a74b228fa2ee0f7ef1fe0eb26770b926a72c5618d86f5f8766f086e6333a877b

General

Target

JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe
Size

16KB
MD5

f9cf2715d4e9834207635d8660629a6d
SHA1

2d36db52fe1dabba65fbf0d66c64d57b0cd83c22
SHA256

a74b228fa2ee0f7ef1fe0eb26770b926a72c5618d86f5f8766f086e6333a877b
SHA512

ab5b48bea89aa3176042d3db43d2a09d03fd3fb769ed1659288e1cdb13f0f6ce44009f49a0ba394a031cd1df16de589a412ee4585ca3248461dc33410ce69f03
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYZEGU:hDXWipuE+K3/SSHgxmZU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2400	DEMEB58.exe
2576	DEM4125.exe
2976	DEM9666.exe
1240	DEMEB78.exe
1912	DEM407A.exe
1940	DEM9675.exe

Loads dropped DLL 6 IoCs

pid	Process
2628	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe
2400	DEMEB58.exe
2576	DEM4125.exe
2976	DEM9666.exe
1240	DEMEB78.exe
1912	DEM407A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM407A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEB58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9666.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEB78.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2400	2628	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe	31
PID 2628 wrote to memory of 2400	2628	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe	31
PID 2628 wrote to memory of 2400	2628	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe	31
PID 2628 wrote to memory of 2400	2628	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe	31
PID 2400 wrote to memory of 2576	2400	DEMEB58.exe	33
PID 2400 wrote to memory of 2576	2400	DEMEB58.exe	33
PID 2400 wrote to memory of 2576	2400	DEMEB58.exe	33
PID 2400 wrote to memory of 2576	2400	DEMEB58.exe	33
PID 2576 wrote to memory of 2976	2576	DEM4125.exe	35
PID 2576 wrote to memory of 2976	2576	DEM4125.exe	35
PID 2576 wrote to memory of 2976	2576	DEM4125.exe	35
PID 2576 wrote to memory of 2976	2576	DEM4125.exe	35
PID 2976 wrote to memory of 1240	2976	DEM9666.exe	38
PID 2976 wrote to memory of 1240	2976	DEM9666.exe	38
PID 2976 wrote to memory of 1240	2976	DEM9666.exe	38
PID 2976 wrote to memory of 1240	2976	DEM9666.exe	38
PID 1240 wrote to memory of 1912	1240	DEMEB78.exe	40
PID 1240 wrote to memory of 1912	1240	DEMEB78.exe	40
PID 1240 wrote to memory of 1912	1240	DEMEB78.exe	40
PID 1240 wrote to memory of 1912	1240	DEMEB78.exe	40
PID 1912 wrote to memory of 1940	1912	DEM407A.exe	42
PID 1912 wrote to memory of 1940	1912	DEM407A.exe	42
PID 1912 wrote to memory of 1940	1912	DEM407A.exe	42
PID 1912 wrote to memory of 1940	1912	DEM407A.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\DEMEB58.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEB58.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\DEM4125.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4125.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\DEM9666.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9666.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\DEMEB78.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEB78.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Users\Admin\AppData\Local\Temp\DEM407A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM407A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\DEM9675.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9675.exe"
        7⤵
        Executes dropped EXE
        
        PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4125.exe

Filesize
16KB

MD5
673dfada4a6d9572ef70a83434d6b91f

SHA1
d07c8d5ad96efc9aae601056ee918211d90f39d7

SHA256
b3bf92ab108f2e8ea6a9ea217666931316386cf87f75e0ad142c594d3d6f55a0

SHA512
3f77808e07b107602c1d9daebc60f9a9bc3e313900ebe31db85c9976b1f3237b8f67c907807e1caffd103a5b3c4ded8dd631c6a4ca6927a4c66f69ec58dab4ab

Download Submit
\Users\Admin\AppData\Local\Temp\DEM407A.exe

Filesize
16KB

MD5
b69775ca6490caf7e65b95a01a4bc49b

SHA1
eda8f610c2acc41322c9190bf9e4b9d5192909d9

SHA256
6ed6ef0ad8efca4bd1cbc38fea6cd08374af989df76397dd068ff2217f725ced

SHA512
6bb3592bf41a3fb53efc3fc01327803765c9da4a39eed1148a0c1d0505cff630da60d7b035bb2f9ec29a397bbe387011e79b6d9dadc9e5fd85197dcb7a0117cd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9666.exe

Filesize
16KB

MD5
027736bff1c876b73402cc437fc19581

SHA1
a6e391f8a8a81d03dc73f3e231f0aa4d98111685

SHA256
fc276cc66caac48a5d8421cdab1a6fe7f93763f3bf9f3032141e6f5d289d6f52

SHA512
6387b9abe90e091d5b6db9f770e9c8dca580bc1b8e4246befb4a82ff57131c7794ff2818f3eaae5f4a2287893b14d452f196e2c89f4dc7b8ccd4db47cce3cf9c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9675.exe

Filesize
16KB

MD5
1f5ee280e5444b6d35b330a80abb95a2

SHA1
9d4f8352c552e89cf99cf9aa1047f5a8206ff407

SHA256
febc3dfdfbcc43b6239aa680818daefd0b26f8f1d958f25f7273df89574148b0

SHA512
ba98bfd5f9200e3c68f264d8ff7cfa2d55099adf7114a88142a25a62b072c4e6ff0399c76f79256c72a4e3440ddfa197aa65d069acd2a00cf44c06d99fc1a55c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEB58.exe

Filesize
16KB

MD5
424b84a2950bdf02da547ca5517b632e

SHA1
860dc9099688ac5c0d67363f19bf0ab4f1835348

SHA256
1a4ef5d781b8fbeccdf18daff08b76f60cf9ed3104912885af6ea34a9ae80156

SHA512
a5dbfd53c501dc23cb21a1b61fdb312f8a0c1c8df0fe17bdc6e8f30312b6e80fb1abee842f5414e6a3ec99ffbc69de830f870f644c8ce999b007dfee060dc8c1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEB78.exe

Filesize
16KB

MD5
5ed2d6b2e405a44c9419262b5d7e4fa1

SHA1
acb9ed2959e0696936fff0779c537d9d6ac8913b

SHA256
e649130764e5f0ebb1ae74cf8388ffb526bd8d8c6b8affd054b35535f627efc4

SHA512
8088586892e95ba8e1c224368b400afead74249eab2b3ed09f14415195bbd271f59055a9a806b30e8fe9ca9f28c60fd9c2e39d2946db602cf463b04884dccf57

Download Submit

Analysis

Sharing