dd40156bb590a67efd281860ba3e8a9b27fc51258cd784c983f9e1ac0700b332

General

Target

3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe
Size

15KB
MD5

3b6d83310ed0b07a71a362a21663d3a0
SHA1

b912e6f5c7a8dcf15f4cfb95275795d49dd2f1c1
SHA256

dd40156bb590a67efd281860ba3e8a9b27fc51258cd784c983f9e1ac0700b332
SHA512

a1535c0b6b1534733494b524a1f1ae2091c31cc6dee048afab626bf3342b298171a3879fe51b1c161656b7dc3f92af5f1dc3de4a2dc15af1a34a85f9e1c1cf83
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxU:hDXWipuE+K3/SSHgxmHC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1852	DEMCD8C.exe
2652	DEM22CC.exe
2688	DEM77FD.exe
1712	DEMCD1F.exe
2396	DEM226F.exe
2656	DEM7790.exe

Loads dropped DLL 6 IoCs

pid	Process
2584	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe
1852	DEMCD8C.exe
2652	DEM22CC.exe
2688	DEM77FD.exe
1712	DEMCD1F.exe
2396	DEM226F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM77FD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD1F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM226F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM22CC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1852	2584	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe	32
PID 2584 wrote to memory of 1852	2584	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe	32
PID 2584 wrote to memory of 1852	2584	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe	32
PID 2584 wrote to memory of 1852	2584	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe	32
PID 1852 wrote to memory of 2652	1852	DEMCD8C.exe	34
PID 1852 wrote to memory of 2652	1852	DEMCD8C.exe	34
PID 1852 wrote to memory of 2652	1852	DEMCD8C.exe	34
PID 1852 wrote to memory of 2652	1852	DEMCD8C.exe	34
PID 2652 wrote to memory of 2688	2652	DEM22CC.exe	36
PID 2652 wrote to memory of 2688	2652	DEM22CC.exe	36
PID 2652 wrote to memory of 2688	2652	DEM22CC.exe	36
PID 2652 wrote to memory of 2688	2652	DEM22CC.exe	36
PID 2688 wrote to memory of 1712	2688	DEM77FD.exe	38
PID 2688 wrote to memory of 1712	2688	DEM77FD.exe	38
PID 2688 wrote to memory of 1712	2688	DEM77FD.exe	38
PID 2688 wrote to memory of 1712	2688	DEM77FD.exe	38
PID 1712 wrote to memory of 2396	1712	DEMCD1F.exe	40
PID 1712 wrote to memory of 2396	1712	DEMCD1F.exe	40
PID 1712 wrote to memory of 2396	1712	DEMCD1F.exe	40
PID 1712 wrote to memory of 2396	1712	DEMCD1F.exe	40
PID 2396 wrote to memory of 2656	2396	DEM226F.exe	42
PID 2396 wrote to memory of 2656	2396	DEM226F.exe	42
PID 2396 wrote to memory of 2656	2396	DEM226F.exe	42
PID 2396 wrote to memory of 2656	2396	DEM226F.exe	42

C:\Users\Admin\AppData\Local\Temp\3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\DEMCD8C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCD8C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\DEM22CC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM22CC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\DEM77FD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM77FD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\DEMCD1F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCD1F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\DEM226F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM226F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\DEM7790.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7790.exe"
        7⤵
        Executes dropped EXE
        
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM22CC.exe

Filesize
15KB

MD5
af77b2333c8abadbf7671438174f0e33

SHA1
c2d7d427ce909ced88869e71e7be9103a8559d9c

SHA256
ecf361417c2c03b143985ee72dfc02bc9bce971aee1d66ed68d56b7c38dc4e2c

SHA512
743caf83686e9cc1f913f143fa412c263dc1c8cb59ec7564adaa3f116102b3a0c9bf8c2a62141b2cb1f0b6b1422be873facf698d7bf75b1d9aa18fe216e3ea8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCD1F.exe

Filesize
15KB

MD5
981f7fe118eb0ec1d62e644186edb074

SHA1
7d9217de3cd74c9976dd186a9c67d4f2ced55a72

SHA256
a54c7ad59faebae0934bbd6794056f7a2e18919a7dfc3c7f2fbc2045a1e1ed54

SHA512
14d30a16fdea8d98ab0b76af3375460686f1e1366d50544d25aefc965aa027339d10ee9091d85bc097999dc0e04f6dd3669443180e4152dfe364f4ddf57a9e70

Download Submit
\Users\Admin\AppData\Local\Temp\DEM226F.exe

Filesize
15KB

MD5
fd536878474290dac45912bca948de8f

SHA1
cd48a65e3c3a84469840028c825f3787a0ff7866

SHA256
08d725298417e20f7d5a31b4bb617abe1747d93132a3dd71358b61f131ca5acb

SHA512
57e72ff69e4017d8c8c4b454b831dcd9f4e0e87fd43ff1639e423fd8215a1786181bcda3e0f05aa909f158510141d0ba27978cc8aea2dc4125dc7f8f15c6f7aa

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7790.exe

Filesize
15KB

MD5
a22ab42e735a1c53a3b22a32c59b99fd

SHA1
ab8ad90cbed16bfb04d7134fb745dc4d3e552df2

SHA256
b9d9af3cea469622f1cb4add792fa54ddababa4b5736de113a26211b8173776a

SHA512
d26335f8c98647a5ab867d8235a873025c13fd90676c1f18f577c2555a34dda4e7b7476e9791eae5e2dd30512a5b58beb47321bbf5000cc2a2b537b73ad939e1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM77FD.exe

Filesize
15KB

MD5
42ccf557cd030a4fbca4dea5a0f59040

SHA1
95bc384ee285e20569df67bff82e17cdf7c83882

SHA256
cde0a0a5505f8277fdf88ca0a079f683da354bafe42f233f0f75330c8e184801

SHA512
485690569f74c953b859253dcb72b4357fd1f5032d4823c9406d8f4257b481c43eff89e269c9845d692c028e45a399cb03be4b9e70a8b7ab19695eb9dd2a96d6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCD8C.exe

Filesize
15KB

MD5
a82550b5a0e7ff3a0ded45af4ba93f3c

SHA1
c6a5a5ef856b69ae5f3a1431c923f7bc9593c14c

SHA256
c81008034b2ea1a39010ea1bbb630d0217c7be1c0ca8216cc59558ec161df6d4

SHA512
1567de80af290f5b4fdf6481ca991be2a87bda15c9dc3a9d0da9ec77c96eb7088c26b1d75d99e66d9402883fad7cd47f0dafe331c426ece06fb1cb0bda01674c

Download Submit

Analysis

Sharing