ac1f4f128ad130f141e12d109b3e3d9394982611630987818bc19b5a0a2ce7fd

General

Target

561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
Size

14KB
MD5

561d055cc6c0da0756a01748ce967058
SHA1

8303f42074385c1a54302b4a785c90953b7250cc
SHA256

ac1f4f128ad130f141e12d109b3e3d9394982611630987818bc19b5a0a2ce7fd
SHA512

44e3b821fb1005865036b3f9d1c418c6c016ec09fde394c725706ce7d96fbe3625190177eae784561198a772c05821a31ec7f34f6be059a3d112481e4e98ead1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4bCl:hDXWipuE+K3/SSHgxm0O

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2228	DEMD153.exe
2704	DEM26E2.exe
2360	DEM7C41.exe
2392	DEMD192.exe
2800	DEM27BC.exe
1108	DEM7D0C.exe

Loads dropped DLL 6 IoCs

pid	Process
2668	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
2228	DEMD153.exe
2704	DEM26E2.exe
2360	DEM7C41.exe
2392	DEMD192.exe
2800	DEM27BC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD153.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM26E2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7C41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD192.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM27BC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2228	2668	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2228	2668	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2228	2668	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2228	2668	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe	32
PID 2228 wrote to memory of 2704	2228	DEMD153.exe	34
PID 2228 wrote to memory of 2704	2228	DEMD153.exe	34
PID 2228 wrote to memory of 2704	2228	DEMD153.exe	34
PID 2228 wrote to memory of 2704	2228	DEMD153.exe	34
PID 2704 wrote to memory of 2360	2704	DEM26E2.exe	36
PID 2704 wrote to memory of 2360	2704	DEM26E2.exe	36
PID 2704 wrote to memory of 2360	2704	DEM26E2.exe	36
PID 2704 wrote to memory of 2360	2704	DEM26E2.exe	36
PID 2360 wrote to memory of 2392	2360	DEM7C41.exe	38
PID 2360 wrote to memory of 2392	2360	DEM7C41.exe	38
PID 2360 wrote to memory of 2392	2360	DEM7C41.exe	38
PID 2360 wrote to memory of 2392	2360	DEM7C41.exe	38
PID 2392 wrote to memory of 2800	2392	DEMD192.exe	41
PID 2392 wrote to memory of 2800	2392	DEMD192.exe	41
PID 2392 wrote to memory of 2800	2392	DEMD192.exe	41
PID 2392 wrote to memory of 2800	2392	DEMD192.exe	41
PID 2800 wrote to memory of 1108	2800	DEM27BC.exe	43
PID 2800 wrote to memory of 1108	2800	DEM27BC.exe	43
PID 2800 wrote to memory of 1108	2800	DEM27BC.exe	43
PID 2800 wrote to memory of 1108	2800	DEM27BC.exe	43

C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\DEMD153.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD153.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\DEM7C41.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7C41.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\DEMD192.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD192.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\DEM27BC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM27BC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\DEM7D0C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7D0C.exe"
        7⤵
        Executes dropped EXE
        
        PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe

Filesize
14KB

MD5
3fd6bd3ec8d4904e66ab1c8ba77ed9bc

SHA1
7904197d24e28ea985770aa072aaf4bbcdace6b6

SHA256
b0c2050798487c4eea58ca8f1cb85dd2a850c048ce10c8b4e24d663a876f8225

SHA512
52842b858f9c30feea15d54b133d0560e519e0538ff3fee49ed452d7db7d55e1f5928194fd1a1d5b473d56cc710660e728b7209cd06ee5b11632853aa8a6b3b2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM27BC.exe

Filesize
14KB

MD5
dd0257a7aaf7a5a75cb641cb18001c88

SHA1
06878e142c4e2a4cc52c99c3fee1b35b7272491e

SHA256
308c9a3d3145da31d60b5abc12f44c7c779a8fe3599fa0b3eaee78507492e9e5

SHA512
516098074fb33b7e2b1595186d46bc32a3db07d575ae5128dfe0700c7421e38539c9c0227d2dd5557cfc0452da4842d81b9ce371e085fdbace4a0ff2fc5a266f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7C41.exe

Filesize
14KB

MD5
9ad3309626246b803ebe262c2b0c5745

SHA1
0572f26a0bab70a3235b1bdfa89c1bde5b0e8d50

SHA256
b9b8563dfcfba0fd2469cdcd44a3502bb298ea475dd8f29d64bda404fe7dea91

SHA512
54f12fe4edf6a7b7b6f5fc518d86939817a986e2e6da1ee93a17c02fb0a03c78afe3b8d6c8964641e8e874689a4449f07a93f983198afaf4da49c1341aeb6084

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7D0C.exe

Filesize
15KB

MD5
2cb976e0b7735a51fc6591a8b3b2159f

SHA1
6d9f4d90d57c2aa57aea4bbb64a505f4b6569cb9

SHA256
7790d8858628cfd38b4a1e82827a6ed53eab2639dc3ab532b4e9ff8e948f1ea8

SHA512
0a02704af4f1f5acced325e89643a52d9d4288098e243a6994d30b14fbcd79ee91417e9d365788c77d0a4a2299a5df3558057734c666d0fa0bf266b27ec91aae

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD153.exe

Filesize
14KB

MD5
b32f95d1003b545f196357fd14386cc0

SHA1
54a82112f4fcc9765a5ac6fa8fa9da991115f62c

SHA256
c42cf979856a12eab782a2cae87d51aa433598d86caf90ba2c3c2036683b9c9d

SHA512
93bf75d68a47a50edfde822505cd36582d7ff6f5b915b78180076fa621128b56b971dba19f8aa5eea4f73b2c07f74770246d1e8bf156ec67245243d7db43034d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD192.exe

Filesize
14KB

MD5
8543c45e3eaf2928127dc359252d60ff

SHA1
2405d2b14235fe7b5d875f660c49512958741644

SHA256
973bc6d04c4487aa7d1e6d668f7aa0f5731be6e87bc82363ebd79097b44410c2

SHA512
ccee4fc69fde55aafad6a7aaf31c7b59702f319c74b88f520a1de87feaf83bf63fa4cf681a8dd10aa489aaadd33ca4b7cd0787925de44e51763b6a9f538f8b4e

Download Submit

Analysis

Sharing