f72ab8b3237590b126f7626268b38a0cf62f22b753d3fb9f8570a0f9556752e7

General

Target

429135a546d210e86f29537d3e1d59de_JaffaCakes118.exe
Size

14KB
MD5

429135a546d210e86f29537d3e1d59de
SHA1

e58593d237e5eef344a209549d2094efb94904ce
SHA256

f72ab8b3237590b126f7626268b38a0cf62f22b753d3fb9f8570a0f9556752e7
SHA512

b5f5a8a12849fc496348b2080e2192170144ba9e980a2fee3b7886a9746b04dca3d76375a272438912d210caae5178ac7ae3ac681b8f9e00f70b416616b3c94b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/w6:hDXWipuE+K3/SSHgxm/V

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3024	DEMCF9E.exe
700	DEM252D.exe
2660	DEM7A4E.exe
2996	DEMCF9F.exe
1712	DEM24DF.exe
2484	DEM7A1F.exe

Loads dropped DLL 6 IoCs

pid	Process
2520	429135a546d210e86f29537d3e1d59de_JaffaCakes118.exe
3024	DEMCF9E.exe
700	DEM252D.exe
2660	DEM7A4E.exe
2996	DEMCF9F.exe
1712	DEM24DF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A4E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCF9F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM24DF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	429135a546d210e86f29537d3e1d59de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCF9E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM252D.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3024	2520	429135a546d210e86f29537d3e1d59de_JaffaCakes118.exe	32
PID 2520 wrote to memory of 3024	2520	429135a546d210e86f29537d3e1d59de_JaffaCakes118.exe	32
PID 2520 wrote to memory of 3024	2520	429135a546d210e86f29537d3e1d59de_JaffaCakes118.exe	32
PID 2520 wrote to memory of 3024	2520	429135a546d210e86f29537d3e1d59de_JaffaCakes118.exe	32
PID 3024 wrote to memory of 700	3024	DEMCF9E.exe	34
PID 3024 wrote to memory of 700	3024	DEMCF9E.exe	34
PID 3024 wrote to memory of 700	3024	DEMCF9E.exe	34
PID 3024 wrote to memory of 700	3024	DEMCF9E.exe	34
PID 700 wrote to memory of 2660	700	DEM252D.exe	36
PID 700 wrote to memory of 2660	700	DEM252D.exe	36
PID 700 wrote to memory of 2660	700	DEM252D.exe	36
PID 700 wrote to memory of 2660	700	DEM252D.exe	36
PID 2660 wrote to memory of 2996	2660	DEM7A4E.exe	38
PID 2660 wrote to memory of 2996	2660	DEM7A4E.exe	38
PID 2660 wrote to memory of 2996	2660	DEM7A4E.exe	38
PID 2660 wrote to memory of 2996	2660	DEM7A4E.exe	38
PID 2996 wrote to memory of 1712	2996	DEMCF9F.exe	40
PID 2996 wrote to memory of 1712	2996	DEMCF9F.exe	40
PID 2996 wrote to memory of 1712	2996	DEMCF9F.exe	40
PID 2996 wrote to memory of 1712	2996	DEMCF9F.exe	40
PID 1712 wrote to memory of 2484	1712	DEM24DF.exe	42
PID 1712 wrote to memory of 2484	1712	DEM24DF.exe	42
PID 1712 wrote to memory of 2484	1712	DEM24DF.exe	42
PID 1712 wrote to memory of 2484	1712	DEM24DF.exe	42

C:\Users\Admin\AppData\Local\Temp\429135a546d210e86f29537d3e1d59de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\429135a546d210e86f29537d3e1d59de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\DEMCF9E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCF9E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\DEM252D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM252D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Users\Admin\AppData\Local\Temp\DEM7A4E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7A4E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\DEMCF9F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCF9F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Users\Admin\AppData\Local\Temp\DEM24DF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM24DF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\DEM7A1F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A1F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM24DF.exe

Filesize
14KB

MD5
dffb6cc4b724aa22b762b6da8da67d84

SHA1
0e24dc03f70ee8e37164afc12ca22f3d4b7f0163

SHA256
2cf5a45fabec49f9e84baa340b0753d5c5c6ebe09a28cc685c06cbe9bc018868

SHA512
62b55a01174117845bca3fabb75876c9254168ccb25cbe57c4a4b62d2a6c5ef34debe426f5a9a0679a316a466d130c0bb8581e660fdb77ca2901db9b7e3657be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM252D.exe

Filesize
14KB

MD5
050098a7d2e694ec3e72f67abbc6cf30

SHA1
05003386ee8c9dbd8c365fe3888aa513fec0fad5

SHA256
075c6bff9acb766fd9368dd596eb834d2fcb4361239f122e0840a61eb7039b0b

SHA512
7de44cc8ca863705ea732352199c99d722814343360abe3cb04e95c4f16dcf7accb2987863be0d21a21414f6373f85b82430b458068afdce81338521a3e58061

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A1F.exe

Filesize
14KB

MD5
9952a02030b2d79aa5e8bcb849397818

SHA1
c8eddd5dc5f498e5268a621cb24e8e1d1f5c7248

SHA256
979431b6ef8e4852327af56122685300c02ce0d0254c82255914b475edc0f22b

SHA512
ea2e17ec596b1fe32572f249818d32714cf810ca2ab0cde2f374a9332499b306adecd5b3dcf85b3e0c17dc23a8171c78915cfa0344116a32fd9cbedfa3a386b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCF9F.exe

Filesize
14KB

MD5
63f21fdc0ec8b81c01d53e24231d7ffa

SHA1
9c1f672bdf2c8cc533453929e1fcc5bd050b32e1

SHA256
b45bc3407dd8ade3d363d6cc226a46679e0703b31571cc4410837346f5a420ec

SHA512
136e4555094ad162c2eec231dea05dadf6d15c9f99f6022d65dde434a8fde39f4baed0907e865de447b0858fe690f6597d5763132ad3a29c5ab0f1ecedd89e28

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7A4E.exe

Filesize
14KB

MD5
9b15523557bf304d96861d75bc2caff7

SHA1
0573087bba3f663eeb671f6eb3bf1be5cae3074c

SHA256
6eace402d4104265f4dda5da792891340246884c7ae9ec01d848bf1db6c91985

SHA512
aba5b57a753794321bca1dc715240d01a06fc58fe9b8f075bd4c5a72621d22bee55975c13a7bbdca06f8a7db6f05be59feb48a550e14a15aab97be465ec07188

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCF9E.exe

Filesize
14KB

MD5
bed4f67f979abe353cdd51ec9dfed7df

SHA1
b1a83859f2493db636ff1e602f1cfc04aa01bafd

SHA256
9d825f519229edbb610cd5428ed0d4dab6603eb50a5cccf3083f1c6450e36d9e

SHA512
c6d1650e41449568d91cdd9ba69d0795dc351816ca86ba96333ebf869d444f37e18fc3835f94954e5cf9c6c0c9fe95573a003fb11194eb0ef2bbb3acb5253524

Download Submit

Analysis

Sharing