eac81d1cd5b67eb31b73b1835a3a0f19e5465a3371d39a361aa5d2f95e78f635

General

Target

JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
Size

14KB
MD5

f9f7c996d9d37bf4ff3a2a12ef235fa4
SHA1

6bde65981ad37dede323033d29bfc15cabbefac5
SHA256

eac81d1cd5b67eb31b73b1835a3a0f19e5465a3371d39a361aa5d2f95e78f635
SHA512

f419f5a5660f8853a9f231f2b9026ca83b3559c26faf1fc979f7766bb83b7507e5c241df6bacd81e41f7ba83574fc3cda9a0c3d12d8b3507f775906efd9487a7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhX:hDXWipuE+K3/SSHgxx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2668	DEM6142.exe
1512	DEMB693.exe
2604	DEMBD3.exe
336	DEM6114.exe
1152	DEMB635.exe
2240	DEMB47.exe

Loads dropped DLL 6 IoCs

pid	Process
3008	JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
2668	DEM6142.exe
1512	DEMB693.exe
2604	DEMBD3.exe
336	DEM6114.exe
1152	DEMB635.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6142.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB693.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6114.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB635.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2668	3008	JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe	31
PID 3008 wrote to memory of 2668	3008	JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe	31
PID 3008 wrote to memory of 2668	3008	JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe	31
PID 3008 wrote to memory of 2668	3008	JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe	31
PID 2668 wrote to memory of 1512	2668	DEM6142.exe	34
PID 2668 wrote to memory of 1512	2668	DEM6142.exe	34
PID 2668 wrote to memory of 1512	2668	DEM6142.exe	34
PID 2668 wrote to memory of 1512	2668	DEM6142.exe	34
PID 1512 wrote to memory of 2604	1512	DEMB693.exe	36
PID 1512 wrote to memory of 2604	1512	DEMB693.exe	36
PID 1512 wrote to memory of 2604	1512	DEMB693.exe	36
PID 1512 wrote to memory of 2604	1512	DEMB693.exe	36
PID 2604 wrote to memory of 336	2604	DEMBD3.exe	38
PID 2604 wrote to memory of 336	2604	DEMBD3.exe	38
PID 2604 wrote to memory of 336	2604	DEMBD3.exe	38
PID 2604 wrote to memory of 336	2604	DEMBD3.exe	38
PID 336 wrote to memory of 1152	336	DEM6114.exe	40
PID 336 wrote to memory of 1152	336	DEM6114.exe	40
PID 336 wrote to memory of 1152	336	DEM6114.exe	40
PID 336 wrote to memory of 1152	336	DEM6114.exe	40
PID 1152 wrote to memory of 2240	1152	DEMB635.exe	42
PID 1152 wrote to memory of 2240	1152	DEMB635.exe	42
PID 1152 wrote to memory of 2240	1152	DEMB635.exe	42
PID 1152 wrote to memory of 2240	1152	DEMB635.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\DEM6142.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6142.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\DEMB693.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB693.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\DEMBD3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBD3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\DEM6114.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6114.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Users\Admin\AppData\Local\Temp\DEMB635.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB635.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\DEMB47.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB47.exe"
        7⤵
        Executes dropped EXE
        
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB47.exe

Filesize
14KB

MD5
5acf8ebc200a2a1f01bab693c995581e

SHA1
64233f3288a89be135e6616d13815589f7785d67

SHA256
e992f4c998d198fd3c3b4c04a81267267091768898957f700ec4936afd5871d1

SHA512
606457b577a151e31af7304899c4c7f1b880a82802605364c03535f753252acd90ad8fbf73e5f35dcae6dfdeac0b3671a90a5ad8d52d99daec67979bd9774386

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB635.exe

Filesize
14KB

MD5
59ecc85e6c6c0dbf6e3a6e978df5e763

SHA1
8eb111e89e1c319b4a73f5965d79dfed5e0748f8

SHA256
8d322ddcddc55ebd711d19d310e9baa14045f93a090cf8234c501dd92658b989

SHA512
3ecf919812fd88c8b4282bf99f5867eaaec6a8ce90507ba507e2e7f42ac16e8d2bcb162125c51cab16901d129b7004b0ba20b8894f81ed3502bb2a1341af4567

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB693.exe

Filesize
14KB

MD5
adada66b26fc31536f17cc2a112b9c5d

SHA1
cec4c69f12a256f65e99200ee958b9216cb7fb64

SHA256
2833a9e26a302a8d62ec7d51d9f01c098f90c59dc58b5f4a6e29d7da4fe7ba12

SHA512
22cf91549a55b38fe312f8f62b52dbd52258b6f0b31ae6b2ea5bb11a2ddc4da4d2bc368393069d9b87dfb236d92d485c506568c610e9ae3e45487036a7eed07d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6114.exe

Filesize
14KB

MD5
f7811e086d174776c9613dbd8efa18de

SHA1
46f723137164e59555ed0a0060224f60b40cbb91

SHA256
0b3cb9da1d532e601299e01032736c8ee470e9968e7c849ff8e908f655097962

SHA512
0a6e55d47fcd9e10b5fef336e1f99485c450fa193e26541d4f4470abd7b03cfa8873a68706ba34cff17d0f596a1e09eb0894b2d4afbae391f90d51c8772bd3e4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6142.exe

Filesize
14KB

MD5
7826f3688a4dbe78c0235723386806a9

SHA1
85d2f1eb7491624818d5978fc778934cd4e58f80

SHA256
7c71a75c7d61c973e98e8475a483148006e3e24d153c26455ac902426ed297cc

SHA512
83372617cf2cb427d3b1540f2676e84960caa995d867129af5a0aaf3b30c24682649f9e295232ded587dbdd1816517bf6ee8ae6c9bd4958da99a50997de42476

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD3.exe

Filesize
14KB

MD5
63dd45df35d73a6ff0fffa568dd042fa

SHA1
f007085a7d05d72d24f53d9d755b67d3c013872f

SHA256
d83b865781fc04902b9895654ea64bc86a46eaf310352dd2a905221caa27d18c

SHA512
bd746884882d79516c870664a0be1db29777aa0a639cb6558fafb13b973b36351dfb8c403b4dafe9f7fd9d9eb57465ea1737fd73748b940ed2f082ec213cf095

Download Submit

Analysis

Sharing