3d615a756c1bff2d17fc837ad0a7147466b0d8b96986dc3c8f7c16df76e6e59c

General

Target

JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe
Size

15KB
MD5

f9e4724d8c0420ca64d7f092dc48c2b7
SHA1

12ccb6299b339b7db145b991627a985ecd5b15b8
SHA256

3d615a756c1bff2d17fc837ad0a7147466b0d8b96986dc3c8f7c16df76e6e59c
SHA512

145fc7ebb4d367563c0f0a772bc04d3063d114a1fa4249f8ca2ead8aaf7e944fe6043f8c347da7d951ac1859eb64bc39acaaab9c2cc731bc2bfc418e1b4b3527
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJd8Z:hDXWipuE+K3/SSHgxh8Z

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2704	DEM9F2C.exe
2956	DEMF44E.exe
2036	DEM49BD.exe
808	DEM9F3C.exe
1544	DEMF4DA.exe
1720	DEM4AA7.exe

Loads dropped DLL 6 IoCs

pid	Process
1260	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe
2704	DEM9F2C.exe
2956	DEMF44E.exe
2036	DEM49BD.exe
808	DEM9F3C.exe
1544	DEMF4DA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9F2C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF44E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM49BD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9F3C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF4DA.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2704	1260	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe	32
PID 1260 wrote to memory of 2704	1260	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe	32
PID 1260 wrote to memory of 2704	1260	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe	32
PID 1260 wrote to memory of 2704	1260	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe	32
PID 2704 wrote to memory of 2956	2704	DEM9F2C.exe	34
PID 2704 wrote to memory of 2956	2704	DEM9F2C.exe	34
PID 2704 wrote to memory of 2956	2704	DEM9F2C.exe	34
PID 2704 wrote to memory of 2956	2704	DEM9F2C.exe	34
PID 2956 wrote to memory of 2036	2956	DEMF44E.exe	36
PID 2956 wrote to memory of 2036	2956	DEMF44E.exe	36
PID 2956 wrote to memory of 2036	2956	DEMF44E.exe	36
PID 2956 wrote to memory of 2036	2956	DEMF44E.exe	36
PID 2036 wrote to memory of 808	2036	DEM49BD.exe	38
PID 2036 wrote to memory of 808	2036	DEM49BD.exe	38
PID 2036 wrote to memory of 808	2036	DEM49BD.exe	38
PID 2036 wrote to memory of 808	2036	DEM49BD.exe	38
PID 808 wrote to memory of 1544	808	DEM9F3C.exe	40
PID 808 wrote to memory of 1544	808	DEM9F3C.exe	40
PID 808 wrote to memory of 1544	808	DEM9F3C.exe	40
PID 808 wrote to memory of 1544	808	DEM9F3C.exe	40
PID 1544 wrote to memory of 1720	1544	DEMF4DA.exe	42
PID 1544 wrote to memory of 1720	1544	DEMF4DA.exe	42
PID 1544 wrote to memory of 1720	1544	DEMF4DA.exe	42
PID 1544 wrote to memory of 1720	1544	DEMF4DA.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\DEM9F2C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9F2C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\DEMF44E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF44E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\DEM49BD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM49BD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Users\Admin\AppData\Local\Temp\DEM9F3C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9F3C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
      - C:\Users\Admin\AppData\Local\Temp\DEMF4DA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF4DA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\DEM4AA7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4AA7.exe"
        7⤵
        Executes dropped EXE
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9F2C.exe

Filesize
15KB

MD5
b6d6402b8243335ed2240f84c1e53f60

SHA1
6bfbca4e25c66b669f03896339b2c81394389fa9

SHA256
d8f47491509ea27e6d909c1408cc335e348a9db2d032fcf0ce7d854bf275d45e

SHA512
6e37bc17cb2e84cf41072798519f261ce68f33101876b76f3f6cfb8da7418c922ae5dde48212200158fe621b9d3e75f9448a39df5dc68d821a356d1a9980e655

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF44E.exe

Filesize
15KB

MD5
d2038ae11d5aed307eb53ad27accb9c2

SHA1
7dc0c4e949754a3f49d1893ab4b88eebfe3b4f90

SHA256
4a9ec266bc3cbb85b07d7ba64d3613550d30f8e0893c3d1be7a7f54dba369419

SHA512
c60e725c61ceeacba26a9d3538b48364f351bc84bdb145e8bb8df960fb9b0d96c99ad971c0f41d1815549019ff4f2cf4097cbeeaf5f6932543b3d4be8c25efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF4DA.exe

Filesize
15KB

MD5
29ae6468b725339b0e42255f2afb3554

SHA1
586ce898d5d25ad3541393724dd8bdbcda53713e

SHA256
9f94dc1c3ab1d1aa3be3db6aef7adf10d0d88ec786d0e6fe420460896f1278c1

SHA512
52574c779ca2b2cdc5573c42488610874fe87694ea50401e12ae4231471d54808598c929ed6c999887e9ee75f4c1ecbd42faf935951f8899c15cad9af2c55068

Download Submit
\Users\Admin\AppData\Local\Temp\DEM49BD.exe

Filesize
15KB

MD5
2dd2a23437f5e380f5ce988b4de1fe69

SHA1
a924b347305e097795db4375c62037ff2e629c97

SHA256
79c39e9366b2bce8e2f7fb3cad031240c5ef1fed5904b6b0aa54a2ab365d3cde

SHA512
988eeef75f4ad9aea08e1ec7ef91b103f764e4b4e1e4ce3931888f29c87cfa15683af41e227f8396fa5c8839336f7a64934d682a95729fef2c8551c87ace7d17

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4AA7.exe

Filesize
15KB

MD5
5f8619950e811b2561b52fb40140698d

SHA1
1dda58d09e839c1daa5fd550ac7e4c61f37c9b62

SHA256
7fefde9fca874f8e48d74bb1786fa48219e1ba26e63fe63db29330c0564ee611

SHA512
20ca7d271aba7d3efc385b75c2357adeab3782479fee7fddfb9df12f9bff4c387c064731706778106969f2431e09b83bdc7d70c180c898bc92a5e6e58f247b1d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9F3C.exe

Filesize
15KB

MD5
6e3c3949dfbda468cfe4454632797185

SHA1
7c27e6e3eeaec65cc56ac63ed8a030389c559794

SHA256
bb3360c8c02969527be39a2c5f7d316a3b10a4e2a1eeecb6cece9d86c3948240

SHA512
95d3713f8d3479ceac2848c051a248c01b64157f55246c910d9cf4925be8febeea4000e1ee1d969a10c32a25c9c90b688340a5f55d6019a5b7e04e9290b37743

Download Submit

Analysis

Sharing