adfc2b34fa603d40ec7b692c2bba35449ec1a7af955ea79a8460b8e543ef4388

General

Target

JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe
Size

15KB
MD5

f9d2634a8a19bb3ad99f339577eff0ee
SHA1

e1015e531dbedee6c3a136abc446bf71bf0def9a
SHA256

adfc2b34fa603d40ec7b692c2bba35449ec1a7af955ea79a8460b8e543ef4388
SHA512

e2177744c13e17ba2f31c5b79a386711f8425843d27d69354fcc8c0e54017f18a6e4017d67fb9d159dce4f6358bec5b54c41d3a9d8862e1fe44e145f0087a750
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0mWDK:hDXWipuE+K3/SSHgxm0JDK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2816	DEM622C.exe
1500	DEMB79C.exe
2064	DEMCEC.exe
836	DEM628A.exe
1148	DEMB7AB.exe
2440	DEMD59.exe

Loads dropped DLL 6 IoCs

pid	Process
2720	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe
2816	DEM622C.exe
1500	DEMB79C.exe
2064	DEMCEC.exe
836	DEM628A.exe
1148	DEMB7AB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM622C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB79C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCEC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM628A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB7AB.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2816	2720	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe	31
PID 2720 wrote to memory of 2816	2720	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe	31
PID 2720 wrote to memory of 2816	2720	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe	31
PID 2720 wrote to memory of 2816	2720	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe	31
PID 2816 wrote to memory of 1500	2816	DEM622C.exe	34
PID 2816 wrote to memory of 1500	2816	DEM622C.exe	34
PID 2816 wrote to memory of 1500	2816	DEM622C.exe	34
PID 2816 wrote to memory of 1500	2816	DEM622C.exe	34
PID 1500 wrote to memory of 2064	1500	DEMB79C.exe	36
PID 1500 wrote to memory of 2064	1500	DEMB79C.exe	36
PID 1500 wrote to memory of 2064	1500	DEMB79C.exe	36
PID 1500 wrote to memory of 2064	1500	DEMB79C.exe	36
PID 2064 wrote to memory of 836	2064	DEMCEC.exe	38
PID 2064 wrote to memory of 836	2064	DEMCEC.exe	38
PID 2064 wrote to memory of 836	2064	DEMCEC.exe	38
PID 2064 wrote to memory of 836	2064	DEMCEC.exe	38
PID 836 wrote to memory of 1148	836	DEM628A.exe	40
PID 836 wrote to memory of 1148	836	DEM628A.exe	40
PID 836 wrote to memory of 1148	836	DEM628A.exe	40
PID 836 wrote to memory of 1148	836	DEM628A.exe	40
PID 1148 wrote to memory of 2440	1148	DEMB7AB.exe	42
PID 1148 wrote to memory of 2440	1148	DEMB7AB.exe	42
PID 1148 wrote to memory of 2440	1148	DEMB7AB.exe	42
PID 1148 wrote to memory of 2440	1148	DEMB7AB.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\DEM622C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM622C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\DEMB79C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB79C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\DEMCEC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCEC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\DEM628A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM628A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Users\Admin\AppData\Local\Temp\DEMB7AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB7AB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\DEMD59.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD59.exe"
        7⤵
        Executes dropped EXE
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM622C.exe

Filesize
15KB

MD5
fc44bcffc346068682ad23f8f9aa21e2

SHA1
b0f32b7c62d83cebedd56b6eb7b6d276826f45b1

SHA256
7ed37cfcfb5f4e920c30a0b98652b33a458606247266ad53ddec0440773da36e

SHA512
0e8a2593255fb42c3aeb42ce1c15648f68fb25f322db4ffcc4d3d51d710280b2ae464581e29673e592988064d1458b5293fd3728c67671dcc40105a0763e4081

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM628A.exe

Filesize
15KB

MD5
b613d16a828185485926e385ae7069b0

SHA1
a7d321bcb9857bcf1f1a6a605df0e83cf6664394

SHA256
63df0486555e4cb2750f47560f5bdfe37b6c4a730ac97bd8aa0bf4188619b379

SHA512
7a7109cff4ebf86d592d0f7b263dac8d0f04fad9d0d978e6dd80babd08e80c81f8ab127e79816c428b0aeef134209228bd7ca0a6f6f993b895ccb19554715193

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB79C.exe

Filesize
15KB

MD5
2743583646f91863675a58c5900c940e

SHA1
0ac0371bd108c67fb9cde117f5293e383f4789c6

SHA256
c1ad76bbd580f596d22599380802a9f1d941afd909a229faa7659fb5b8152c74

SHA512
159c72e8c5a36c08b8f01db4b57e60d1191abcf875458729978478464ccdcca2882628d1d69c5fa7888ad79e8c188be7e1bd73fc2bb83bf4faa59b89e5471204

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB7AB.exe

Filesize
15KB

MD5
05a222162b8452bc04e077a179f38f19

SHA1
0f2e8a8679c4ea6e1130bb4609813cee27f7b169

SHA256
59c17059d02c42a0681e087852af9ee0cd3943221598efb006b313bbc599c33a

SHA512
d5531925b7a8a60b0e10da19e2da98b4c7c41a601253f8361b1e8bd5d2942102449bf4c1f3aa992c8e80ccb5c1acb42c28e7e14e49757da064d968bcebab7261

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCEC.exe

Filesize
15KB

MD5
39076cbf5c2d3b5d61838786642e9983

SHA1
301ac0f255cf8a0e82b82b387cf8f76926002a42

SHA256
3bafd3bb62ba55b07b43fcdcb2693c272792deba69fa8f2de0f7d9facb9aed67

SHA512
60d73b4b1b8b9f98a16f7922096fed6e8484a2fc7bc8bd89842c3be55f72928904a274fea5a78003b20fc019db5861d9e86698ae819e3c8117c13ad540acab4e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD59.exe

Filesize
15KB

MD5
881736d17be131f53cc426ba9d8b6ea0

SHA1
032d6917ead0aa23ec7c05e97d51211f2ec1711a

SHA256
ff7a38dd5b9d8f6a0fd932cc811a9157c40e0addb6f8d0f44dd64ccf33400878

SHA512
5aa294a679d2d930d290b126e907102977d31e26fe2b802db8aa1d1975c33d21195c9b5519c68ff65c9bbe79a4f37e75ec5eaa89285c7947e9372083556f850c

Download Submit

Analysis

Sharing