a0eca9806476cb6001d3f394d3b8252e7347158e5877b99a5c1fc4c5570c3e6a

General

Target

436761d8954fd8bfe07b73c734ae3459_JaffaCakes118.exe
Size

14KB
MD5

436761d8954fd8bfe07b73c734ae3459
SHA1

c572522907347b4e1b6ba959cc13129639d7157b
SHA256

a0eca9806476cb6001d3f394d3b8252e7347158e5877b99a5c1fc4c5570c3e6a
SHA512

c10ec44108c4d386f911680af1ae9c12178e092a1b2c6aa92058a87bd5410d0fd3071c1501a34779418a2845124bb88e5fd5c3cca72291ea37d744d366334909
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRI:hDXWipuE+K3/SSHgxc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2964	DEMB606.exe
2888	DEMC02.exe
1744	DEM61DF.exe
2360	DEMB73E.exe
556	DEMCAE.exe
2096	DEM61EE.exe

Loads dropped DLL 6 IoCs

pid	Process
2428	436761d8954fd8bfe07b73c734ae3459_JaffaCakes118.exe
2964	DEMB606.exe
2888	DEMC02.exe
1744	DEM61DF.exe
2360	DEMB73E.exe
556	DEMCAE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436761d8954fd8bfe07b73c734ae3459_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB606.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM61DF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB73E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCAE.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2964	2428	436761d8954fd8bfe07b73c734ae3459_JaffaCakes118.exe	32
PID 2428 wrote to memory of 2964	2428	436761d8954fd8bfe07b73c734ae3459_JaffaCakes118.exe	32
PID 2428 wrote to memory of 2964	2428	436761d8954fd8bfe07b73c734ae3459_JaffaCakes118.exe	32
PID 2428 wrote to memory of 2964	2428	436761d8954fd8bfe07b73c734ae3459_JaffaCakes118.exe	32
PID 2964 wrote to memory of 2888	2964	DEMB606.exe	34
PID 2964 wrote to memory of 2888	2964	DEMB606.exe	34
PID 2964 wrote to memory of 2888	2964	DEMB606.exe	34
PID 2964 wrote to memory of 2888	2964	DEMB606.exe	34
PID 2888 wrote to memory of 1744	2888	DEMC02.exe	36
PID 2888 wrote to memory of 1744	2888	DEMC02.exe	36
PID 2888 wrote to memory of 1744	2888	DEMC02.exe	36
PID 2888 wrote to memory of 1744	2888	DEMC02.exe	36
PID 1744 wrote to memory of 2360	1744	DEM61DF.exe	38
PID 1744 wrote to memory of 2360	1744	DEM61DF.exe	38
PID 1744 wrote to memory of 2360	1744	DEM61DF.exe	38
PID 1744 wrote to memory of 2360	1744	DEM61DF.exe	38
PID 2360 wrote to memory of 556	2360	DEMB73E.exe	40
PID 2360 wrote to memory of 556	2360	DEMB73E.exe	40
PID 2360 wrote to memory of 556	2360	DEMB73E.exe	40
PID 2360 wrote to memory of 556	2360	DEMB73E.exe	40
PID 556 wrote to memory of 2096	556	DEMCAE.exe	42
PID 556 wrote to memory of 2096	556	DEMCAE.exe	42
PID 556 wrote to memory of 2096	556	DEMCAE.exe	42
PID 556 wrote to memory of 2096	556	DEMCAE.exe	42

C:\Users\Admin\AppData\Local\Temp\436761d8954fd8bfe07b73c734ae3459_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\436761d8954fd8bfe07b73c734ae3459_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\DEMB606.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB606.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\DEMC02.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC02.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\DEM61DF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM61DF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\DEMB73E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB73E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Users\Admin\AppData\Local\Temp\DEMCAE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCAE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\DEM61EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM61EE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM61DF.exe

Filesize
14KB

MD5
737903355347b6ca0c4340cfa4885c1b

SHA1
99c989c411206c38a94fdc8605ad8e2f46baf158

SHA256
b3259ad9158d58e10d4a814bcbdd94af849c25ca152d24c5dfa2a983253135b4

SHA512
c197930cba39909cdc1d179850263e092d9e225788831e48cf97ee38eceab4d27f5f8e3cf5576ca60b1a2527313c1cbe54691930faebaa0009b30e43deeed455

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB606.exe

Filesize
14KB

MD5
fee3925b059b8442e7a011840a84ff5d

SHA1
b85ee6a6ea4cedaa1e2957d8ec2834cff4372bb1

SHA256
fc855c36eb2b323e3f599689b86a9e39ac5239f5103685550bd038a4452c4e08

SHA512
56af2b05e3fe992c955e267c5cf3fd03d57dc29f616eb67eb0f9de832a8d994aa8a3d84de3f2bcd0b5db2a295b805a36970044c3b178b3afcf1a983541dfb82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC02.exe

Filesize
14KB

MD5
ab3fb9075ee5c870dd82fc0775f50c59

SHA1
6a11ba7dd25583f535c91e1f3a7e3d7480b33799

SHA256
881ea17a65cca705c71924bff2c938f17136b37f33c3699edb077c6e84c6ea56

SHA512
80dd3a08cee3a121b7f981742978f2ad0932aece62a9ec9845e50ed692cba31fbe5706af28b615f987c48dc53fd5a951ecfbb0f01f2d7add7e0348f482eb19a7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM61EE.exe

Filesize
14KB

MD5
17b4b990eaf075c440d006ca2abd71c5

SHA1
ad96367037e4dcb5b3c030757cc226d19473c001

SHA256
21488ed30739271fd834c3e2e5833cd512491a5dbb1c4461780d3e5cc976fc37

SHA512
c50a19325aadab8d1d947e2e23ae12134a3583f255429fb13ba033636882cd550d5097c5fc79a0fce93de9399f2c6a30b5cd7018ace8373579317fae49a28764

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB73E.exe

Filesize
14KB

MD5
b4c3bffd639b074c7a672b1816b12530

SHA1
0b778d6dfcedbef2daf4758db23341cb2528507a

SHA256
bcaf3f2019f3569df33d0e13caa13d33057cab70deb74fba7365594391379c9d

SHA512
6f89c644fa5c75a01ec430e7032fed4849ac43f260dde12da8c33af615e9c08f2a714606ecc9163eaa5b4e8d9439723c7a5fff2e217417def57f7d49a92856c2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCAE.exe

Filesize
14KB

MD5
df4899d08bc2d292284726ea8c31178a

SHA1
18d0fa5e4249ac40d95de2c6a68f8abcfbf4a387

SHA256
e8d7c573321088600cf34fe6a7cadec10f2a992fc1e362b7111a37495874e7ab

SHA512
0a9f36b9cec7ba469eec560fc1b4972e3642f8a9021ba52412b6c27031c6bbda3eaea7e0a1f4fd2381580819444f254bcdd77fcadeaa751ffc37c1c4a05287fb

Download Submit

Analysis

Sharing