ea0e3e401488f6442774f9dfdc05b794a0d632d3a1e71bebd9bc38e42f1bb03f

General

Target

3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe
Size

14KB
MD5

3755096f70f5b06820c778af7e0b2266
SHA1

cd38bb6be49b74000727b9355368b932fbe5ce2b
SHA256

ea0e3e401488f6442774f9dfdc05b794a0d632d3a1e71bebd9bc38e42f1bb03f
SHA512

d369a7fe5a2ad5fc93e05845cf93507687f1878449544836c781d6210b652dc87caf7122313ccdea652ff24e963e8322ca627c497b2f6a018b3a564280a0e408
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhq:hDXWipuE+K3/SSHgxY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2884	DEM77AF.exe
2904	DEMCEF3.exe
1888	DEM25E8.exe
2992	DEM7BB5.exe
1800	DEMD182.exe
2408	DEM277E.exe

Loads dropped DLL 6 IoCs

pid	Process
2272	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe
2884	DEM77AF.exe
2904	DEMCEF3.exe
1888	DEM25E8.exe
2992	DEM7BB5.exe
1800	DEMD182.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM77AF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCEF3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM25E8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7BB5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD182.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2884	2272	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2884	2272	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2884	2272	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2884	2272	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe	31
PID 2884 wrote to memory of 2904	2884	DEM77AF.exe	33
PID 2884 wrote to memory of 2904	2884	DEM77AF.exe	33
PID 2884 wrote to memory of 2904	2884	DEM77AF.exe	33
PID 2884 wrote to memory of 2904	2884	DEM77AF.exe	33
PID 2904 wrote to memory of 1888	2904	DEMCEF3.exe	35
PID 2904 wrote to memory of 1888	2904	DEMCEF3.exe	35
PID 2904 wrote to memory of 1888	2904	DEMCEF3.exe	35
PID 2904 wrote to memory of 1888	2904	DEMCEF3.exe	35
PID 1888 wrote to memory of 2992	1888	DEM25E8.exe	37
PID 1888 wrote to memory of 2992	1888	DEM25E8.exe	37
PID 1888 wrote to memory of 2992	1888	DEM25E8.exe	37
PID 1888 wrote to memory of 2992	1888	DEM25E8.exe	37
PID 2992 wrote to memory of 1800	2992	DEM7BB5.exe	39
PID 2992 wrote to memory of 1800	2992	DEM7BB5.exe	39
PID 2992 wrote to memory of 1800	2992	DEM7BB5.exe	39
PID 2992 wrote to memory of 1800	2992	DEM7BB5.exe	39
PID 1800 wrote to memory of 2408	1800	DEMD182.exe	41
PID 1800 wrote to memory of 2408	1800	DEMD182.exe	41
PID 1800 wrote to memory of 2408	1800	DEMD182.exe	41
PID 1800 wrote to memory of 2408	1800	DEMD182.exe	41

C:\Users\Admin\AppData\Local\Temp\3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\DEM77AF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM77AF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\DEMCEF3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCEF3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\DEM25E8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM25E8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\DEMD182.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD182.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\DEM277E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM277E.exe"
        7⤵
        Executes dropped EXE
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM25E8.exe

Filesize
14KB

MD5
a0008f56ef7e2d9f63c9dac15c3b284e

SHA1
cfc207d5121e61dc8814c3edfc3252f62a8941b1

SHA256
dbba1b516dfd5be514379e9442a8ada27d0274441695da669b326ab93d81c8ad

SHA512
879768bea4c453e1ae5195cc196c63c49b4676f6e0d106fc2f1625ebd59c105cd12a72297d9937e4808678b1af978834e0ea577298605997e3b35813d0ebea13

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe

Filesize
14KB

MD5
56c71c4c8073083de11a0a3ef972315d

SHA1
772d30332488d5bf50c6f94e50b599c547b68d34

SHA256
80ed51da0780a1641fd18ba5e2770b439d41f32617fc2a6b52283fca293697f4

SHA512
0fd4a8a788d7fc41f9a0c5524a3e2be69c3d3706c24eb436a2900333ac7ef658d39323ed0d0029ac672c8fea4681388150c4a50e1922c2a23662198d65e58093

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCEF3.exe

Filesize
14KB

MD5
1bae470cbb51b8bda51116f87c94206c

SHA1
95b3c0cee7d6da8dd6b3976a944879853250d09f

SHA256
11e9746e3a2842b8495f2d0eb385376cc36c5dc9f96958e9e42f8e79cf9a205f

SHA512
f3ae1f1b5364df950364ad6d0704c05abefea555866325a771c7ca37910413cf4d514f6cc5474727df02552999c94c3f8986b82e55c94ffa4ccbebebde11ad58

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD182.exe

Filesize
14KB

MD5
48e361ad0ece0fd114d3481f93ce1826

SHA1
09d136a440fbd8400a1a08af9181d356d0304582

SHA256
cf3991b5b72a1d97f8c27e2ef09ee8a4842430a4ebff23711a69d7a89365a1e7

SHA512
7a73797342740556278d558e83b5fbb0af61874aabeae45cc888927bff5107c0cda48bc63fc07ae0f91c8a284775d88fabfaf68e247ca69e6a3cb62c1336aae7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM277E.exe

Filesize
14KB

MD5
58c3707e4f31e5b2799d623abd5c83ec

SHA1
de2d24311010be90869dd9165ba734341ac891ee

SHA256
f5c5608abd70822fcff064dd3bf4b763814ce0f52f5cc28d3e34af3992e8fdef

SHA512
fe6694b70a55746f8621035c6a61984f76f73ab2a5e668a7f9fcb65b323066e441e955e8b8188bf891a74add65cb523644b078e9932ff1071abe2ec2e1935d9b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM77AF.exe

Filesize
14KB

MD5
cbbf15e9696527b575ea4d5edb35be67

SHA1
dfaa68a86e8046768d555bd8fe69211a929b6f6d

SHA256
bb65a58013488fd427a18f791a0112d557a6a2c18ac315172eae2e5a611b0712

SHA512
29117321113ddc9d5784300d5f8a517f5aa45039dc9eef38e4a452ac7134e29d266710e78fb86c1a94fcdb0e11ddde6b0127200ca3986d8af9a64caf3b2021db

Download Submit

Analysis

Sharing