90eaf87fa7bc71569867eaa901657bab6a4d67c8b8d0ffc0863decc1de2f432a

General

Target

3af86410c2ea1ec1e0a868c73be0554c_JaffaCakes118.exe
Size

14KB
MD5

3af86410c2ea1ec1e0a868c73be0554c
SHA1

520c63e714bc25e3e1472883d896e87456d0f5c5
SHA256

90eaf87fa7bc71569867eaa901657bab6a4d67c8b8d0ffc0863decc1de2f432a
SHA512

14084a22531a5ebd89ac143af0d604709927b4ee7a3e266f043a03859c55a7a848abc1e2017cc4d7ee51d54e892f7758d8139829ee787140b31eaa294dacea9f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5Z:hDXWipuE+K3/SSHgxmz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2896	DEMCC83.exe
2420	DEM21C3.exe
1860	DEM76F4.exe
1648	DEMCD5D.exe
2676	DEM22EC.exe
988	DEM784B.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	3af86410c2ea1ec1e0a868c73be0554c_JaffaCakes118.exe
2896	DEMCC83.exe
2420	DEM21C3.exe
1860	DEM76F4.exe
1648	DEMCD5D.exe
2676	DEM22EC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM22EC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3af86410c2ea1ec1e0a868c73be0554c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCC83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM21C3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM76F4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD5D.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2896	2528	3af86410c2ea1ec1e0a868c73be0554c_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2896	2528	3af86410c2ea1ec1e0a868c73be0554c_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2896	2528	3af86410c2ea1ec1e0a868c73be0554c_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2896	2528	3af86410c2ea1ec1e0a868c73be0554c_JaffaCakes118.exe	32
PID 2896 wrote to memory of 2420	2896	DEMCC83.exe	34
PID 2896 wrote to memory of 2420	2896	DEMCC83.exe	34
PID 2896 wrote to memory of 2420	2896	DEMCC83.exe	34
PID 2896 wrote to memory of 2420	2896	DEMCC83.exe	34
PID 2420 wrote to memory of 1860	2420	DEM21C3.exe	36
PID 2420 wrote to memory of 1860	2420	DEM21C3.exe	36
PID 2420 wrote to memory of 1860	2420	DEM21C3.exe	36
PID 2420 wrote to memory of 1860	2420	DEM21C3.exe	36
PID 1860 wrote to memory of 1648	1860	DEM76F4.exe	38
PID 1860 wrote to memory of 1648	1860	DEM76F4.exe	38
PID 1860 wrote to memory of 1648	1860	DEM76F4.exe	38
PID 1860 wrote to memory of 1648	1860	DEM76F4.exe	38
PID 1648 wrote to memory of 2676	1648	DEMCD5D.exe	40
PID 1648 wrote to memory of 2676	1648	DEMCD5D.exe	40
PID 1648 wrote to memory of 2676	1648	DEMCD5D.exe	40
PID 1648 wrote to memory of 2676	1648	DEMCD5D.exe	40
PID 2676 wrote to memory of 988	2676	DEM22EC.exe	42
PID 2676 wrote to memory of 988	2676	DEM22EC.exe	42
PID 2676 wrote to memory of 988	2676	DEM22EC.exe	42
PID 2676 wrote to memory of 988	2676	DEM22EC.exe	42

C:\Users\Admin\AppData\Local\Temp\3af86410c2ea1ec1e0a868c73be0554c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3af86410c2ea1ec1e0a868c73be0554c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\DEMCC83.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCC83.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\DEM21C3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM21C3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\DEM76F4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM76F4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\DEMCD5D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCD5D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Users\Admin\AppData\Local\Temp\DEM22EC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM22EC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\DEM784B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM784B.exe"
        7⤵
        Executes dropped EXE
        
        PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM21C3.exe

Filesize
14KB

MD5
007b7b4b645d060cd3217c2ad456c860

SHA1
add176cdc9a2308b2cadb736c7416fd3da4bf576

SHA256
cb9a7eabaaeadf6434d22e65f90a0cd72716b4bdaa7bab96f1e8d33ac5e9ac74

SHA512
fe1b0cdeb7240cf7a3ccae59d67b5fa0768e1f8c66ef7059c77d0c02e10f3ebc848df20858c67e3bdb454e9e98afe9a97bac3623677a9108dfb388c49f8792e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCC83.exe

Filesize
14KB

MD5
51d94c494a71ee97ea061bf376fab94d

SHA1
b50fb37f36d9913c257353a0ee227754fb2c001b

SHA256
3b0cc80d10c312a06eb06ee2f8c79b1bd9b63a677f530dd0a006cf5fd0daca28

SHA512
0bd1eeb777f320393e9e399f16e3c4c8d48b8cc90d86e1a8974d9d29134463ada1cd6d558c0b13dc693c4cca6c5de2a45208e88c62448942ce3a508e188eeb32

Download Submit
\Users\Admin\AppData\Local\Temp\DEM22EC.exe

Filesize
14KB

MD5
464b682750fcbffc79ce0e946686fa2c

SHA1
ba79320585166cd29acce3ea2c2349132ece57b3

SHA256
639765b0a0eacddbc81915a2dba19541042973472c823cd7db495b05e77ea95c

SHA512
b75dccf2a6433ff2ce61ddb5d61ccf4d239c194e41a5e2d3aab5f1ed93e90c6e5bc8850db5989f7751e044951065561b12d1d1a38639fcc70469444ebd2dbd5d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM76F4.exe

Filesize
14KB

MD5
56d8cdb88de4e89703d01c6781e13c47

SHA1
b9eaf28d500df12d0030df85449faea251468ba1

SHA256
4e2d62e4c54de20e3af429970dcd27fe3e46963286be11e2cbf0eed44dadc560

SHA512
7a0bc1a51559d36f2b7057d363031a0d37a022c4add34333504a760813a225eb5692aa5468a0762cd3831075285680c2ed1bbd513f557f0207dc24836fbfb56d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM784B.exe

Filesize
14KB

MD5
f4074def6e56c1ee2cf906c5ea618345

SHA1
2e13f929a7e27ca61a56908baa2b98989b6e9323

SHA256
cfecfca937c521af1c48be7300641a59166b5b079eb20d1b9649741092ed1dfe

SHA512
0e582effc387b9d4576674fa6fd8342cc2bebc6cb2d2939f911aeb82839fc503c6738e4d841c60df5ad7f987df164bbd16b721845abc3d2f35d05a5f40a7ffc6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCD5D.exe

Filesize
14KB

MD5
1dc331392f67ff4747ec0888aad6563c

SHA1
5cfe806dc8bee2f00411c8614b549f19f4557bd6

SHA256
8951dd6889afe339d8bdb56ac2bd596a34e8efc7f7a1bf04abc13b30cba602d0

SHA512
206fe2efa5cb8eed4919e52101a9e3c8d617ad2829630d321817068fb3c0faf1c56edfa9c9bc16a118e9dc2fed3387e1c76df397418d14a974534762340d102d

Download Submit

Analysis

Sharing