8ef8ff51c0c52d671d3efa5ad6e5ed9193febcd0e72f525cc5ca7b1efe38cc39

General

Target

43b77a10ad3d40ed96b6fe11aee72aaa_JaffaCakes118.exe
Size

14KB
MD5

43b77a10ad3d40ed96b6fe11aee72aaa
SHA1

ca3af1a45c1a2ef10c059d9a140174e90842d537
SHA256

8ef8ff51c0c52d671d3efa5ad6e5ed9193febcd0e72f525cc5ca7b1efe38cc39
SHA512

1b371191df9a6d1201adc976d012f7e4acf0e4cd3a7100b072d7fb4f558f0007dad50eb874127523bad6fcae3f159b9d46cd9be0cdb069a5e56b9cc2ed127155
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhni:hDXWipuE+K3/SSHgxg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2812	DEM6C5A.exe
608	DEMC1E8.exe
1928	DEM170A.exe
1824	DEM6C69.exe
296	DEMC17B.exe
2440	DEM1767.exe

Loads dropped DLL 6 IoCs

pid	Process
2844	43b77a10ad3d40ed96b6fe11aee72aaa_JaffaCakes118.exe
2812	DEM6C5A.exe
608	DEMC1E8.exe
1928	DEM170A.exe
1824	DEM6C69.exe
296	DEMC17B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43b77a10ad3d40ed96b6fe11aee72aaa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6C5A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC1E8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM170A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6C69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC17B.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2812	2844	43b77a10ad3d40ed96b6fe11aee72aaa_JaffaCakes118.exe	32
PID 2844 wrote to memory of 2812	2844	43b77a10ad3d40ed96b6fe11aee72aaa_JaffaCakes118.exe	32
PID 2844 wrote to memory of 2812	2844	43b77a10ad3d40ed96b6fe11aee72aaa_JaffaCakes118.exe	32
PID 2844 wrote to memory of 2812	2844	43b77a10ad3d40ed96b6fe11aee72aaa_JaffaCakes118.exe	32
PID 2812 wrote to memory of 608	2812	DEM6C5A.exe	35
PID 2812 wrote to memory of 608	2812	DEM6C5A.exe	35
PID 2812 wrote to memory of 608	2812	DEM6C5A.exe	35
PID 2812 wrote to memory of 608	2812	DEM6C5A.exe	35
PID 608 wrote to memory of 1928	608	DEMC1E8.exe	37
PID 608 wrote to memory of 1928	608	DEMC1E8.exe	37
PID 608 wrote to memory of 1928	608	DEMC1E8.exe	37
PID 608 wrote to memory of 1928	608	DEMC1E8.exe	37
PID 1928 wrote to memory of 1824	1928	DEM170A.exe	39
PID 1928 wrote to memory of 1824	1928	DEM170A.exe	39
PID 1928 wrote to memory of 1824	1928	DEM170A.exe	39
PID 1928 wrote to memory of 1824	1928	DEM170A.exe	39
PID 1824 wrote to memory of 296	1824	DEM6C69.exe	41
PID 1824 wrote to memory of 296	1824	DEM6C69.exe	41
PID 1824 wrote to memory of 296	1824	DEM6C69.exe	41
PID 1824 wrote to memory of 296	1824	DEM6C69.exe	41
PID 296 wrote to memory of 2440	296	DEMC17B.exe	43
PID 296 wrote to memory of 2440	296	DEMC17B.exe	43
PID 296 wrote to memory of 2440	296	DEMC17B.exe	43
PID 296 wrote to memory of 2440	296	DEMC17B.exe	43

C:\Users\Admin\AppData\Local\Temp\43b77a10ad3d40ed96b6fe11aee72aaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43b77a10ad3d40ed96b6fe11aee72aaa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\DEM6C5A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6C5A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\DEMC1E8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC1E8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Users\Admin\AppData\Local\Temp\DEM170A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM170A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\DEM6C69.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6C69.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Users\Admin\AppData\Local\Temp\DEMC17B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC17B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\DEM1767.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1767.exe"
        7⤵
        Executes dropped EXE
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6C5A.exe

Filesize
14KB

MD5
504712f0a4de543fd89145816aa0dd97

SHA1
c9142deb8a52089fa5cc573e740519ce86396001

SHA256
416aacb2b92892b58e2a0b9e94b2926b6ae2907fc44448ec2370ec47b4dba10a

SHA512
6408cdcf62b1b10c513e6a882588b202b4495ebf9126a4d8e20371c9ef2f2899b75f3e5d10c7ec119cf9447bcc36f57c1f33078dc48c66d256efea1f352e09cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1E8.exe

Filesize
14KB

MD5
8d57054ad889e11cec9332404af7e92f

SHA1
615a60012bec4529fc9f249ff3506de8d2d60b1d

SHA256
8cff5194b3cfe049f59a5fd27d4803e1380aef1d3ac88b3b1773d1f920b90c1f

SHA512
0bcc810eff267b91b7af1e0af6b5ae3a8dbf72f2d5afdfb714599158c04922f6f265785214ed039c1dd93808a7ffb83f5113edae8f9ee5133df4b8f4388efedf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM170A.exe

Filesize
14KB

MD5
d557ab2171411f053f9c0c6261ca2d02

SHA1
09bb2dd0d153e199153c8abd1fc4e2e1a9145ee6

SHA256
3c9c97fb8cc91e384fb19e5bd498b3337cf8f4d53363c534e13cb3ecc024a09c

SHA512
27fce77eb9c8aee9cd8017fe53bc47d26d96195f45685b2cf5a53a2505a216d0ca8d760256b45202b899bd2da90df74730bacf30af21c44c5677891b46f57650

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1767.exe

Filesize
14KB

MD5
e1ae96c2b3d5d0c7d80e9d7d483c4bac

SHA1
056bc3fd9e070af5add4130a58856d7986a7bfa6

SHA256
1547490fc16274e6a805da6d4b0ad82eea081af53f04310632a41f72efeef3de

SHA512
c617449ad032a2c4769255dab338e6975601e74e99c4a0bfb0de3781fef3dbd11099f1cce2b3f1e86611bc52da1ec0142f0a434ce306d88452d32ef488aff4e0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6C69.exe

Filesize
14KB

MD5
febb0d32d81103a539fb7f6155c6a11b

SHA1
c00d63c5b3b009663cbf162dabc19890e4dfc472

SHA256
c7e7419d520093c69c286ba2b5257579c3e61b49793d55f8e307bda67aae573c

SHA512
b357912a4b70342ea020f5f18af03d3293f4e356da26f21d3a49165d678ba5869da3145afea1064714128bd0256a673477add7784127e5f8b03cd34be578c72e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC17B.exe

Filesize
14KB

MD5
08eb95d174358e0848fc41ad249f3051

SHA1
1370d3dd6c052f0ff4c1924f76dc028386adc288

SHA256
e8fcf319e0cb6534da2e3e71b4d90361e14e64c99619a71d42c87b16e70e938b

SHA512
ea80602412ad588145bc3326baaa856230fbe5542c6d316d0eccefe911f5e15b6a279033e0516a36e838b26f49e9f22424f3b5dce2375f977aea9b7294485f6a

Download Submit

Analysis

Sharing