7ba90eb59358d4af9e88ccde2aaadc673f1bafb44621af6427a98ad8ad71cf2a

General

Target

37aabd3cfa961f7406fa49c558adb056_JaffaCakes118.exe
Size

14KB
MD5

37aabd3cfa961f7406fa49c558adb056
SHA1

9ef29aaba44a75864bd83bf0fb892ca454521ae3
SHA256

7ba90eb59358d4af9e88ccde2aaadc673f1bafb44621af6427a98ad8ad71cf2a
SHA512

491b98cbd68ae73c620d8e598fda0d9f4a1659a2ad364e246dcbf5e6f851fe3e8ece9c36a9a482a472aa8c59861caa5a957c67ec038e0966022e81641400d583
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhj:hDXWipuE+K3/SSHgxp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2888	DEMFD62.exe
2772	DEM533F.exe
2160	DEMA88F.exe
1508	DEMFE1D.exe
1148	DEM534E.exe
3000	DEMA87F.exe

Loads dropped DLL 6 IoCs

pid	Process
2420	37aabd3cfa961f7406fa49c558adb056_JaffaCakes118.exe
2888	DEMFD62.exe
2772	DEM533F.exe
2160	DEMA88F.exe
1508	DEMFE1D.exe
1148	DEM534E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM533F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA88F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFE1D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM534E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37aabd3cfa961f7406fa49c558adb056_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFD62.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2888	2420	37aabd3cfa961f7406fa49c558adb056_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2888	2420	37aabd3cfa961f7406fa49c558adb056_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2888	2420	37aabd3cfa961f7406fa49c558adb056_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2888	2420	37aabd3cfa961f7406fa49c558adb056_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2772	2888	DEMFD62.exe	32
PID 2888 wrote to memory of 2772	2888	DEMFD62.exe	32
PID 2888 wrote to memory of 2772	2888	DEMFD62.exe	32
PID 2888 wrote to memory of 2772	2888	DEMFD62.exe	32
PID 2772 wrote to memory of 2160	2772	DEM533F.exe	34
PID 2772 wrote to memory of 2160	2772	DEM533F.exe	34
PID 2772 wrote to memory of 2160	2772	DEM533F.exe	34
PID 2772 wrote to memory of 2160	2772	DEM533F.exe	34
PID 2160 wrote to memory of 1508	2160	DEMA88F.exe	36
PID 2160 wrote to memory of 1508	2160	DEMA88F.exe	36
PID 2160 wrote to memory of 1508	2160	DEMA88F.exe	36
PID 2160 wrote to memory of 1508	2160	DEMA88F.exe	36
PID 1508 wrote to memory of 1148	1508	DEMFE1D.exe	38
PID 1508 wrote to memory of 1148	1508	DEMFE1D.exe	38
PID 1508 wrote to memory of 1148	1508	DEMFE1D.exe	38
PID 1508 wrote to memory of 1148	1508	DEMFE1D.exe	38
PID 1148 wrote to memory of 3000	1148	DEM534E.exe	40
PID 1148 wrote to memory of 3000	1148	DEM534E.exe	40
PID 1148 wrote to memory of 3000	1148	DEM534E.exe	40
PID 1148 wrote to memory of 3000	1148	DEM534E.exe	40

C:\Users\Admin\AppData\Local\Temp\37aabd3cfa961f7406fa49c558adb056_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37aabd3cfa961f7406fa49c558adb056_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\DEMFD62.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMFD62.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\DEM533F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM533F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\DEMA88F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA88F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\DEMFE1D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE1D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Users\Admin\AppData\Local\Temp\DEM534E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM534E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\DEMA87F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA87F.exe"
        7⤵
        Executes dropped EXE
        
        PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM533F.exe

Filesize
14KB

MD5
e009c1962ea209520fd8deaf5f8f19a6

SHA1
def7d220780776b1c8016c48e2bd882566007644

SHA256
8006c9bed8b84103107dca5b2e26133b4c0c81dbc3835d0b32f91404118e6a50

SHA512
b6ecbcdb3d4c92662444f7cb79106f929df566157bea134e6223ffd6e2cfbddef7ad63cfc3357074ac02aa07e03e1045cdaa38a174163a42dac9377aac7dafae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA87F.exe

Filesize
14KB

MD5
c119146b2ead8ef143fe2425eadce615

SHA1
21993f7b284157272e866e0905327cc6499c7658

SHA256
f81d7952be21c0629b5cd4b608aaf8255335afad2ecd26979fd1c51381ad46fa

SHA512
a17291afdbf6d1fa3a6cf87af1f9b944166ef7657b6c20a4956b1a126ea29864362ca05069b041f8a841dad0039b22c3d7eba03094e3feafd7ea1ca178057ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA88F.exe

Filesize
14KB

MD5
c12a48041698629ffba9a8ececde4bc3

SHA1
085d156900a1e43439d5ebbd11e412ced27c42c4

SHA256
d746f3d8aa551aa3eb4bc3cb93aa74f5aa7d568bc7af85e3fcf91cdda6a9a93e

SHA512
659b8ff470d3870726cdc3fe4c4a8fb9018511ad6ee856819ed838355214825f78d7feb4304019760ba942ada12ad9c9c0c960e7716751022ed62e61917c03f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFD62.exe

Filesize
14KB

MD5
385b203735c35fb965bd5baf3adf2839

SHA1
a2a33aa573942b0adce00059d35b22d045b90c2d

SHA256
7f036384b35f2bc05694e60ecf40483a4b3264224aedf226b4bf4ecd9df9998d

SHA512
376c3e27d5c9ee35620128788c86c8e612071b53e57b5927c7cc7859bc02594fa5607eeba6c1d480fe497bec99d23ec1957d8d6e6c594447ed0a6f863df8cc19

Download Submit
\Users\Admin\AppData\Local\Temp\DEM534E.exe

Filesize
14KB

MD5
8a67504642f23a9ff355c7ed2ce01926

SHA1
f0c6e4396af5b17c19df4a647712d81d3749b34e

SHA256
341150e50bfe9574585e10309ee63c85485fe5c16c7374ea657dc918ad8ba9ef

SHA512
86286f283d7830dc0bf37320892395a714d57c98085cc1d63bebccb32a88e3946c7884181c973a250d702ae70549fc4b79c9ab333a96919124fe818380f4f16c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFE1D.exe

Filesize
14KB

MD5
ac3d5a6a3f61d001eb1a0ab6d4c1d0a8

SHA1
f0cecacfaa250a5dae62f3dffe6ff0d4d82a2f7c

SHA256
1cae4729c76c2b37f77ae056d64f7ebd569516c83398eef562eb03e8feb13dfb

SHA512
5849c92344047ddbbf88e7f3d357c83c77255cb7d22683c8770dd260f9dc79684932f069d2f207dbf5249bbd9685eacea766fb838b61695ad4c33cbf4ae76f03

Download Submit

Analysis

Sharing