ac7699a7ff7ef0ea4473ce4dd6391ed175be53e3c5e884a94ffd51788a008538

General

Target

JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
Size

16KB
MD5

f9fde476b15ad9fe7da9a629f280ae8c
SHA1

1e06abb6ceceef9fee6170b0590114979e4c1f2c
SHA256

ac7699a7ff7ef0ea4473ce4dd6391ed175be53e3c5e884a94ffd51788a008538
SHA512

df3256bd480ac979ab11d150e9ef28fbce3d82b82492bead078bea7e5bbd9ff4383d2dfcd5b78bccd64c9e41764ff0d3045402a67e5b2cabee4a9b11d896aebe
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Fi:hDXWipuE+K3/SSHgxm0Q

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2696	DEM5E46.exe
2500	DEMB403.exe
2184	DEMBC4.exe
2860	DEM621D.exe
428	DEMB912.exe
2620	DEMF2D.exe

Loads dropped DLL 6 IoCs

pid	Process
2804	JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
2696	DEM5E46.exe
2500	DEMB403.exe
2184	DEMBC4.exe
2860	DEM621D.exe
428	DEMB912.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5E46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB403.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBC4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM621D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB912.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2696	2804	JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe	31
PID 2804 wrote to memory of 2696	2804	JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe	31
PID 2804 wrote to memory of 2696	2804	JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe	31
PID 2804 wrote to memory of 2696	2804	JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe	31
PID 2696 wrote to memory of 2500	2696	DEM5E46.exe	33
PID 2696 wrote to memory of 2500	2696	DEM5E46.exe	33
PID 2696 wrote to memory of 2500	2696	DEM5E46.exe	33
PID 2696 wrote to memory of 2500	2696	DEM5E46.exe	33
PID 2500 wrote to memory of 2184	2500	DEMB403.exe	36
PID 2500 wrote to memory of 2184	2500	DEMB403.exe	36
PID 2500 wrote to memory of 2184	2500	DEMB403.exe	36
PID 2500 wrote to memory of 2184	2500	DEMB403.exe	36
PID 2184 wrote to memory of 2860	2184	DEMBC4.exe	38
PID 2184 wrote to memory of 2860	2184	DEMBC4.exe	38
PID 2184 wrote to memory of 2860	2184	DEMBC4.exe	38
PID 2184 wrote to memory of 2860	2184	DEMBC4.exe	38
PID 2860 wrote to memory of 428	2860	DEM621D.exe	40
PID 2860 wrote to memory of 428	2860	DEM621D.exe	40
PID 2860 wrote to memory of 428	2860	DEM621D.exe	40
PID 2860 wrote to memory of 428	2860	DEM621D.exe	40
PID 428 wrote to memory of 2620	428	DEMB912.exe	42
PID 428 wrote to memory of 2620	428	DEMB912.exe	42
PID 428 wrote to memory of 2620	428	DEMB912.exe	42
PID 428 wrote to memory of 2620	428	DEMB912.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\DEM5E46.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5E46.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\DEMB403.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB403.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Users\Admin\AppData\Local\Temp\DEM621D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM621D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Users\Admin\AppData\Local\Temp\DEMB912.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB912.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\DEMF2D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF2D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB403.exe

Filesize
16KB

MD5
037adf4b6cc48064230c6f891b6f9c19

SHA1
865b9955fe4c83eb75779400c95c9e770d526a98

SHA256
1d6ed390305f7666455cfc43ff312db736e7077ed2c3eb19e90eb8cca45bb559

SHA512
d38722d5d1c0e36ac0f86cc83f63988a28dea1e4145f71b8d48b11b3a06d8192c74d2dd8355d728063e0df57c86d6bb4cc82d31588543387830c0289faa2139c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB912.exe

Filesize
16KB

MD5
fc838cb300a3cd2531c4f9a0a96d467c

SHA1
dcd66a97d77533ad02e98196fc69b70cd423bfdc

SHA256
8e9423adfa049bd5ccbedd798d88f53142cf51aa9b5592cebf2fb365034dd80d

SHA512
200acee2e07d50b45b2e637f8de64aed49e20d4345eaeac744013fba8cd74ea504b7f759c9c50f5330d891a804cf3d05736fb60d8e702547061c331e5d6a3228

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5E46.exe

Filesize
16KB

MD5
08b2359ade3736a22760fd91a361e11d

SHA1
6c9ecd8780585b27460d0b3b0080fd24dfa07ba6

SHA256
74b1f35ab5f06f51aa5b5ad19cc56466353566d908dcd2b3089bc53d369d70f9

SHA512
1e0e68fe7542bf32c3971a9bbb70052d1d76aaed888fb90b7a311ead42a8ff7847ba4b2e1a9f5e70cf5d238302fbff87bfe88142936ddfee47c0fe6fb923503c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM621D.exe

Filesize
16KB

MD5
bdb87000309515ef1447ef787bfe16c2

SHA1
77ca59f410002245bb926d2fa1672894b2cc3f3d

SHA256
8fc91d2031054b91bc915991bb078524fe2c6e956051d3321caf9a277d1f0253

SHA512
7ca1ea68a990e7744fe39f67e1563b36c3df67aa6a22c5559f3684c9994b041488cc0afcbbd21d1e62b24ced76c54b0868b4959b775b3375c82c19a81dbb2b04

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC4.exe

Filesize
16KB

MD5
075212934bec5e82f8c0577df909853d

SHA1
81af10b7e31340bc01a9bd01813731eb8a53d362

SHA256
a636dbe25bdaf9de6a184a884ba1b10f8fb8f0bd5db9704dfbca10ee908f8f3f

SHA512
bb4402cb272ecada9208236ba392b821f454b914f3346a7499b2e8843d2cb76dab65fc5a466488ad4afe1d5583559e7867daa85ac5929bc2c7aae75ef60ee3cd

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF2D.exe

Filesize
16KB

MD5
f3315d8993c75cfd87322cea196f05a5

SHA1
26a76e29c93a734debc2eb354a07c702a91a9971

SHA256
069150c23bd6a66de29962877864b4674a09ab6fafebf78648c770cdae468af2

SHA512
8ce68049f5f77f688ae3d80feb13eb10a96a97b100bf5ae5b6063707c69e4109dc15b9a2797b7a9c4b3db4b78020fcf34559dbee54d1fcb468d6476a418994e6

Download Submit

Analysis

Sharing