651357b39854dde06a526cb37836264a7df605911ce589c848c2e4120ae965d4

General

Target

3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe
Size

14KB
MD5

3cdacb6ab5121019143c5c96e67f2000
SHA1

6d0aacb61a250492c118915902ee747d7bc82d98
SHA256

651357b39854dde06a526cb37836264a7df605911ce589c848c2e4120ae965d4
SHA512

f87aaef1ca9fab141eb976db4360bf510b8358801a4f59b181ab6ac48db2ede43bd50559f79418b46ba94bf7552b0086ad38ac3b47c75ec6d1e286286cfa7ade
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5S:hDXWipuE+K3/SSHgxm0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2856	DEME3CA.exe
2744	DEM39C6.exe
2068	DEM8F45.exe
2184	DEME5AE.exe
2932	DEM3B7A.exe
2500	DEM9270.exe

Loads dropped DLL 6 IoCs

pid	Process
2448	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe
2856	DEME3CA.exe
2744	DEM39C6.exe
2068	DEM8F45.exe
2184	DEME5AE.exe
2932	DEM3B7A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME3CA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM39C6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8F45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME5AE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3B7A.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2856	2448	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2856	2448	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2856	2448	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2856	2448	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe	30
PID 2856 wrote to memory of 2744	2856	DEME3CA.exe	32
PID 2856 wrote to memory of 2744	2856	DEME3CA.exe	32
PID 2856 wrote to memory of 2744	2856	DEME3CA.exe	32
PID 2856 wrote to memory of 2744	2856	DEME3CA.exe	32
PID 2744 wrote to memory of 2068	2744	DEM39C6.exe	34
PID 2744 wrote to memory of 2068	2744	DEM39C6.exe	34
PID 2744 wrote to memory of 2068	2744	DEM39C6.exe	34
PID 2744 wrote to memory of 2068	2744	DEM39C6.exe	34
PID 2068 wrote to memory of 2184	2068	DEM8F45.exe	36
PID 2068 wrote to memory of 2184	2068	DEM8F45.exe	36
PID 2068 wrote to memory of 2184	2068	DEM8F45.exe	36
PID 2068 wrote to memory of 2184	2068	DEM8F45.exe	36
PID 2184 wrote to memory of 2932	2184	DEME5AE.exe	38
PID 2184 wrote to memory of 2932	2184	DEME5AE.exe	38
PID 2184 wrote to memory of 2932	2184	DEME5AE.exe	38
PID 2184 wrote to memory of 2932	2184	DEME5AE.exe	38
PID 2932 wrote to memory of 2500	2932	DEM3B7A.exe	40
PID 2932 wrote to memory of 2500	2932	DEM3B7A.exe	40
PID 2932 wrote to memory of 2500	2932	DEM3B7A.exe	40
PID 2932 wrote to memory of 2500	2932	DEM3B7A.exe	40

C:\Users\Admin\AppData\Local\Temp\3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\DEME3CA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME3CA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\DEM39C6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM39C6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\DEM8F45.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8F45.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Users\Admin\AppData\Local\Temp\DEME5AE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME5AE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\DEM3B7A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3B7A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\DEM9270.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9270.exe"
        7⤵
        Executes dropped EXE
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM39C6.exe

Filesize
14KB

MD5
278a84e1851427c212a388ba4a8be44d

SHA1
628be7a27dd5a94c3aabd2440ce891f8478c3c60

SHA256
7132f572c4b568412a65e5d8106e77df62e45c3472b8dd6756382d6bce84e734

SHA512
54b0b0b494113bd0c802ca4308478908905324246c221e46a658516387516059dfa4ac7dd4a3db0d0049a6971e214cce04397314629b43da2b05f8f4ac9c20eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3B7A.exe

Filesize
14KB

MD5
e80c1424cc082efe24167048031c002b

SHA1
c6ae699b5e1e7565c97d73330202155e7ae1215d

SHA256
300a930e6c1bb12b72b1dffcae2e66832e6e1ecc37907d7689f7ebc6752a20b9

SHA512
30418f3fa336fa16469d5ed5fbfff87845f3f9e64f661215e77079b1afe8e38a475f137ae043ccf3744cbf72954899159408e65643ce8c7215aac86d70aed351

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8F45.exe

Filesize
14KB

MD5
38ab0d3c6c4e86bedfa193841649b223

SHA1
9c9c0d1604a9e010cfa36874a799c1a396449006

SHA256
a2173123904d58088ea9fa6f2688108750242028f45073c94a38fcda306281fe

SHA512
1e9fcdc3fad86c67aa1e102f28fc3d3da94fd43ebf1d40bbbd552e26945b4dc40f9cbd166bffebcceb142edc31845f855ac16560cef054a84901056ec85d719b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9270.exe

Filesize
14KB

MD5
d2b4d9cbf8329be32f931cedf4e73a59

SHA1
3d10b88669ed5c581b6e5a86f55438ef9ba90ffc

SHA256
1ca866011e6d9d3a4b047a9fcf9f2acecf414bd27f018107c68e457f8ba6f8a5

SHA512
be4781a9a48e18f4c2eb3bd02acae50bb579603b5406af1bab72695565ec228370683b69482ff78b89a47406a5cf2c9aa789eacbd493594603314a2a52a1ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME5AE.exe

Filesize
14KB

MD5
8cf9a9eb8a258019f537c13a899f3403

SHA1
8e083c84ecb4d25516b38539cf85fa9fc453841c

SHA256
b8c1d6c52b15057e495e53b50c9571998aab08d0e9d4c49e3d094c5a39ed56a0

SHA512
fa9e4fc09f2adc1f7009c9f23cb41e50aaeff704161ef623edae06b8b63ea5e9a45596d040a86aaf186c022b911c6a45375ecd1f253c9a52babcecf20a8e7bea

Download Submit
\Users\Admin\AppData\Local\Temp\DEME3CA.exe

Filesize
14KB

MD5
e2270c0499a44e4ac001d5923b4ff3af

SHA1
28d217adb0ba13ca840ccc2fa2fe02125e524302

SHA256
3a0cb06d02e4cbd7e61b7bb17f752bba6d6349b6f49fe17bd713ffd367c8bc08

SHA512
2a071550a87e484de9128d600488be81a02194beaf292786d109049a764ba0551c2437a8372c1c4bfec24c31ef0aef613c29e6f41f2230a32013af06eef96375

Download Submit

Analysis

Sharing