cb5906eef6ea91e3fb09e901974d062799dabf02ec7f15eeff28cf7569e5031f

General

Target

39a73e5c92e8e3a33b985120127caac4_JaffaCakes118.exe
Size

14KB
MD5

39a73e5c92e8e3a33b985120127caac4
SHA1

dd24a320d014191b63489652b2d2c7217dabbc36
SHA256

cb5906eef6ea91e3fb09e901974d062799dabf02ec7f15eeff28cf7569e5031f
SHA512

892e1bc0c13ef0764a7ae334ff85eb00e2c767b88ac42c1b28297b009813e50c89e950128528a543cdc5530cc66ac6d6f8c89c23377fbe38d52b0af17d9e4d33
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhIF5O:hDXWipuE+K3/SSHgxyF5O

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2860	DEM6E4.exe
2728	DEM5C05.exe
1600	DEMB1D2.exe
2872	DEM6E5.exe
1632	DEM5BF5.exe
2272	DEMB107.exe

Loads dropped DLL 6 IoCs

pid	Process
2712	39a73e5c92e8e3a33b985120127caac4_JaffaCakes118.exe
2860	DEM6E4.exe
2728	DEM5C05.exe
1600	DEMB1D2.exe
2872	DEM6E5.exe
1632	DEM5BF5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB1D2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5BF5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39a73e5c92e8e3a33b985120127caac4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6E4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5C05.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2860	2712	39a73e5c92e8e3a33b985120127caac4_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2860	2712	39a73e5c92e8e3a33b985120127caac4_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2860	2712	39a73e5c92e8e3a33b985120127caac4_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2860	2712	39a73e5c92e8e3a33b985120127caac4_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2728	2860	DEM6E4.exe	33
PID 2860 wrote to memory of 2728	2860	DEM6E4.exe	33
PID 2860 wrote to memory of 2728	2860	DEM6E4.exe	33
PID 2860 wrote to memory of 2728	2860	DEM6E4.exe	33
PID 2728 wrote to memory of 1600	2728	DEM5C05.exe	35
PID 2728 wrote to memory of 1600	2728	DEM5C05.exe	35
PID 2728 wrote to memory of 1600	2728	DEM5C05.exe	35
PID 2728 wrote to memory of 1600	2728	DEM5C05.exe	35
PID 1600 wrote to memory of 2872	1600	DEMB1D2.exe	37
PID 1600 wrote to memory of 2872	1600	DEMB1D2.exe	37
PID 1600 wrote to memory of 2872	1600	DEMB1D2.exe	37
PID 1600 wrote to memory of 2872	1600	DEMB1D2.exe	37
PID 2872 wrote to memory of 1632	2872	DEM6E5.exe	39
PID 2872 wrote to memory of 1632	2872	DEM6E5.exe	39
PID 2872 wrote to memory of 1632	2872	DEM6E5.exe	39
PID 2872 wrote to memory of 1632	2872	DEM6E5.exe	39
PID 1632 wrote to memory of 2272	1632	DEM5BF5.exe	41
PID 1632 wrote to memory of 2272	1632	DEM5BF5.exe	41
PID 1632 wrote to memory of 2272	1632	DEM5BF5.exe	41
PID 1632 wrote to memory of 2272	1632	DEM5BF5.exe	41

C:\Users\Admin\AppData\Local\Temp\39a73e5c92e8e3a33b985120127caac4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39a73e5c92e8e3a33b985120127caac4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\DEM6E4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6E4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\DEM5C05.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5C05.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\DEMB1D2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB1D2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\DEM6E5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Users\Admin\AppData\Local\Temp\DEM5BF5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5BF5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\DEMB107.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB107.exe"
        7⤵
        Executes dropped EXE
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5BF5.exe

Filesize
14KB

MD5
40518d3e91116057bb933d5f1ff6afb7

SHA1
7f1f6222ae7de0640b85844ccbfdf2b25c6d383a

SHA256
f4b19ccafb69a6f07b9c1618924d432390d56c9a7e90b7ac4872ef8b678f51e7

SHA512
ebac3083d914e32be7df37ed26297a4c3c8048c113a927c9e12d23876ce6252392d2a35772d8b671b5c7d1167842089beef39cdb9771866075e8549ef1596814

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5C05.exe

Filesize
14KB

MD5
57f662a2bc38124cb72f5b2b923314cd

SHA1
e177032d6acb74d18c25c24d7d24024a95b6c3b3

SHA256
3085d93ae0eacba436fced108a21e3c4985c1991a0f15e28b9dbf7333521d95a

SHA512
bc72e174a5305dafa9db21939e94a1ea83237bed0337d2c7f3fa05eeb0bb2cd3960dd8642149923f18badf55b1914cbfbfbce0e650ed49c28c8fdffb42f7c468

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6E4.exe

Filesize
14KB

MD5
f76043b0cebb185e5245733fb9682079

SHA1
11fa617deadb706b78e968814e18e72c3c439478

SHA256
6e8ad233ec273c3738f67742670c64c5ba56c8ffd12650b1eb9bcb267010d6e5

SHA512
f29fe5346f5d035760090473c6120aa179754950851743397196623e3148ddad24563625aae702cc85e311b143668e19c5796a4b3668934f0b7e45bb61f467ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB107.exe

Filesize
14KB

MD5
2c08dc72f608156e061f0010fdc8aebd

SHA1
3fd00503c193ef1927f0665812e53eb2d16c0201

SHA256
7e25a075a1a14b7e4d736b4a61017dae39ec7ca32b945445995939cee655c047

SHA512
c968bf77fbb3894ad898589198c320b49e3be37d46583aec000eeb068715bc01dbe869502d7d7edcb00ff616607aa12bd8c913a2b9fb2f99cbc6619a2b443258

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB1D2.exe

Filesize
14KB

MD5
b37edb651bd30ccf099eabc22ce15b53

SHA1
a32b9baa47bd0566986da28aadd17a1232d234c8

SHA256
fd42a5c41b94a025cbe6b60d68daa4162c1b09675b5e110856da27e948d5dfff

SHA512
3b234423585c2ea5712b821d82ad1bbdc31905308915d7b18d7e0e952cc204a8c41bbc97ed760c559e98706efcc7ccde360dad83524333ecd366f9b3ea135246

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6E5.exe

Filesize
14KB

MD5
246b0044a1d7771dacf327f1c408cb99

SHA1
56129a3e1121df98b0a4c5de3333bd7091d93ae7

SHA256
a994d75800b0d5bbe33d424498044b768f07dce7a65e2e957e4518a419875594

SHA512
ed3de6a7318b7319ff38c614a09ae0415044101af0eac93e6b69d42ad5c302b405424bc33368a17ddd6e93e21df540c52290cf8c4828628f3e0f0802561589b5

Download Submit

Analysis

Sharing