6290d583c1b37bf5819406a8128a76ef284040b96aef789de4f3aab8818455e6

General

Target

JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe
Size

16KB
MD5

f9e0fd5dfff8c99764144f1d7ab15853
SHA1

921995bd52e980f264d773be02ec6fe667963a11
SHA256

6290d583c1b37bf5819406a8128a76ef284040b96aef789de4f3aab8818455e6
SHA512

4c7d0ff49323462f5419ca73583eb49b48dbfeecca0a4ec8823193ac85655b72876c66fec9c95fb39a066d044d124acea0fefbc804eb48384a6ffc46cd0fc31d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcn:hDXWipuE+K3/SSHgxmkn

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1372	DEM20CA.exe
2712	DEM7761.exe
2236	DEMCD2E.exe
2108	DEM22FB.exe
3040	DEM78E7.exe
2448	DEMCF7F.exe

Loads dropped DLL 6 IoCs

pid	Process
432	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe
1372	DEM20CA.exe
2712	DEM7761.exe
2236	DEMCD2E.exe
2108	DEM22FB.exe
3040	DEM78E7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD2E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM22FB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM20CA.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 1372	432	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe	30
PID 432 wrote to memory of 1372	432	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe	30
PID 432 wrote to memory of 1372	432	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe	30
PID 432 wrote to memory of 1372	432	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe	30
PID 1372 wrote to memory of 2712	1372	DEM20CA.exe	32
PID 1372 wrote to memory of 2712	1372	DEM20CA.exe	32
PID 1372 wrote to memory of 2712	1372	DEM20CA.exe	32
PID 1372 wrote to memory of 2712	1372	DEM20CA.exe	32
PID 2712 wrote to memory of 2236	2712	DEM7761.exe	34
PID 2712 wrote to memory of 2236	2712	DEM7761.exe	34
PID 2712 wrote to memory of 2236	2712	DEM7761.exe	34
PID 2712 wrote to memory of 2236	2712	DEM7761.exe	34
PID 2236 wrote to memory of 2108	2236	DEMCD2E.exe	36
PID 2236 wrote to memory of 2108	2236	DEMCD2E.exe	36
PID 2236 wrote to memory of 2108	2236	DEMCD2E.exe	36
PID 2236 wrote to memory of 2108	2236	DEMCD2E.exe	36
PID 2108 wrote to memory of 3040	2108	DEM22FB.exe	38
PID 2108 wrote to memory of 3040	2108	DEM22FB.exe	38
PID 2108 wrote to memory of 3040	2108	DEM22FB.exe	38
PID 2108 wrote to memory of 3040	2108	DEM22FB.exe	38
PID 3040 wrote to memory of 2448	3040	DEM78E7.exe	40
PID 3040 wrote to memory of 2448	3040	DEM78E7.exe	40
PID 3040 wrote to memory of 2448	3040	DEM78E7.exe	40
PID 3040 wrote to memory of 2448	3040	DEM78E7.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\DEM20CA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM20CA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\DEM7761.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7761.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\DEMCD2E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCD2E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\DEM22FB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM22FB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Users\Admin\AppData\Local\Temp\DEM78E7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM78E7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\DEMCF7F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCF7F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7761.exe

Filesize
16KB

MD5
ec1be5ed9dc73dbfc076b79605ad0f96

SHA1
6464da98896ce325792d6bb13a2b7fb132f01349

SHA256
cb5eeed714bdfd41188a2372006ec660f4045b30972a053a8bfb8ebd5b46ba69

SHA512
d34fca81391c7a7526ee1a25a10b720a70c9b5ad84bea5891bf320a7e0d7811b789c2eafa60f5eebe53151318d54c92d7f8a15c224300f029c89da61f6fe6659

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCF7F.exe

Filesize
16KB

MD5
357f99551cf27c53ce1c4a115003bc4d

SHA1
b274279c0bcac344f65691520ec4ee761ad9d52a

SHA256
eb24079483440eb0dc18dfdf2d3bdda783225cda61c47e103fca58ee6b1195af

SHA512
6c7afca31d228500abe8a71b04576e1fa694cf984c9357a13b28be6f2ac487e2d9a547523ed9491cbace1db81deb4e2c730b81e11f247880a5f1e89108f19454

Download Submit
\Users\Admin\AppData\Local\Temp\DEM20CA.exe

Filesize
16KB

MD5
9fc731ce7231b0beb1f545818686340c

SHA1
8212a9c94793c538f900464d308f40572e26d03c

SHA256
6f43fd594d899ae354d1fe285ad6f518e6630a760d73b49cad347ddd36b0b38f

SHA512
57e296a68df17ebdb457fedd031a74711ecd0f79958a55297cd7004d10117aa62bd40331efb03d58fc5f7e33b3494afa0cac007c9f44364fdf18c437028f7522

Download Submit
\Users\Admin\AppData\Local\Temp\DEM22FB.exe

Filesize
16KB

MD5
4c34024ad9b4c4681c6840189bdeaa90

SHA1
ab26eb45fc837cfc492e5a1d1da6e5ad16fed3c4

SHA256
31aaf6e1c48c338c6256499749bc9a67d07da515429d6dae9b60edad7aa9f9fb

SHA512
036061260caaa15bb92228c2cdf113ff8ff4b08df49b4610c9340c17e3b87d05df0bf2f4cd34e569bb8c42d3fd91c268720c6d0d4613c4e034b5a174b64ef007

Download Submit
\Users\Admin\AppData\Local\Temp\DEM78E7.exe

Filesize
16KB

MD5
b8a7a3cdb6b2eb246e7f29e60dc2fa7b

SHA1
7cffdd2448898e1f85fb83405e5696c93332f9ae

SHA256
3447056ecd2019452f719726d747cc27927c13344fa0bdbcacc4992b9e886b01

SHA512
3f26e0742dd8954675b585e9688b808982593237465b371945809460035cb0cf2535db4b963fa942204706dfa15b3f16f04f691f50909f16aed18987d866f710

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCD2E.exe

Filesize
16KB

MD5
a5e600bd051d6746d3a5e1a80d4bbc6d

SHA1
ffdabf78d8d0278486482e0a2eeaa66fee7d7cd2

SHA256
18cf95f155f6b2f691667836fb2ac6986def6cfb90b6c7f9fb8164b58841079c

SHA512
afc350b9ab5922cc9c277643ffb94a63f977915977337d9a3595ea833ef97eefe149428746192c4888b03a3a95c856e945d1974477ded23727e6aa74897a6cca

Download Submit

Analysis

Sharing