254ea2fb1c31685e634a26c379a2742661901686f1a0fdf38fcfc8060d59cde6

General

Target

JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
Size

20KB
MD5

f9d1a277b59230d9739d5fedecb6ed8b
SHA1

b61d7caad9552eb9ace84c77c4fa1c6850cb6484
SHA256

254ea2fb1c31685e634a26c379a2742661901686f1a0fdf38fcfc8060d59cde6
SHA512

ff238e9980591b71e1abaa91b86914a6870a2da4a41c4d9dfe26ac63f66766532babaaf603c482abc73ac9da4f15d2741d4a1db0ad3f018470cf05c93ab868cb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PRSV:hDXWipuE+K3/SSHgxmHZPRy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2264	DEM8881.exe
1728	DEMDE6D.exe
2468	DEM339E.exe
1908	DEM891D.exe
1152	DEMDE1F.exe
2460	DEM336F.exe

Loads dropped DLL 6 IoCs

pid	Process
2788	JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
2264	DEM8881.exe
1728	DEMDE6D.exe
2468	DEM339E.exe
1908	DEM891D.exe
1152	DEMDE1F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE6D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM339E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM891D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE1F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8881.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2264	2788	JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe	32
PID 2788 wrote to memory of 2264	2788	JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe	32
PID 2788 wrote to memory of 2264	2788	JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe	32
PID 2788 wrote to memory of 2264	2788	JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe	32
PID 2264 wrote to memory of 1728	2264	DEM8881.exe	34
PID 2264 wrote to memory of 1728	2264	DEM8881.exe	34
PID 2264 wrote to memory of 1728	2264	DEM8881.exe	34
PID 2264 wrote to memory of 1728	2264	DEM8881.exe	34
PID 1728 wrote to memory of 2468	1728	DEMDE6D.exe	36
PID 1728 wrote to memory of 2468	1728	DEMDE6D.exe	36
PID 1728 wrote to memory of 2468	1728	DEMDE6D.exe	36
PID 1728 wrote to memory of 2468	1728	DEMDE6D.exe	36
PID 2468 wrote to memory of 1908	2468	DEM339E.exe	38
PID 2468 wrote to memory of 1908	2468	DEM339E.exe	38
PID 2468 wrote to memory of 1908	2468	DEM339E.exe	38
PID 2468 wrote to memory of 1908	2468	DEM339E.exe	38
PID 1908 wrote to memory of 1152	1908	DEM891D.exe	40
PID 1908 wrote to memory of 1152	1908	DEM891D.exe	40
PID 1908 wrote to memory of 1152	1908	DEM891D.exe	40
PID 1908 wrote to memory of 1152	1908	DEM891D.exe	40
PID 1152 wrote to memory of 2460	1152	DEMDE1F.exe	42
PID 1152 wrote to memory of 2460	1152	DEMDE1F.exe	42
PID 1152 wrote to memory of 2460	1152	DEMDE1F.exe	42
PID 1152 wrote to memory of 2460	1152	DEMDE1F.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\DEM8881.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8881.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\DEM339E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM339E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\DEM891D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM891D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\DEMDE1F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDE1F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\DEM336F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM336F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM891D.exe

Filesize
20KB

MD5
1264db6af317c56ad6c5a1b03b991b2e

SHA1
8c87ebbfaa6334d12579925b18328363e9728ba5

SHA256
8e49ad32b41997fdbb4220b148cf7d2a494bfe201af19d89d468bd2ffd91a2b1

SHA512
c57ac3d2e97f5890394e8eb04ac1b8793eac6b9b9e0eeb76edd9683f43c770b377ddc796ec7afdae602052105ec76da20004da347eaba0b98dc8dec2b23f9a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE1F.exe

Filesize
20KB

MD5
f7b3104b60c163669c8de324c3000b35

SHA1
392ad98d368a16669bfa9e2e89c8071ca07178c2

SHA256
6b6924d21c315f74fda058eef0f76a62f502debe86bbe7c0b6dd776d06b645e6

SHA512
063ef743ce61989268d7c0e3e2ebdbc0066f309f341a8fd1380d636df2e247d8732802a2dce85e54faf0e759f3cfea3b6ef69852a6676fdf002ca63bae356221

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe

Filesize
20KB

MD5
f0671f8b95f9a18cb977a4d365c2b689

SHA1
56f029585f36d5e26b4bd704306b3870a20749b7

SHA256
41d12293bed94e610cddeea808a7f7ac95b53b576071f290ba04ea0c580d5339

SHA512
0a7721a379928795eac26f69142bd3c4d755249986ae4b2f50118302aa98d2f5799ad8e1fbc31919db3ae4bfd7a966358596b781b1dbfbeb23ea3e2e84a2473b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM336F.exe

Filesize
20KB

MD5
a887ba0334b38d279d2363ced40c62b7

SHA1
54313d716bc3e3ce8a300a353caec9633bc2d7f7

SHA256
7cfcfbdd281eabe49f682be3b7a719d1ab44630bdcd2cb9be3fc0e2bd4e6d12b

SHA512
eed2955409161ae2ff4b6a7a83c388a8699b7a8022c8d64f308e2edc1f3bb44f1e02ee6d501f0fd483cb2ccd74aeaef3829faaa1248e6ce912b5ef77c64c7cc1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM339E.exe

Filesize
20KB

MD5
8432deb48a20f29373818c7e5d830b43

SHA1
7b408f6bd3a2a4b23dace171d58e4b80a6778932

SHA256
f836473733d71a20c88af22df5662c7cfb55132cadd3e72ad1876127922815c6

SHA512
26ee4823b3e4e69b785eb7f089470670c0248dce1835596f7f83189038390261157349184b8d24f3b1e2b545ce932dfe6835448f47b6e4f0c8101401534fbb59

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8881.exe

Filesize
20KB

MD5
6e5458590a4e3d89af38a4a463816fc6

SHA1
895a84bdb8b1cd60aeb11375e7ec1f6b665853b8

SHA256
7e2bbec656d91192b42f2a532e665c8ca675507b3efb2d4146cb87ec79d4674f

SHA512
d7a06fa1464f235a71b315568863879b92dccebad5b39e3133eec263852b736203396056de536acfe256febb2330022b29e0b8fd4deb45422ca6f14cfee7b025

Download Submit

Analysis

Sharing