Analysis
max time kernel:  133s
max time network: 147s
platform:         windows7_x64
resource:         win7-20241010-en
resource tags:    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted:        17-10-2024 21:14
Static task: static1
Behavioral task: behavioral1
  Sample:   53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample:   53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe
Size:   14KB
MD5:    53c458b4ed395f5b0d39bdc8834915b6
SHA1:   cbe66c2b4c92ca1cc80a74199d6d8da8fe481d40
SHA256: 5ebfae04ff09cc0126a86bce3c42e01bce6aca4dd87a63c9663a347e52ade99d
SHA512: 3aa09a1faeab3854ccc09c3cbebfdc70e1b9c613ccc8984ab0e2b462305af5e7c02c411b9da181b22717ba93286419510cc30ed8b8d07a96ab7087d83d5b2c46
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRa:hDXWipuE+K3/SSHgxO
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
  pid   Process
  3012  DEMDEDA.exe
  2680  DEM369A.exe
  2376  DEM8D42.exe
  1316  DEME447.exe
  324   DEM3ACF.exe
  2276  DEM90EA.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2100  53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe
  3012  DEMDEDA.exe
  2680  DEM369A.exe
  2376  DEM8D42.exe
  1316  DEME447.exe
  324   DEM3ACF.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEMDEDA.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEM369A.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEM8D42.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEME447.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEM3ACF.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  description                   pid   Process                                              procid_target
  PID 2100 wrote to memory of   3012  53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe   31
  PID 2100 wrote to memory of   3012  53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe   31
  PID 2100 wrote to memory of   3012  53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe   31
  PID 2100 wrote to memory of   3012  53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe   31
  PID 3012 wrote to memory of   2680  DEMDEDA.exe                                          33
  PID 3012 wrote to memory of   2680  DEMDEDA.exe                                          33
  PID 3012 wrote to memory of   2680  DEMDEDA.exe                                          33
  PID 3012 wrote to memory of   2680  DEMDEDA.exe                                          33
  PID 2680 wrote to memory of   2376  DEM369A.exe                                          35
  PID 2680 wrote to memory of   2376  DEM369A.exe                                          35
  PID 2680 wrote to memory of   2376  DEM369A.exe                                          35
  PID 2680 wrote to memory of   2376  DEM369A.exe                                          35
  PID 2376 wrote to memory of   1316  DEM8D42.exe                                          37
  PID 2376 wrote to memory of   1316  DEM8D42.exe                                          37
  PID 2376 wrote to memory of   1316  DEM8D42.exe                                          37
  PID 2376 wrote to memory of   1316  DEM8D42.exe                                          37
  PID 1316 wrote to memory of   324   DEME447.exe                                          39
  PID 1316 wrote to memory of   324   DEME447.exe                                          39
  PID 1316 wrote to memory of   324   DEME447.exe                                          39
  PID 1316 wrote to memory of   324   DEME447.exe                                          39
  PID 324 wrote to memory of    2276  DEM3ACF.exe                                          41
  PID 324 wrote to memory of    2276  DEM3ACF.exe                                          41
  PID 324 wrote to memory of    2276  DEM3ACF.exe                                          41
  PID 324 wrote to memory of    2276  DEM3ACF.exe                                          41
Processes (process tree; the leading number is the nesting depth, each entry is a child of the one above it)

1  C:\Users\Admin\AppData\Local\Temp\53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe"
   PID: 2100
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2  C:\Users\Admin\AppData\Local\Temp\DEMDEDA.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDEDA.exe"
     PID: 3012
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Users\Admin\AppData\Local\Temp\DEM369A.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEM369A.exe"
       PID: 2680
       - Executes dropped EXE
       - Loads dropped DLL
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4  C:\Users\Admin\AppData\Local\Temp\DEM8D42.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8D42.exe"
         PID: 2376
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5  C:\Users\Admin\AppData\Local\Temp\DEME447.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEME447.exe"
           PID: 1316
           - Executes dropped EXE
           - Loads dropped DLL
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

          6  C:\Users\Admin\AppData\Local\Temp\DEM3ACF.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEM3ACF.exe"
             PID: 324
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory

            7  C:\Users\Admin\AppData\Local\Temp\DEM90EA.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM90EA.exe"
               PID: 2276
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5:    c984827a7f8adc5f88fea4b2884e6f2d
SHA1:   36a132d2fdc9759b90012e4f3b0ef35e23b7df6c
SHA256: 9f011a3e655a40fc20a4fe0fbdf650ef89d78cd2a09e7a1fd669212198d01f1c
SHA512: 6ceb4cd1bbddf88fda018b5445a13531313c5b909d5000ded4625384facd14f92837849005b7ffbb499ef1cfbc3b42e3d172ce9cff8036d839b714a23743e212

Filesize: 14KB
MD5:    eeacb95b3f98829e55e9745b8273a96c
SHA1:   eb2306bafacc1012a86ca47a8834e7adb302a651
SHA256: 0b49a5cf7be1facd12f66ab47e8e15a4f28ae5060c430fdcba731c475cd5264b
SHA512: 8fb80f9d2ec3bcb84cd4ba040b47177751f9f1170d1eeb7053fbc13a5a6b771ec155f6dbce39662f5d2df64c8ece97d39203eb750406d49f89509200f85a7bad

Filesize: 14KB
MD5:    bf523761282ea93c0867b2d16111775f
SHA1:   04b630bb819398c200f956781e0f11a365eca8ea
SHA256: 0e69d4fb92a0864a9d89d40275bc2780e38fe6c87b4fef5f87cb29cda09b2139
SHA512: 6ebec18fba43252ccd49e373def401238c06c4af0980aed0508e92cd3d11f7c8e21ce6fc271ebcdacacf394817d08f8bf2a65c69b3de9c1557d22191d40092b8

Filesize: 14KB
MD5:    45efe3ff004f5a5f4522c8bcf0d0f118
SHA1:   d35faca5a2fde06c47deaead5efccb61f31aba3e
SHA256: e0a839dd84a9d5a7b661d5e72347d20660dbcc8c6302b0f8597184ac54944001
SHA512: c82f6558ad561ae74a71a5211542f3eae12c4242e1f8e2a837be31b33091b80c917293095a6cacc6503f5563e6f370d05bc4610ecaf025125b2f93f65e864349

Filesize: 14KB
MD5:    524f0d6ee572ddd90ac64046c0cdc9d7
SHA1:   aa8487e77201457b7b212862038f6599814c67c3
SHA256: c661a56118223a5a13fa9d7ec8492882c6f0fe5c0f3c7cff7a130b6645ab31c3
SHA512: 3643c999f877ff86a1f8b9059234d0fd4a8c159e24aff38e611f9faf2f9e2788d88bd9ad6500a2352e9057eac3b1d83022ecb865bd4d0a255426b2256500c492

Filesize: 14KB
MD5:    164243472db130578839b38b64279b4c
SHA1:   09697deeb318ebc76d5f718704726c04e14a3ced
SHA256: 2be7554ed02b8a35edbe201d985007670ee306660c61aad75b87ee87a05f0640
SHA512: 32b9a8ca214fccea0ded5f9b110069e61d0f81d3d79839d2e23229bfd5c34cda1dc7561486a5592ff761eccd4cc0076d696e2a0cab1d147e6967fa8bf5f9382f