b6bb49bb3c1b9e017f052212cb3cf50c10dc029599c4bddc2f980aa4efc9b524

General

Target

44062c3d33db1887856cbb53a17a2ae0_JaffaCakes118.exe
Size

15KB
MD5

44062c3d33db1887856cbb53a17a2ae0
SHA1

dcc3bbba041cb642278592293e80b35e716e5fb9
SHA256

b6bb49bb3c1b9e017f052212cb3cf50c10dc029599c4bddc2f980aa4efc9b524
SHA512

64936ce323128ea6be50dd41350e75ba3cc16b8f17a0d653abfa2ef7d2f763141bfb0b4add2720949d67c8e12edcb80a22641e83b60247fab55bb997e1ba8d21
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+Lud:hDXWipuE+K3/SSHgxmHBd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2916	DEM4412.exe
2688	DEM99B0.exe
1076	DEMEFAC.exe
2920	DEM45C7.exe
672	DEM9C7E.exe
2072	DEMF3B2.exe

Loads dropped DLL 6 IoCs

pid	Process
2496	44062c3d33db1887856cbb53a17a2ae0_JaffaCakes118.exe
2916	DEM4412.exe
2688	DEM99B0.exe
1076	DEMEFAC.exe
2920	DEM45C7.exe
672	DEM9C7E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9C7E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44062c3d33db1887856cbb53a17a2ae0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4412.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM99B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEFAC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM45C7.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2916	2496	44062c3d33db1887856cbb53a17a2ae0_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2916	2496	44062c3d33db1887856cbb53a17a2ae0_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2916	2496	44062c3d33db1887856cbb53a17a2ae0_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2916	2496	44062c3d33db1887856cbb53a17a2ae0_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2688	2916	DEM4412.exe	33
PID 2916 wrote to memory of 2688	2916	DEM4412.exe	33
PID 2916 wrote to memory of 2688	2916	DEM4412.exe	33
PID 2916 wrote to memory of 2688	2916	DEM4412.exe	33
PID 2688 wrote to memory of 1076	2688	DEM99B0.exe	36
PID 2688 wrote to memory of 1076	2688	DEM99B0.exe	36
PID 2688 wrote to memory of 1076	2688	DEM99B0.exe	36
PID 2688 wrote to memory of 1076	2688	DEM99B0.exe	36
PID 1076 wrote to memory of 2920	1076	DEMEFAC.exe	38
PID 1076 wrote to memory of 2920	1076	DEMEFAC.exe	38
PID 1076 wrote to memory of 2920	1076	DEMEFAC.exe	38
PID 1076 wrote to memory of 2920	1076	DEMEFAC.exe	38
PID 2920 wrote to memory of 672	2920	DEM45C7.exe	40
PID 2920 wrote to memory of 672	2920	DEM45C7.exe	40
PID 2920 wrote to memory of 672	2920	DEM45C7.exe	40
PID 2920 wrote to memory of 672	2920	DEM45C7.exe	40
PID 672 wrote to memory of 2072	672	DEM9C7E.exe	42
PID 672 wrote to memory of 2072	672	DEM9C7E.exe	42
PID 672 wrote to memory of 2072	672	DEM9C7E.exe	42
PID 672 wrote to memory of 2072	672	DEM9C7E.exe	42

C:\Users\Admin\AppData\Local\Temp\44062c3d33db1887856cbb53a17a2ae0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44062c3d33db1887856cbb53a17a2ae0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\DEM4412.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4412.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\DEM99B0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM99B0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\DEMEFAC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEFAC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\DEM45C7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM45C7.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\DEMF3B2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF3B2.exe"
        7⤵
        Executes dropped EXE
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4412.exe

Filesize
15KB

MD5
ad35a0352c8c2c1a0d23fa3e2484d74b

SHA1
30801d479f368f3ed22b6f3ba5baf1fd36bad261

SHA256
0c60a88b1e0e06124e687f8a795bc38917cd9d8b8f94dac7177f92ff62e44871

SHA512
01bee43e754fd0bb83210b514959cf6674e79fce6ac4a53453cfbe42419b81f0110b289a62af24afd45216917d43d56b57dcc2052042f3ce6f287d742c9ce991

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM99B0.exe

Filesize
15KB

MD5
785ce2ba7b807028ff90625473ddb21d

SHA1
ebf5db515673ecdc12b2ef906983f6a73b7e7931

SHA256
4b5b4e82c687efc4f2a6b49f64a0b361d3bc4d8854f011a2d0c9fa1879c82104

SHA512
1192c278f6d1e9e29bc5d8337213609bc96805461b4b3a5f64acce0ab08baaa1eaaa6694df85f26425582590adc1e5ab6f6df7ce670dd5ac63feb0534fad2a90

Download Submit
\Users\Admin\AppData\Local\Temp\DEM45C7.exe

Filesize
15KB

MD5
53bd45aaf7c742fb8aa94b79a3d5295b

SHA1
033427f2767e8e62f2bdff62df621a2bd4dff42e

SHA256
468e0aa27a963e9b10d4a480f235f597e899ab9d3118ae280150f04da94422ec

SHA512
7aa8827651211e9d879c3334bcb3b3afbf14aadf628bc33dcd9ad3160614f1982db9c582a57406e1fc4e735d11df3647e25726863d500062eb2391818ef3e933

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9C7E.exe

Filesize
15KB

MD5
ecbdadc6a7060693f1fa630aa3d46926

SHA1
8c418f69e7b5add44c9b615a2e2ea91dc8d7064a

SHA256
4083ec635b1b4b5f609e733a7a0a60700fc6ff20f46d73ab0591dbb00867ff06

SHA512
48d041a316cf9ef6ff353223e4d312cde6e34aa9f5c347adcf8e4574935966be3a6aa35429f601a047cb874aea50ab46ea02c8377da4b907bfbedb10c06c3a78

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEFAC.exe

Filesize
15KB

MD5
d27a7a8365d012e8b9933630e93fe7da

SHA1
1313bb538b2444a595225db042580415594de720

SHA256
7febc1238ccfc439542b41a84ebcc3c1d921fdfedd43aed58780211f86b6a6c3

SHA512
41e858d7a025236b40b735e7879664e54ea33bcc91dda6d852927de5fe382aff2904078133615eee25667da5ece43de95a64172c15b3a26128de408d3a2f54b4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF3B2.exe

Filesize
15KB

MD5
ad9f0ac2b8faf68d5726dad526ed39ef

SHA1
dc3a910ac1cc4a92aaef1737b3dd325334780a17

SHA256
4740fddd652d20d9f43b10519c03539a7cdbdafe606a1c24317c8f7ee14f6346

SHA512
b6e1bf78c13f60c7cd58b2419b393aee740ac73c11b7b09f5009d9ea20c9aea15ba1c26951994eb6a02c3d5fcd2ad3b414d8ed4857c0eef1eb69bde65cf5df5e

Download Submit

Analysis

Sharing