c461e1dfd818913f2ecd92901515c2d84e8f1a6309513d3194eea25e212ad54b

General

Target

41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe
Size

15KB
MD5

41892fa9ef59157dd6d19f03bcf9608b
SHA1

1dc833d8c9cfda67e1c05ae484f42ac575dc5fce
SHA256

c461e1dfd818913f2ecd92901515c2d84e8f1a6309513d3194eea25e212ad54b
SHA512

728093b9db16bfb6ec1f836c4bcb87bf98144410fc2c35d3e14074ff31aefeb800ae092a625d5d7aabecd8589608dae40424d47320cc691ccf1ef82e3593a20d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8a:hDXWipuE+K3/SSHgxm8a

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2784	DEME8E8.exe
2616	DEM3E58.exe
2032	DEM93F6.exe
1636	DEME965.exe
1936	DEM3EA6.exe
2184	DEM93F7.exe

Loads dropped DLL 6 IoCs

pid	Process
2636	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe
2784	DEME8E8.exe
2616	DEM3E58.exe
2032	DEM93F6.exe
1636	DEME965.exe
1936	DEM3EA6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME965.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3EA6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME8E8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3E58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM93F6.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2784	2636	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2784	2636	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2784	2636	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2784	2636	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2616	2784	DEME8E8.exe	34
PID 2784 wrote to memory of 2616	2784	DEME8E8.exe	34
PID 2784 wrote to memory of 2616	2784	DEME8E8.exe	34
PID 2784 wrote to memory of 2616	2784	DEME8E8.exe	34
PID 2616 wrote to memory of 2032	2616	DEM3E58.exe	36
PID 2616 wrote to memory of 2032	2616	DEM3E58.exe	36
PID 2616 wrote to memory of 2032	2616	DEM3E58.exe	36
PID 2616 wrote to memory of 2032	2616	DEM3E58.exe	36
PID 2032 wrote to memory of 1636	2032	DEM93F6.exe	39
PID 2032 wrote to memory of 1636	2032	DEM93F6.exe	39
PID 2032 wrote to memory of 1636	2032	DEM93F6.exe	39
PID 2032 wrote to memory of 1636	2032	DEM93F6.exe	39
PID 1636 wrote to memory of 1936	1636	DEME965.exe	41
PID 1636 wrote to memory of 1936	1636	DEME965.exe	41
PID 1636 wrote to memory of 1936	1636	DEME965.exe	41
PID 1636 wrote to memory of 1936	1636	DEME965.exe	41
PID 1936 wrote to memory of 2184	1936	DEM3EA6.exe	43
PID 1936 wrote to memory of 2184	1936	DEM3EA6.exe	43
PID 1936 wrote to memory of 2184	1936	DEM3EA6.exe	43
PID 1936 wrote to memory of 2184	1936	DEM3EA6.exe	43

C:\Users\Admin\AppData\Local\Temp\41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\DEME8E8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME8E8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\DEM3E58.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3E58.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\DEM93F6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM93F6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Users\Admin\AppData\Local\Temp\DEME965.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME965.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\DEM3EA6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3EA6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\DEM93F7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM93F7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3E58.exe

Filesize
15KB

MD5
05434e2ee75e3a79db733affeeebf917

SHA1
b4742590e30912a42609eb0926148c7c7e92194f

SHA256
f36ba6598072c9385ac9cfbb0a7d2328e1a8a8280cba58d0b7b71a41651953dd

SHA512
efc3ae846c795a567fd9d5cb7cf88ea7d1bb55e29ffe4557480cc2e38e03f9d5660e34eb26e6a56a8cc978ebd2d00253c6ecda341731a0ecbdb3888fd3b539d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3EA6.exe

Filesize
15KB

MD5
a7489d283389503adb57d075b9df8937

SHA1
e84175f5490aff225268f77adbb044cfb7cfd602

SHA256
26cf7856bf2e4e2d919a2717d90ec4983251e7f1202ed23413495fad3c74c236

SHA512
a2399181c750e514730b40c13faaff8b493ca26fd8f87a34afdebc7f6b803f97da6d5f18f3dfad0ea041ec8e7514d4baa87ea05a129d0bfd298e41ff345b482f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM93F6.exe

Filesize
15KB

MD5
a0d661c202736e4ab2c01bf3ef27d49d

SHA1
a65b3c509492b442c9ce3143e027a184da30a857

SHA256
368d62991196a6cc6c87ede4a6ec48287996bd362c5fa32e69c9dd72e3980241

SHA512
658d4836489c5de41d1ff63cee4c7327c132ae0ecf73ca86fc1acadbb1818974b32d74d65f1447c4e2da442a033f1f2f45eb34037e64301cc3c669409d6f785e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM93F7.exe

Filesize
15KB

MD5
0f490ee64c4d55b0a47458d59a49f060

SHA1
9833b85ef9fd70973248ad5d80c3d1da2b7bd9ab

SHA256
0ae2c6b317d33c968fe3b50e614fd608e1e469da73108918aeebba684b8225b9

SHA512
7e5401e7c6b0d304e276ad99bd53a6f7aadf5c653778cb2c624b76b8d8c8e86e9b83d329deda0b82b1daa7d1d64fd56cceb1c3c3ac606a6fff621ed787096070

Download Submit
\Users\Admin\AppData\Local\Temp\DEME8E8.exe

Filesize
15KB

MD5
d566da256cae8bc887844d873c6f28fc

SHA1
a57d39882e13abbe300a91c6caabc47ecf592f87

SHA256
a7cda06827adb78ee26f0e4570d483a50d22d8368f8e1c9f9ceec7dfb83007b6

SHA512
95a353e56406cfc6bb5da7172df5d3ba6571aa4cbd6fb6e9da1a65341d514007546053edb1654d715541a3f0749254a76e84cb365efc5d9ffe1ed74a8e755552

Download Submit
\Users\Admin\AppData\Local\Temp\DEME965.exe

Filesize
15KB

MD5
8211ce81ff670a594a5d659272a21159

SHA1
efdef0115330827ab0cdf33c4831d3b566cb3163

SHA256
3dc98d59cba0c5d7d248baf6cd7a7644f4c59039317a035dee43300c25df246e

SHA512
62d972d71a2a3bfb1e4a26008ef8bc6de68ecfbd6eb74fcc31a232bca20c47ed5e4cb6cb22d5b24242a8c177bc7c3c6a6ec9625a4da7ef6e1a8972574e678f82

Download Submit

Analysis

Sharing