f68879b1b17ece33516365893e7d10cc149e3ce2e93fcbbdc4a7c6c7fe7dd415

General

Target

JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe
Size

14KB
MD5

f9ec4ebf625e99b681fd01f794be27d0
SHA1

45cfbe707ae9a9035f47d82443607cd97e4897af
SHA256

f68879b1b17ece33516365893e7d10cc149e3ce2e93fcbbdc4a7c6c7fe7dd415
SHA512

81abda48d10e39cf8aa7e4cc46d4b57e15bf5843c1f5c505b2587ea64c0f63ab49c40924555525b76bb9fa2b29939d8c88c4f006a211b4519333ae9f7b46b850
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHuS:hDXWipuE+K3/SSHgx3NHHB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2900	DEM6420.exe
548	DEMB960.exe
1736	DEMEA1.exe
2656	DEM63A3.exe
2360	DEMB8B5.exe
1952	DEMDC6.exe

Loads dropped DLL 6 IoCs

pid	Process
2964	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe
2900	DEM6420.exe
548	DEMB960.exe
1736	DEMEA1.exe
2656	DEM63A3.exe
2360	DEMB8B5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEA1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM63A3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB8B5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6420.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB960.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2900	2964	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe	31
PID 2964 wrote to memory of 2900	2964	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe	31
PID 2964 wrote to memory of 2900	2964	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe	31
PID 2964 wrote to memory of 2900	2964	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe	31
PID 2900 wrote to memory of 548	2900	DEM6420.exe	34
PID 2900 wrote to memory of 548	2900	DEM6420.exe	34
PID 2900 wrote to memory of 548	2900	DEM6420.exe	34
PID 2900 wrote to memory of 548	2900	DEM6420.exe	34
PID 548 wrote to memory of 1736	548	DEMB960.exe	36
PID 548 wrote to memory of 1736	548	DEMB960.exe	36
PID 548 wrote to memory of 1736	548	DEMB960.exe	36
PID 548 wrote to memory of 1736	548	DEMB960.exe	36
PID 1736 wrote to memory of 2656	1736	DEMEA1.exe	38
PID 1736 wrote to memory of 2656	1736	DEMEA1.exe	38
PID 1736 wrote to memory of 2656	1736	DEMEA1.exe	38
PID 1736 wrote to memory of 2656	1736	DEMEA1.exe	38
PID 2656 wrote to memory of 2360	2656	DEM63A3.exe	40
PID 2656 wrote to memory of 2360	2656	DEM63A3.exe	40
PID 2656 wrote to memory of 2360	2656	DEM63A3.exe	40
PID 2656 wrote to memory of 2360	2656	DEM63A3.exe	40
PID 2360 wrote to memory of 1952	2360	DEMB8B5.exe	42
PID 2360 wrote to memory of 1952	2360	DEMB8B5.exe	42
PID 2360 wrote to memory of 1952	2360	DEMB8B5.exe	42
PID 2360 wrote to memory of 1952	2360	DEMB8B5.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\DEM6420.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6420.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\DEMB960.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB960.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\DEMEA1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEA1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\DEM63A3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM63A3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\DEMB8B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB8B5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\DEMDC6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC6.exe"
        7⤵
        Executes dropped EXE
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM63A3.exe

Filesize
14KB

MD5
1af4cae7c4234c0c2cebc838ba6c3ebb

SHA1
14290880052c730dc0541c76c6284f41f7475730

SHA256
774a8f335d22520ca568fb6b7fd5516796cd89761e809b30f7d088318b37a2db

SHA512
f6b1a0f17fd2732f427075d1e0f144c1f068d2a7fde139b390068faa96bce6fca7ed24fa6e0837765cb8442cf2c5300b3f2a5e8862d246d6b3b7c830f73cf78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB960.exe

Filesize
14KB

MD5
c251765cb1e31a8cd8eb62aaff04cac6

SHA1
84986afa19ff30087108e46496a997a38ef3e533

SHA256
62ef533f7d2075505e915ec5c3d1e72691fd43d04978a54ae5c58c5ddef6c43a

SHA512
f0a59d9aae66553d99d76bc0b3ff22b857f34a86bdc46885fde215210da571293ae66a440c30abead1d80f0058d43a3cbdd2a9c062d4071a1fb7e5a129491798

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC6.exe

Filesize
14KB

MD5
cd2a45322203bc4af50ea35392423f2b

SHA1
d621dafe71788c05de9272e1404dbb8776cb1de8

SHA256
b6964a418049dc1fd38fd96478dbb6fe1232c0678b586062ea64d2013dfddc85

SHA512
19717831aade5af4518ef22a8df473cf25530caddacc09c5bbf83e229f51d894322a337826df9628f674f1a3fe2ee46f08c6bdcc23b03cdc1f021983aac00ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEA1.exe

Filesize
14KB

MD5
a4733600d2ce116ce6c9cf7aa11d5d05

SHA1
4a5843c7fb7ee614d5dde962a12486ca64d10d90

SHA256
54216cbf431bebc1aedebcfcbccd554803f6709d937b9b484a1e781adef703f8

SHA512
8963c6ef6a4026c7d182b42c8500405bc086f0d1f6e6031290adcd0a2f4f0be154a8aae4d9b8a32bd5ac9e4ea5fc1ae7c2b366e3941b53fbcc9d6b1029789d7a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6420.exe

Filesize
14KB

MD5
927f93941f6838f85e21c6c7c6e953b7

SHA1
e244b2e8c950d6f4582599569665ae9b508e9147

SHA256
33024eefe2b51e374c7a00f4b5ada08e164ad44a97065810a7b8cab1afa42f06

SHA512
3fc382514d2912591a93dacdbb9785de1e892bca1fb431f7d269c6b017e89a3a09b49fb9b10e5ef9eba0278d69437199fa260a939c14d639f384ea7605b498e8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB8B5.exe

Filesize
14KB

MD5
9214ad93e8fe1c3f3c75cf9ca51b7c8d

SHA1
910f24c562967a1a917f65f1063309d469f886a3

SHA256
46f3ee4cb46fbefeedf1bd01b5ea01146346017e6930f8f9db586042c5b3fed9

SHA512
0042568e324c2306f4071a69cadc3726e69dca169542e0aa08611e1687bd77f0beee2516fff4a8eb91352aaaecd3149c24890a9eff410ebf8fcebb3d22e64501

Download Submit

Analysis

Sharing