656ae074cd013f1a80a1e801eb5fbe476fde0ca1944da83c4ab71ae5919760d6

General

Target

3bbd2fb9b070f684f80c81b56bb6f025_JaffaCakes118.exe
Size

14KB
MD5

3bbd2fb9b070f684f80c81b56bb6f025
SHA1

baffb03d3e6119c6dd64c424d26e679e6d0b762e
SHA256

656ae074cd013f1a80a1e801eb5fbe476fde0ca1944da83c4ab71ae5919760d6
SHA512

1672ce40cc73848eaadb514cf0472ab0cf4cd779a9178fd554ab77e5c41884448d06d472593ccd03af23700fbd10bbdd76598d87764509215fb311158ab2954c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJE6:hDXWipuE+K3/SSHgx9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2508	DEME2A2.exe
2576	DEM3840.exe
2644	DEM8D90.exe
2928	DEME33E.exe
1044	DEM39C6.exe
2084	DEM8ED7.exe

Loads dropped DLL 6 IoCs

pid	Process
1708	3bbd2fb9b070f684f80c81b56bb6f025_JaffaCakes118.exe
2508	DEME2A2.exe
2576	DEM3840.exe
2644	DEM8D90.exe
2928	DEME33E.exe
1044	DEM39C6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME33E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM39C6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bbd2fb9b070f684f80c81b56bb6f025_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME2A2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3840.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8D90.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2508	1708	3bbd2fb9b070f684f80c81b56bb6f025_JaffaCakes118.exe	32
PID 1708 wrote to memory of 2508	1708	3bbd2fb9b070f684f80c81b56bb6f025_JaffaCakes118.exe	32
PID 1708 wrote to memory of 2508	1708	3bbd2fb9b070f684f80c81b56bb6f025_JaffaCakes118.exe	32
PID 1708 wrote to memory of 2508	1708	3bbd2fb9b070f684f80c81b56bb6f025_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2576	2508	DEME2A2.exe	34
PID 2508 wrote to memory of 2576	2508	DEME2A2.exe	34
PID 2508 wrote to memory of 2576	2508	DEME2A2.exe	34
PID 2508 wrote to memory of 2576	2508	DEME2A2.exe	34
PID 2576 wrote to memory of 2644	2576	DEM3840.exe	36
PID 2576 wrote to memory of 2644	2576	DEM3840.exe	36
PID 2576 wrote to memory of 2644	2576	DEM3840.exe	36
PID 2576 wrote to memory of 2644	2576	DEM3840.exe	36
PID 2644 wrote to memory of 2928	2644	DEM8D90.exe	39
PID 2644 wrote to memory of 2928	2644	DEM8D90.exe	39
PID 2644 wrote to memory of 2928	2644	DEM8D90.exe	39
PID 2644 wrote to memory of 2928	2644	DEM8D90.exe	39
PID 2928 wrote to memory of 1044	2928	DEME33E.exe	41
PID 2928 wrote to memory of 1044	2928	DEME33E.exe	41
PID 2928 wrote to memory of 1044	2928	DEME33E.exe	41
PID 2928 wrote to memory of 1044	2928	DEME33E.exe	41
PID 1044 wrote to memory of 2084	1044	DEM39C6.exe	43
PID 1044 wrote to memory of 2084	1044	DEM39C6.exe	43
PID 1044 wrote to memory of 2084	1044	DEM39C6.exe	43
PID 1044 wrote to memory of 2084	1044	DEM39C6.exe	43

C:\Users\Admin\AppData\Local\Temp\3bbd2fb9b070f684f80c81b56bb6f025_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3bbd2fb9b070f684f80c81b56bb6f025_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\DEME2A2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME2A2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\DEM3840.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3840.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\DEM8D90.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8D90.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\DEME33E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME33E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Users\Admin\AppData\Local\Temp\DEM39C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM39C6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\DEM8ED7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8ED7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3840.exe

Filesize
14KB

MD5
58dedce62c2cab9f45cec96576bfac82

SHA1
7d398d65682361eadcb9155071da70e131303859

SHA256
da2254e102f039d10d48cedd972b9db4cd2ae99c56bc55e9c143f0d9da689255

SHA512
b3086c02929b445594cfae6999c9991c66d3e8898dcda0eca393f2a4e84f0c8ddc523fe740909d62503da261f9c72120517d7edb6af6aee4b19a4d514266b5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8ED7.exe

Filesize
14KB

MD5
3941e5ddf5ec0b6740ca6d9d6e619fe6

SHA1
054a5d6c8d3332f15874709aab3383fdd4956558

SHA256
5ce271a6a336c6146c512fbff3649d91a76a99f7427c131ebc333abdc2cc9b66

SHA512
f54e260f006f392092353e3d5ff7d8373e6c7692f02120c9e5abb28c3c76dd836914af11dbfc69ee80e21ab30b25c28e25972c46a9f080bcd9c1377747d25d9b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM39C6.exe

Filesize
14KB

MD5
1638331bce3450f0052a513fe81285a1

SHA1
fb04ea89838c5c19a23f4aa135f6ae2e1faa3903

SHA256
4b4ccb5e31a2aaab4b6177d5f37a49532b5301d63c97889a55db9a1942e3d5b6

SHA512
089cdce6a3683640cf208ca338e8876a451f6c67466faf1f7fbca2c47c1ff90abdd6fe595d4b7462ce5a0c6a0aac9d8168e717412220890c81d32173bae11188

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8D90.exe

Filesize
14KB

MD5
065a14ac6ce249e1de436b2cc738bde3

SHA1
d7445fcdebb5fe0112fe611c78315f161b47ba1e

SHA256
40fd4cf682a6014c273d907f92b6dcb6a57fa566cebbb73b20775b54e222088d

SHA512
7ee65450c17414c6c21bd8be61819b380220130e1684350de09ebebc8c97b9a13e7c68496109037c1fcbeb20d43f8164b9eb1408ea4946d2b1a8ee4d1215ef18

Download Submit
\Users\Admin\AppData\Local\Temp\DEME2A2.exe

Filesize
14KB

MD5
f4ac85cd00b2a9d20c4a1c3806aedd26

SHA1
c511f8b07ebd02e1f5b2a2bddbc7d4dd0afc0029

SHA256
c54ef20d620f7022dd9a9f2c5d6f1da83099d7d08bdc58d970a4420daf1c7f31

SHA512
a67a6fcf71ee814c3715a4aba54a96c83e5b4d3f69e301f6ca6f534752ed6358bb3fc0ab5c9a0729b2130aa1f13dea993e39aa715db0eafa1544ea79cb256047

Download Submit
\Users\Admin\AppData\Local\Temp\DEME33E.exe

Filesize
14KB

MD5
5fc60922358133ecb3649c7e5645aac1

SHA1
810d89f6a170f9a06fff065f716f26a8bd904180

SHA256
3ef4620a8b44af2131f6b077de0e9466ee1e5404f4d333e172434cef9c0a1aec

SHA512
6f0ce29bc695d00d26b80099cd5bbc53c8ed17820631208be5b798a72a354a62239a496136cc2129d5c9aafaef5aef33b10364667d5cbe925690cbde5b42df07

Download Submit

Analysis

Sharing