d559f1fab9b764655802134093695ea64e0e6b2312f44a2a4313bff0cb537e25

General

Target

JaffaCakes118_f9df9e4debd65763912364666a964472.exe
Size

15KB
MD5

f9df9e4debd65763912364666a964472
SHA1

75069a5516019a2e9a354b2a5d2b6ae5a51cf9e9
SHA256

d559f1fab9b764655802134093695ea64e0e6b2312f44a2a4313bff0cb537e25
SHA512

2f88abad025a57526dded702728b299b548e93672c45b41902d70b8b2461e30c16bab2dae2efcd8a3059d2c36f73dc3f11bfc8d4ea6699e0d472f4aa422ffb30
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYuSJg:hDXWipuE+K3/SSHgxmTe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2940	DEM3A14.exe
1712	DEM8FA2.exe
3056	DEME5BD.exe
536	DEM3ABF.exe
1936	DEM8FD1.exe
2172	DEME512.exe

Loads dropped DLL 6 IoCs

pid	Process
2808	JaffaCakes118_f9df9e4debd65763912364666a964472.exe
2940	DEM3A14.exe
1712	DEM8FA2.exe
3056	DEME5BD.exe
536	DEM3ABF.exe
1936	DEM8FD1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8FA2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME5BD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3ABF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8FD1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9df9e4debd65763912364666a964472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3A14.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2940	2808	JaffaCakes118_f9df9e4debd65763912364666a964472.exe	31
PID 2808 wrote to memory of 2940	2808	JaffaCakes118_f9df9e4debd65763912364666a964472.exe	31
PID 2808 wrote to memory of 2940	2808	JaffaCakes118_f9df9e4debd65763912364666a964472.exe	31
PID 2808 wrote to memory of 2940	2808	JaffaCakes118_f9df9e4debd65763912364666a964472.exe	31
PID 2940 wrote to memory of 1712	2940	DEM3A14.exe	34
PID 2940 wrote to memory of 1712	2940	DEM3A14.exe	34
PID 2940 wrote to memory of 1712	2940	DEM3A14.exe	34
PID 2940 wrote to memory of 1712	2940	DEM3A14.exe	34
PID 1712 wrote to memory of 3056	1712	DEM8FA2.exe	36
PID 1712 wrote to memory of 3056	1712	DEM8FA2.exe	36
PID 1712 wrote to memory of 3056	1712	DEM8FA2.exe	36
PID 1712 wrote to memory of 3056	1712	DEM8FA2.exe	36
PID 3056 wrote to memory of 536	3056	DEME5BD.exe	38
PID 3056 wrote to memory of 536	3056	DEME5BD.exe	38
PID 3056 wrote to memory of 536	3056	DEME5BD.exe	38
PID 3056 wrote to memory of 536	3056	DEME5BD.exe	38
PID 536 wrote to memory of 1936	536	DEM3ABF.exe	40
PID 536 wrote to memory of 1936	536	DEM3ABF.exe	40
PID 536 wrote to memory of 1936	536	DEM3ABF.exe	40
PID 536 wrote to memory of 1936	536	DEM3ABF.exe	40
PID 1936 wrote to memory of 2172	1936	DEM8FD1.exe	42
PID 1936 wrote to memory of 2172	1936	DEM8FD1.exe	42
PID 1936 wrote to memory of 2172	1936	DEM8FD1.exe	42
PID 1936 wrote to memory of 2172	1936	DEM8FD1.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9df9e4debd65763912364666a964472.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9df9e4debd65763912364666a964472.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\DEM3A14.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3A14.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\DEM8FA2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8FA2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\DEME5BD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME5BD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\DEM3ABF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3ABF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Users\Admin\AppData\Local\Temp\DEM8FD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8FD1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\DEME512.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME512.exe"
        7⤵
        Executes dropped EXE
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3ABF.exe

Filesize
15KB

MD5
987065d9782402fadc8fa4bec1e98c91

SHA1
52f58f42a9162b1d4a5e1dd595a560610d0718c2

SHA256
92ab4c8b6bc8c9680565542efec9284ddd799fd5b8a22ebe42bc5dbca7f7073e

SHA512
ed6c399f60dffe2acd2fb93db7116a7d64f7e9e24ccc2452c4c7082f9e875ca848803feadac22b0d278d5c9a1e66ba832855fc5a5822c121701629533e954af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8FA2.exe

Filesize
15KB

MD5
6cb79c12011d3da6e1f00ebf466df8ca

SHA1
3f12fdb92dd8cdfa37f061eb6e2c761355151393

SHA256
e0b1e6dbf9b9f44220201b4e6bdc91a4ee4f3663fb69af3ce7002d61aff08836

SHA512
cdd082cc18d893e79401a947d253b8aacc9f8672d255ebb8a8b63ff2bd5cf1765e80303f8760c501e01816f02a07c6a6b14a0aa71d8c87b98a20dca23a8bb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME5BD.exe

Filesize
15KB

MD5
8d93b5c7be6c901167f066c2ccaaf466

SHA1
f967b823d2ac0fe0bdded5fce33fe2d3bf59537b

SHA256
d4ec9a9899d8b0e2d66e0855039c985741e71950ac0dc34c2369b3068ea2e1f7

SHA512
29eed378c95f22c1734631e20085806a6f5bbd1fe9d9c9cc4ce72c31572d4b676eeaa48cf625f6c8c56e951a9eb3bc151dfc90ece95c9c4f0a8d3980c79e2f7b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3A14.exe

Filesize
15KB

MD5
66ca1b1432a3f1a1fa1e9ce9725e527a

SHA1
02ea66296121de1df62a47534beb531c53d2fbd1

SHA256
8654a94273084ef011978442000285861a1d03e875da6b53ba1f8f4df7037cff

SHA512
9809f9fb6a25bc37fe302f1432b479e75b369bf46da3fddb775d4451661c064b3529e164f3adfd93b6b6a102e99435c291a2dff0af1c762b2606c7d54ca98e4e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8FD1.exe

Filesize
15KB

MD5
9a17eeb2043e0dd36a1792f08fa1314d

SHA1
3af5b7e90c3905ed13de8b0982cc92505e128ef5

SHA256
94cff266cdae8804d5043d957025b4fc768a17dd4a0bc4810cf80190acb09c40

SHA512
d074d6305beb23ba09f8ca0a3c4335963da40d3f9cbd862e75468d2b4550e9164c6449ba758fa2a994d39f31b4ce5276cd3aaaa5732eba0bbca5aabdb4d205a8

Download Submit
\Users\Admin\AppData\Local\Temp\DEME512.exe

Filesize
15KB

MD5
e92bc6e4bee17e747c38b46d67b03718

SHA1
f3972b9abe34c8fb2b00a7860c0350c967cb43b2

SHA256
0621399b78291d1095dd196d19115e98db72e91a3d6da10edc5d0d89e4a5d7b5

SHA512
ea259f29f0db64b1b45eea693178b9626853aba67b4d81c5b746c697c3743c90399fddb97a2d5bf0a5f1f4848e1826e4518d6f50611030f50f98a6a42b97cf9c

Download Submit

Analysis

Sharing