3b2bacc081aaef7635b1943b9bb465a211a5ef19c1b4204c9200cf8120bd7afa

General

Target

3cd409e034ffd16d7a68f009c6b5a69c_JaffaCakes118.exe
Size

14KB
MD5

3cd409e034ffd16d7a68f009c6b5a69c
SHA1

1965facf724dc87f3e6deae0df6c60ed8bc6ea19
SHA256

3b2bacc081aaef7635b1943b9bb465a211a5ef19c1b4204c9200cf8120bd7afa
SHA512

29d809d47f965ebcee4f0be44e0046a2cdfb7e8143e9fcfd7ef9ee74554f3374b8d1d4c0bf52d49f37e558a0e6c35c399ab644ca1f88e7e798bed72fd986a4d3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/ws:hDXWipuE+K3/SSHgxm/H

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2684	DEMEFEA.exe
2616	DEM4624.exe
2896	DEM9B27.exe
1576	DEMF038.exe
2992	DEM454A.exe
2404	DEM9A7B.exe

Loads dropped DLL 6 IoCs

pid	Process
2008	3cd409e034ffd16d7a68f009c6b5a69c_JaffaCakes118.exe
2684	DEMEFEA.exe
2616	DEM4624.exe
2896	DEM9B27.exe
1576	DEMF038.exe
2992	DEM454A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cd409e034ffd16d7a68f009c6b5a69c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEFEA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4624.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9B27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM454A.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2684	2008	3cd409e034ffd16d7a68f009c6b5a69c_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2684	2008	3cd409e034ffd16d7a68f009c6b5a69c_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2684	2008	3cd409e034ffd16d7a68f009c6b5a69c_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2684	2008	3cd409e034ffd16d7a68f009c6b5a69c_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2616	2684	DEMEFEA.exe	33
PID 2684 wrote to memory of 2616	2684	DEMEFEA.exe	33
PID 2684 wrote to memory of 2616	2684	DEMEFEA.exe	33
PID 2684 wrote to memory of 2616	2684	DEMEFEA.exe	33
PID 2616 wrote to memory of 2896	2616	DEM4624.exe	35
PID 2616 wrote to memory of 2896	2616	DEM4624.exe	35
PID 2616 wrote to memory of 2896	2616	DEM4624.exe	35
PID 2616 wrote to memory of 2896	2616	DEM4624.exe	35
PID 2896 wrote to memory of 1576	2896	DEM9B27.exe	38
PID 2896 wrote to memory of 1576	2896	DEM9B27.exe	38
PID 2896 wrote to memory of 1576	2896	DEM9B27.exe	38
PID 2896 wrote to memory of 1576	2896	DEM9B27.exe	38
PID 1576 wrote to memory of 2992	1576	DEMF038.exe	40
PID 1576 wrote to memory of 2992	1576	DEMF038.exe	40
PID 1576 wrote to memory of 2992	1576	DEMF038.exe	40
PID 1576 wrote to memory of 2992	1576	DEMF038.exe	40
PID 2992 wrote to memory of 2404	2992	DEM454A.exe	42
PID 2992 wrote to memory of 2404	2992	DEM454A.exe	42
PID 2992 wrote to memory of 2404	2992	DEM454A.exe	42
PID 2992 wrote to memory of 2404	2992	DEM454A.exe	42

C:\Users\Admin\AppData\Local\Temp\3cd409e034ffd16d7a68f009c6b5a69c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cd409e034ffd16d7a68f009c6b5a69c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\DEMEFEA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEFEA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\DEM4624.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4624.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\DEM9B27.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9B27.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\DEMF038.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF038.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\DEM454A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM454A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\DEM9A7B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9A7B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM454A.exe

Filesize
14KB

MD5
9c76d91c2cac1fb40affe82fee12975e

SHA1
0c199502f22c41e9253ca4203a9b2313957148d3

SHA256
9831427c880b05fc3a55f50478b1af741e19cb1999c8ecc9a634847fab849106

SHA512
9538ecbc4d531ad7885ce9b5a20f6ddd8025dfbc761bba874a54b3dcc615e06faf6187b0d3207a15ee34027271dc2b10c2a96e6b4673c023695d9d108c402cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4624.exe

Filesize
14KB

MD5
e109e6910122a6a91ec777deb2e00f76

SHA1
f989fb02c5eeed206a8f452001eb79d9f2a329f8

SHA256
0b441c1e53864812783421292983db53a7d79fd076c123c7e78d791e905dcb14

SHA512
0523c6fd7d6a4d6db14047d1c4a1e581c8239a944c9afb71be4305eb0298414c383355a28170c1f5247fab7ca42cab92e590432c296a3b6131c761b0cce68067

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEFEA.exe

Filesize
14KB

MD5
afa54f8490a6a7c6a33020d9406ac13d

SHA1
51f30c72007259441206c217b43052e2cc8a76be

SHA256
5e6011f622a9b75ec8cd2acc76b6141d12f8643cd2ffa011378c96a68bf81a65

SHA512
54b3bf7b306b8228b63156df6cb811149783b5453979a9c67565fb79642193071c2e0d238bf89c38e326fdb8ddd600bc55fb049674d5f5fb1a32092c341e3dde

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9A7B.exe

Filesize
14KB

MD5
8c48e9370d724cad3a38cb08f5f1c878

SHA1
3c2ccb81a1b2d4f8cb3e6d58ee00a214784a4d68

SHA256
a3a6eccf9a1553f7f8916718e68cf4ee37d25429ea3a75dcccce434c608abdd3

SHA512
5472e9c0c7a3a2ce2b7903f20bd5b3c28f508e1f46afe53b91138d6ccde853ec61333b64250879016b49b5b61e871ea5deaf0923dae4ccd99f390f1a1f343368

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9B27.exe

Filesize
14KB

MD5
f6a53ee1a6b2d2472d691a1b5ffd8a6f

SHA1
c4d6afd89af3869de7d5eb2e06246269a524e7ef

SHA256
f2152e716a2846c09d10aedcfd3a42f717dfe764095f4f072f013865c224e695

SHA512
89697f95e6355323022786714416950f4fa1df74ee3c02bd10a0ac0d28929a9a4a5e140ca58e68f50413288de193eba2bc573d61a44b56fda18d7351ee291e6c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF038.exe

Filesize
14KB

MD5
ac2946262a2e109742e48f961a89ae98

SHA1
c74bbb133aaea3a5494fcd88b48d6cc4b9334a85

SHA256
25ab5724ccd20c807def1b401ad6b9f53eb035ca49eb25179756fbfe3670d122

SHA512
9db74bf2a091fceb007fdc2782fe9af949beb8798088202064ed42c41ee12c02067c03524ab6b5ef34eca9d5268ef0b9d95b5d334198a94f42b24cbcc9001f15

Download Submit

Analysis

Sharing