5fc902d366e6ee1386a8d8c4a015f55281cde13b99589e72c0365c3f8aa12e06

General

Target

3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe
Size

14KB
MD5

3c9a2900d31fb1b91c189473da7cd487
SHA1

d341b0bc21e576a70451d23dab16f5c6994a51f9
SHA256

5fc902d366e6ee1386a8d8c4a015f55281cde13b99589e72c0365c3f8aa12e06
SHA512

6f83fbc6d9bd754d602b0723944567f1355c0615aa799657d5fe62ea894f3ab51ab2656f166ce32f6119e5329cc7a178ef49f6584b6a4603436d4144e7a1625c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhP:hDXWipuE+K3/SSHgxp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2972	DEMC4B6.exe
2980	DEM19F6.exe
2656	DEM6F27.exe
1948	DEMC477.exe
1688	DEM1A06.exe
2144	DEM6F56.exe

Loads dropped DLL 6 IoCs

pid	Process
1900	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe
2972	DEMC4B6.exe
2980	DEM19F6.exe
2656	DEM6F27.exe
1948	DEMC477.exe
1688	DEM1A06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC4B6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM19F6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6F27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1A06.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2972	1900	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe	32
PID 1900 wrote to memory of 2972	1900	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe	32
PID 1900 wrote to memory of 2972	1900	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe	32
PID 1900 wrote to memory of 2972	1900	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2980	2972	DEMC4B6.exe	34
PID 2972 wrote to memory of 2980	2972	DEMC4B6.exe	34
PID 2972 wrote to memory of 2980	2972	DEMC4B6.exe	34
PID 2972 wrote to memory of 2980	2972	DEMC4B6.exe	34
PID 2980 wrote to memory of 2656	2980	DEM19F6.exe	36
PID 2980 wrote to memory of 2656	2980	DEM19F6.exe	36
PID 2980 wrote to memory of 2656	2980	DEM19F6.exe	36
PID 2980 wrote to memory of 2656	2980	DEM19F6.exe	36
PID 2656 wrote to memory of 1948	2656	DEM6F27.exe	38
PID 2656 wrote to memory of 1948	2656	DEM6F27.exe	38
PID 2656 wrote to memory of 1948	2656	DEM6F27.exe	38
PID 2656 wrote to memory of 1948	2656	DEM6F27.exe	38
PID 1948 wrote to memory of 1688	1948	DEMC477.exe	40
PID 1948 wrote to memory of 1688	1948	DEMC477.exe	40
PID 1948 wrote to memory of 1688	1948	DEMC477.exe	40
PID 1948 wrote to memory of 1688	1948	DEMC477.exe	40
PID 1688 wrote to memory of 2144	1688	DEM1A06.exe	42
PID 1688 wrote to memory of 2144	1688	DEM1A06.exe	42
PID 1688 wrote to memory of 2144	1688	DEM1A06.exe	42
PID 1688 wrote to memory of 2144	1688	DEM1A06.exe	42

C:\Users\Admin\AppData\Local\Temp\3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\DEMC4B6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC4B6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\DEM19F6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM19F6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\DEM6F27.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6F27.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\DEMC477.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC477.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\DEM1A06.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A06.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\DEM6F56.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6F56.exe"
        7⤵
        Executes dropped EXE
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM19F6.exe

Filesize
14KB

MD5
e8d7130ab1c5be53babfaf7c997faacd

SHA1
3c18c2d49f679b278f6deafb59be4a4e2fbeeb04

SHA256
f4b7f8e0e46c2fd7211995c2661b919c0cafac641beeae9d5634d6d758f2b706

SHA512
3401de742ae214196453c9086a8e46295dad1fe5ef1ace82db251c060dd9ae149d1e7da63f92120a63ca5ffe75f84ba9a5e3cdbd4af15b20eedae5160d19ed8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6F27.exe

Filesize
14KB

MD5
b9fc086b1c5c580ad46bd0b9506cf4ea

SHA1
06edddf2c494bb44567f1cb732dce29033b6c010

SHA256
6bcbf53110129d66264dc91aba4ff450039f0f037ab91b76b0c652dc0de1e756

SHA512
fa249096224fbc05eb51756551fc69c9e32e8e362bd921e64b3f3d6561c46c265b55dc616ed20e95f45c6909ca593a71fdd3762d7a90690ae9b95100d113df35

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A06.exe

Filesize
14KB

MD5
33886f9e479e432edbb27b01474be579

SHA1
f63cc483b1610c1377bc3e9667f0cd9577a1d067

SHA256
e0df20e434fcc55c41bf232fee224d5165ea4bb7459ef53dd2bfdb353a2c39bc

SHA512
a3657db935dd6497ac8b6d137881e746edb8ca294ec8fef8ef0e63868d272a762016d6829acc99bf8cbb19f96d6304fd2d04f418bdb870eeb5a5b9b55509d5d8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6F56.exe

Filesize
14KB

MD5
4c328948a7b3f722e2910846684873e1

SHA1
e81a12246297a70ccfd1469eb3863ae0824efbe5

SHA256
d86b191d3ff6c35b95435f614a479d02e57e7d0239a45c3df3d707fddd9981b0

SHA512
635102e7b36498d54fe08dc6388c498b06ac2a5dd60841cd33e80af3170944755eeaeb77c4474e1270198847d33edf90fcaa5182db2bae65faddfa5da22bdaba

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC477.exe

Filesize
14KB

MD5
f5b36cdb6d37d022cd78da2f491a395d

SHA1
a2910130160b7318ffca3847af890318f05458f7

SHA256
ba7cdae55a7df653f21f65bcd0f55e0038e77d543d2a8bfcbb55f65d70712890

SHA512
3288e9a6156fa0d7c7da62849516d29dfa06f70b430b599efe01fc10d63196d2128434e69058656066359a9a8ba2b57f8138db3b42d2e7562d3aa560740a4402

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC4B6.exe

Filesize
14KB

MD5
9b176164a72eb7db1a971adaf741ffed

SHA1
346bee69460432e825aba048af802bca949799cc

SHA256
4ad76fd0026403f68c4a504ea8ce90c43eb49f1fac2ff199b0e092cfdd1c91f6

SHA512
4f30ba5fc4f5a777a5a3d1481bc1519e53f47199abd12ff2d2c46c926aabcc9a6db12ac38d1ae1be95cd7bc5863dbfc9e0d7ec357d2c37f25abf49de6052326d

Download Submit

Analysis

Sharing