e9f189b220035b707dba2835ccd16af2117016005f50a16fe8a768f9b0c089d0

General

Target

386428b8fffa2e51337b5127be7a5ae9_JaffaCakes118.exe
Size

14KB
MD5

386428b8fffa2e51337b5127be7a5ae9
SHA1

4e592170097ae37a390a7b3ef8b8b0c8d6f206c9
SHA256

e9f189b220035b707dba2835ccd16af2117016005f50a16fe8a768f9b0c089d0
SHA512

0098b4cd71d46a6f87b8b941f2dda4d0fd3caa68c7aef6ef0788a60cf93400b669e340439b170ad0e1f3e8e66f7bb0246c63f74a3c50f3824abc00571c5c6125
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR4N:hDXWipuE+K3/SSHgxsN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2940	DEM32C4.exe
1604	DEM8A26.exe
2256	DEMDFC4.exe
1976	DEM35A1.exe
2464	DEM8B7D.exe
3012	DEME1F6.exe

Loads dropped DLL 6 IoCs

pid	Process
2860	386428b8fffa2e51337b5127be7a5ae9_JaffaCakes118.exe
2940	DEM32C4.exe
1604	DEM8A26.exe
2256	DEMDFC4.exe
1976	DEM35A1.exe
2464	DEM8B7D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM32C4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8A26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDFC4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM35A1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8B7D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	386428b8fffa2e51337b5127be7a5ae9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2940	2860	386428b8fffa2e51337b5127be7a5ae9_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2940	2860	386428b8fffa2e51337b5127be7a5ae9_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2940	2860	386428b8fffa2e51337b5127be7a5ae9_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2940	2860	386428b8fffa2e51337b5127be7a5ae9_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1604	2940	DEM32C4.exe	33
PID 2940 wrote to memory of 1604	2940	DEM32C4.exe	33
PID 2940 wrote to memory of 1604	2940	DEM32C4.exe	33
PID 2940 wrote to memory of 1604	2940	DEM32C4.exe	33
PID 1604 wrote to memory of 2256	1604	DEM8A26.exe	35
PID 1604 wrote to memory of 2256	1604	DEM8A26.exe	35
PID 1604 wrote to memory of 2256	1604	DEM8A26.exe	35
PID 1604 wrote to memory of 2256	1604	DEM8A26.exe	35
PID 2256 wrote to memory of 1976	2256	DEMDFC4.exe	38
PID 2256 wrote to memory of 1976	2256	DEMDFC4.exe	38
PID 2256 wrote to memory of 1976	2256	DEMDFC4.exe	38
PID 2256 wrote to memory of 1976	2256	DEMDFC4.exe	38
PID 1976 wrote to memory of 2464	1976	DEM35A1.exe	40
PID 1976 wrote to memory of 2464	1976	DEM35A1.exe	40
PID 1976 wrote to memory of 2464	1976	DEM35A1.exe	40
PID 1976 wrote to memory of 2464	1976	DEM35A1.exe	40
PID 2464 wrote to memory of 3012	2464	DEM8B7D.exe	42
PID 2464 wrote to memory of 3012	2464	DEM8B7D.exe	42
PID 2464 wrote to memory of 3012	2464	DEM8B7D.exe	42
PID 2464 wrote to memory of 3012	2464	DEM8B7D.exe	42

C:\Users\Admin\AppData\Local\Temp\386428b8fffa2e51337b5127be7a5ae9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\386428b8fffa2e51337b5127be7a5ae9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\DEM32C4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM32C4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\DEM8A26.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8A26.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\DEMDFC4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDFC4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\DEM35A1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM35A1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\DEM8B7D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B7D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\DEME1F6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME1F6.exe"
        7⤵
        Executes dropped EXE
        
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8A26.exe

Filesize
14KB

MD5
0e1bd1d4cb05a91260e0066bd520ec9c

SHA1
0c727af0a3d0726779dcefc2f7cc6adf51aebd58

SHA256
655b59b725eee99b2d7fb6eedce683812e2e4c67a3d2e559e3d6d6e582e649ae

SHA512
fb452190219b0cdccde15831d9673e5bd106f5e6834fbd57405b9b0581339feddb4c62332d64876dc04f7f2997e5b77e420be1549c3d8f63b0fb26b0adbf2c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDFC4.exe

Filesize
14KB

MD5
94bdcac31bda888e5c0e3e8e4262cae2

SHA1
fd752540404957cc996a1c3170644fb6f59f2333

SHA256
e68010a8213cfa44c91e29b93ccaaad600e4fed1aa733135794c6a8a2394aa2e

SHA512
8025f69851df6f573994a8cf0f17ed85ebd37895580e68688b954aa89f21932dbb43f625be03f274334853c3f153b1591093b01b1a56c1da5b060624f0ff6156

Download Submit
\Users\Admin\AppData\Local\Temp\DEM32C4.exe

Filesize
14KB

MD5
547119ad6d96d8a57d892936d93606c4

SHA1
d000e7621c69e2c6fa46698d20f015d16040793f

SHA256
80cddd437b454f0e12efcacf6e0f5362fb30b32a8bfb0e54cf32b09923c34314

SHA512
46271dc2b033d06e6752a7ff99d1163dc4776426d9e11e18d488c83e2654c0ab2297d2b72ae6c835f396d1ba3eb581697bcca45fe3ca790f8058ed363c9b6055

Download Submit
\Users\Admin\AppData\Local\Temp\DEM35A1.exe

Filesize
14KB

MD5
cb57b15af040284051dd70d1beb7d933

SHA1
cb287cbea0fd01567a4c42adf35592d14d03b63e

SHA256
6aea45f059f418bdbe3b6978f85e82f0c26dd5521df78862dbc07b4b17d2d98b

SHA512
988333c2eb7507e2b9bb61722cd8fe94cbd9c341ffcfe4c1c85ae52b2b81b5cef67e27fffcdfe4b6c0c6ee96695258f3162062a005b91737ee9abb06f81d3422

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8B7D.exe

Filesize
14KB

MD5
589a0abe64433f4520c7e43f15acb4a9

SHA1
2eac519909b23f4eccee79a382674781265b1521

SHA256
af8325010bd045b5dca9455c055c2c5511afa6748b1a1a0fd90eec4eebe773bf

SHA512
4f463d3610a5e5ecb4eafa0252dfec718182a6674fa3cda3ddac288838a086816a662bcba7c606fd4f0db2867739f49678bd96752a8e4ff55b9690790b1b4e53

Download Submit
\Users\Admin\AppData\Local\Temp\DEME1F6.exe

Filesize
14KB

MD5
9cbe32b4c489a18c69c686aae1167829

SHA1
ba48055f2f55ba0b1b497259641209f16eb902d0

SHA256
54946e5f3ac6586004a3e4eda44eaf675440a35b7c0f506c0b1a6e178028e399

SHA512
a05a5afc7c97dc43649a20f4951581261a94682924fde86e4befaf81f445bebf1adc124781feb708dbd102e253e692b06a4b2c329062f194a91428097cae969e

Download Submit

Analysis

Sharing