f045a9eca55ba45e06dbadc664190dcbb61c22e07a64a17fe5c05bd99dd28e19

General

Target

JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe
Size

20KB
MD5

fa0bda39bd5bb8c5b35950a27156bcc9
SHA1

3ceec14f46fba6389d0b315cc8a302ebb2eaff25
SHA256

f045a9eca55ba45e06dbadc664190dcbb61c22e07a64a17fe5c05bd99dd28e19
SHA512

ebda50653458d6fe2c8714c8560dcb86aff40624ef22abaab821ddb8600dd77bafaf4514b921e49deba7af8991ee9f96236ba6077fd2fbd5e6e063d16626a1f3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4ogiA:hDXWipuE+K3/SSHgxmHZoy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2992	DEMEDF7.exe
2720	DEM4431.exe
1300	DEM9AE8.exe
2304	DEMF0E4.exe
2400	DEM47D9.exe
2352	DEM9F1D.exe

Loads dropped DLL 6 IoCs

pid	Process
2424	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe
2992	DEMEDF7.exe
2720	DEM4431.exe
1300	DEM9AE8.exe
2304	DEMF0E4.exe
2400	DEM47D9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEDF7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4431.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9AE8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF0E4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM47D9.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2992	2424	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe	30
PID 2424 wrote to memory of 2992	2424	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe	30
PID 2424 wrote to memory of 2992	2424	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe	30
PID 2424 wrote to memory of 2992	2424	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe	30
PID 2992 wrote to memory of 2720	2992	DEMEDF7.exe	32
PID 2992 wrote to memory of 2720	2992	DEMEDF7.exe	32
PID 2992 wrote to memory of 2720	2992	DEMEDF7.exe	32
PID 2992 wrote to memory of 2720	2992	DEMEDF7.exe	32
PID 2720 wrote to memory of 1300	2720	DEM4431.exe	34
PID 2720 wrote to memory of 1300	2720	DEM4431.exe	34
PID 2720 wrote to memory of 1300	2720	DEM4431.exe	34
PID 2720 wrote to memory of 1300	2720	DEM4431.exe	34
PID 1300 wrote to memory of 2304	1300	DEM9AE8.exe	36
PID 1300 wrote to memory of 2304	1300	DEM9AE8.exe	36
PID 1300 wrote to memory of 2304	1300	DEM9AE8.exe	36
PID 1300 wrote to memory of 2304	1300	DEM9AE8.exe	36
PID 2304 wrote to memory of 2400	2304	DEMF0E4.exe	38
PID 2304 wrote to memory of 2400	2304	DEMF0E4.exe	38
PID 2304 wrote to memory of 2400	2304	DEMF0E4.exe	38
PID 2304 wrote to memory of 2400	2304	DEMF0E4.exe	38
PID 2400 wrote to memory of 2352	2400	DEM47D9.exe	40
PID 2400 wrote to memory of 2352	2400	DEM47D9.exe	40
PID 2400 wrote to memory of 2352	2400	DEM47D9.exe	40
PID 2400 wrote to memory of 2352	2400	DEM47D9.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\DEMEDF7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEDF7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\DEM4431.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4431.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\DEM9AE8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9AE8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Users\Admin\AppData\Local\Temp\DEMF0E4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF0E4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\DEM9F1D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9F1D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4431.exe

Filesize
20KB

MD5
b37439a28ffab86c8e240a42c7bc2f17

SHA1
49a3c324ea00f57938f9cd6993c3ecc297d808c0

SHA256
a7e2f970f1fb3ef6e8ef42eb4533740768ccf3c0e4927076f4c470acc221826c

SHA512
a1d38f2a9dc78680e3e4af7947bb7b02424f7ce80d8d8983e7d610135bfa6cb765b91eb446c535f82c1fb7871fd8203321240869e88b448e5952272802b9ccfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F1D.exe

Filesize
21KB

MD5
55c9798de2f493dde23947ba3b177070

SHA1
4179e561cc97a0deacf48372bd61b5faed0878a0

SHA256
9910030e112739170d6edc4eddeec3531e42a2f7f814d139faeb00459dcd3e82

SHA512
1219eeaed7aa1a173a3b8ba166ae23e5eed64ffd82c72b0a0b98ee186b1c1a7a5bced3e9d25cdb4f5ba235a86bfd0406b087b8eb324a36aa16ff300188b0da98

Download Submit
\Users\Admin\AppData\Local\Temp\DEM47D9.exe

Filesize
20KB

MD5
5698ebb006e62d18f824f2e26d325daf

SHA1
be91a5270de6774a005d37529d2d1d7cb08f0549

SHA256
e398445b9b2cb88223a034dc7a1c91fc8e8bee14f45893a9a977dbfe80d482fc

SHA512
1ba49b6f851308be0d3120aeffdd32a746dfb9cfb79635eeedba35353ac6630dd9947867a362146291b96f25536182f9d6d7995655d65bb38510090d4bc4b968

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9AE8.exe

Filesize
20KB

MD5
c4ce5771127f48ddce6bb1ee1e783027

SHA1
28c57e95d01d7a6463651bf253e0e1b1e5ae93cd

SHA256
15b403035d82ee5ae8c7abca1cf03982c637fcb00010028667d6e5f01894ad81

SHA512
ff587a4efe6fe9792e643ca5100439be84ff6d8d86364d16d9b3e0066115ec039049010fdc40c0a73a18c8645de0976540fa0ccf65a20b3e55bf8a78a3a08d64

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEDF7.exe

Filesize
20KB

MD5
6c2c3005a86b43bb38cb648ff52c07f4

SHA1
de2a59d142b44b692bdaf991d008c4bf7ba8e5b8

SHA256
cf6a74648ecba9dd1227eac72b3228c99be7887f6882e55128e7ff7c47797c89

SHA512
179833c6b576ddd20f87bfb0c33b016120cf912326b54dfeacf8eb5662311421e54ee15d855cdc6d93e4bab2ed83a4a342a94f4b6a2c2102aa64d24541b2e5bf

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF0E4.exe

Filesize
20KB

MD5
77ed292b1b68b0af411b2ebe3a5d2a2c

SHA1
3523328cbca91e04e496feafd9c47b23396446aa

SHA256
f40ca47ca6ff859b43416a19d5b12d4fda4477339656003f3cc0b69f4a0dce22

SHA512
3fd6d709f5a7fd4971323f39924736dcd381fa1c220ff3bca683b266a4db6d98b009fb5ab22f77ef00a0acab46aa92c392974e8a4f87923be0d9ce1a4e1583df

Download Submit

Analysis

Sharing