0cdd65f165c8a72e654bb847373c068fa48b39de326f6c992f3c28192da0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7EFF.exe

Filesize
14KB

MD5
7f46d4eadc9486dea5b4d1cd865076f1

SHA1
a541833e1a9708d6c9968c45097b297fc3676737

SHA256
f9ae66af0c0d6ce31c2a96266f842be7feaae22db12759f06ac38154f23b3e10

SHA512
ffb09e205850eb4222a954978e6c381357154972ea0be7220c4d76be3fbe9ad2a5cb02a60679355257b49dcb31d4b47a6a02ab95878f5701afd0f6055a862e0a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7FBB.exe

Filesize
14KB

MD5
1029421143d54bce4653a85e3f44005a

SHA1
5f7ff76f74b99622a9a323414179638bb898ee55

SHA256
52453bb8a2213ca25144fcba83469b733bc4ef2f160f0dc4de9ee6082d811876

SHA512
db1b2753dae87c221aefb2978360a2bfa5aa7ddea17711fcf2325b0a69668d11152a2982379831b5cbc7a896ae5a57d7263118e00c0653c53e5a6c21c36f66b1

Download Submit

Analysis

Sharing