353a036422291c3f66067841dc3fbd0304d14f51a798302c5be7517739a57e72

General

Target

826db34308f805cfa5b765ce87a60d65_JaffaCakes118.exe
Size

14KB
MD5

826db34308f805cfa5b765ce87a60d65
SHA1

1290cad47c2ea38366fd07e66b3f3f96e18fe143
SHA256

353a036422291c3f66067841dc3fbd0304d14f51a798302c5be7517739a57e72
SHA512

e40811625f3f9ecb3a51c3b076fe0b244214af60349b8eddbfa2d4f22256e47a79da0cd9463e42a1abc9674bfa647b456e9c49a19f146117ebfa0371a838fd58
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyOQm:hDXWipuE+K3/SSHgxmyOQm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1948	DEM62F7.exe
1500	DEMB895.exe
2540	DEMEB0.exe
2864	DEM63F1.exe
1800	DEMB912.exe
1788	DEME34.exe

Loads dropped DLL 6 IoCs

pid	Process
2728	826db34308f805cfa5b765ce87a60d65_JaffaCakes118.exe
1948	DEM62F7.exe
1500	DEMB895.exe
2540	DEMEB0.exe
2864	DEM63F1.exe
1800	DEMB912.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	826db34308f805cfa5b765ce87a60d65_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM62F7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB895.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEB0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM63F1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB912.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1948	2728	826db34308f805cfa5b765ce87a60d65_JaffaCakes118.exe	31
PID 2728 wrote to memory of 1948	2728	826db34308f805cfa5b765ce87a60d65_JaffaCakes118.exe	31
PID 2728 wrote to memory of 1948	2728	826db34308f805cfa5b765ce87a60d65_JaffaCakes118.exe	31
PID 2728 wrote to memory of 1948	2728	826db34308f805cfa5b765ce87a60d65_JaffaCakes118.exe	31
PID 1948 wrote to memory of 1500	1948	DEM62F7.exe	34
PID 1948 wrote to memory of 1500	1948	DEM62F7.exe	34
PID 1948 wrote to memory of 1500	1948	DEM62F7.exe	34
PID 1948 wrote to memory of 1500	1948	DEM62F7.exe	34
PID 1500 wrote to memory of 2540	1500	DEMB895.exe	36
PID 1500 wrote to memory of 2540	1500	DEMB895.exe	36
PID 1500 wrote to memory of 2540	1500	DEMB895.exe	36
PID 1500 wrote to memory of 2540	1500	DEMB895.exe	36
PID 2540 wrote to memory of 2864	2540	DEMEB0.exe	38
PID 2540 wrote to memory of 2864	2540	DEMEB0.exe	38
PID 2540 wrote to memory of 2864	2540	DEMEB0.exe	38
PID 2540 wrote to memory of 2864	2540	DEMEB0.exe	38
PID 2864 wrote to memory of 1800	2864	DEM63F1.exe	40
PID 2864 wrote to memory of 1800	2864	DEM63F1.exe	40
PID 2864 wrote to memory of 1800	2864	DEM63F1.exe	40
PID 2864 wrote to memory of 1800	2864	DEM63F1.exe	40
PID 1800 wrote to memory of 1788	1800	DEMB912.exe	42
PID 1800 wrote to memory of 1788	1800	DEMB912.exe	42
PID 1800 wrote to memory of 1788	1800	DEMB912.exe	42
PID 1800 wrote to memory of 1788	1800	DEMB912.exe	42

C:\Users\Admin\AppData\Local\Temp\826db34308f805cfa5b765ce87a60d65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\826db34308f805cfa5b765ce87a60d65_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\DEM62F7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM62F7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\DEMB895.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB895.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\DEMEB0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEB0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\DEM63F1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM63F1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Users\Admin\AppData\Local\Temp\DEMB912.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB912.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\DEME34.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME34.exe"
        7⤵
        Executes dropped EXE
        
        PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM62F7.exe

Filesize
14KB

MD5
ab84cabc8aa519c975767577dd0f23eb

SHA1
c5c9beddb8b6899d297837f4689e4689457c88f9

SHA256
f86af8f219697366f313ac6a97e5207241e87af53cdae367cd607e4a370aff90

SHA512
cb2c30197044116ce8f606147c08a4c6e7770c6ea6ae8680b98eee752ad45ba7519387f5dcc44446ff94bc20e61817faa82d2402bcab1cc4ad99e8ac4fc3d2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB895.exe

Filesize
14KB

MD5
ce0c0ebebdfab5a0a19252fedacc8b6c

SHA1
1d9f94592371ee1dc9db8569d7b21b8e38deb39e

SHA256
4106068661366dd3c36f7f332267f108b5d6b0f34f8cc9941b24ec9aa99d002e

SHA512
74a5246f282b7e9ac9a207dd93fc64c0444172c528489d6b65de97bc29a798ada6c4893bec1635b035ff2a6887c080505c2d2aa1ce837e40f660a73706576d5a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM63F1.exe

Filesize
14KB

MD5
564a3f4009aff652734489414bdcfffd

SHA1
22a4514f5b1bb1fc7d730b096ccd1d950f7e13a6

SHA256
ec402b18d726e4bff1e65f0d572de1f34536d87196f17f31b1ac1f46c545f4e5

SHA512
e9c078ba649c05296f9a10e1c1a274054780aff0e5012ef69b969d2aaa391e889b923118e5763c0f14213ca28d5afb3e6fe587eca3f555d17311e72a32d38568

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB912.exe

Filesize
14KB

MD5
eabe415c52ad88d6e2aa5e0a9912b943

SHA1
beea2213077c7cba1a092253e773f00c6fcd1d31

SHA256
8f437727357ad8a05275a676201fe6f6778519b82629a6e5846d25eabd6e586d

SHA512
12e4e14cc51d6351518b1d1745ac0b23acf007bb42622797f1ddef5cd7b699b83c4d86ce3a1e22dd478111cb8f45b417936691dd6f7116429396ece2cd677b5a

Download Submit
\Users\Admin\AppData\Local\Temp\DEME34.exe

Filesize
14KB

MD5
a4674cb3577daec2141f6ba667e80bc1

SHA1
7f63741a07a82a79574ad6339661d2db81751e39

SHA256
ed169f9a417d3db5056ca683deb87886b11762ea7419d6492f07051b14802d1b

SHA512
ab255c1186e32fbf986e930cc6516e67f024d7a277b3f0a20a394895bd59cbfacce95b04ca45e667f993b86ba13b7cc657f8b004da37362a70317ffb1d706afa

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEB0.exe

Filesize
14KB

MD5
e118927817d9ed5e529cb04a7b170253

SHA1
d2a0ab53b203d043687e3a330ae2f033e80d5105

SHA256
0b1b3b66f6f0db29df5363ac2af476e6098534e037b8c957fac5ca24347d70de

SHA512
900e4dd5fc67363c842a9c29b38b0aa234dec3637e6bde18e19f9cbb9bc5f2d266881fe579b3a95ac968c0b8fffb86dd5cc562f7cd9bcb3ee2b377f968ad6e0f

Download Submit

Analysis

Sharing