904e7cddf61a5b66323a4677485d50ee9443b6ce69625c062d0239735824871a

General

Target

JaffaCakes118_fa042f188b060d63d27dd6d1f388f6f8.exe
Size

14KB
MD5

fa042f188b060d63d27dd6d1f388f6f8
SHA1

9c944f2d63b630ab37f969bd54bcbaec767759dd
SHA256

904e7cddf61a5b66323a4677485d50ee9443b6ce69625c062d0239735824871a
SHA512

c715af28bb63946bda4a76e564b145fe61bd98b897bf269e1c684d60b9ebb4283ad789dd95fcef4dfa4948da29dc116ec169f6321cc1f7ca8a4ca8d962f80792
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhg:hDXWipuE+K3/SSHgxzg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1832	DEM8B8D.exe
2976	DEME10C.exe
2468	DEM363D.exe
2340	DEM8BBC.exe
1428	DEME12B.exe
484	DEM369A.exe

Loads dropped DLL 6 IoCs

pid	Process
1748	JaffaCakes118_fa042f188b060d63d27dd6d1f388f6f8.exe
1832	DEM8B8D.exe
2976	DEME10C.exe
2468	DEM363D.exe
2340	DEM8BBC.exe
1428	DEME12B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8B8D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME10C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM363D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8BBC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME12B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fa042f188b060d63d27dd6d1f388f6f8.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1832	1748	JaffaCakes118_fa042f188b060d63d27dd6d1f388f6f8.exe	32
PID 1748 wrote to memory of 1832	1748	JaffaCakes118_fa042f188b060d63d27dd6d1f388f6f8.exe	32
PID 1748 wrote to memory of 1832	1748	JaffaCakes118_fa042f188b060d63d27dd6d1f388f6f8.exe	32
PID 1748 wrote to memory of 1832	1748	JaffaCakes118_fa042f188b060d63d27dd6d1f388f6f8.exe	32
PID 1832 wrote to memory of 2976	1832	DEM8B8D.exe	34
PID 1832 wrote to memory of 2976	1832	DEM8B8D.exe	34
PID 1832 wrote to memory of 2976	1832	DEM8B8D.exe	34
PID 1832 wrote to memory of 2976	1832	DEM8B8D.exe	34
PID 2976 wrote to memory of 2468	2976	DEME10C.exe	36
PID 2976 wrote to memory of 2468	2976	DEME10C.exe	36
PID 2976 wrote to memory of 2468	2976	DEME10C.exe	36
PID 2976 wrote to memory of 2468	2976	DEME10C.exe	36
PID 2468 wrote to memory of 2340	2468	DEM363D.exe	38
PID 2468 wrote to memory of 2340	2468	DEM363D.exe	38
PID 2468 wrote to memory of 2340	2468	DEM363D.exe	38
PID 2468 wrote to memory of 2340	2468	DEM363D.exe	38
PID 2340 wrote to memory of 1428	2340	DEM8BBC.exe	40
PID 2340 wrote to memory of 1428	2340	DEM8BBC.exe	40
PID 2340 wrote to memory of 1428	2340	DEM8BBC.exe	40
PID 2340 wrote to memory of 1428	2340	DEM8BBC.exe	40
PID 1428 wrote to memory of 484	1428	DEME12B.exe	42
PID 1428 wrote to memory of 484	1428	DEME12B.exe	42
PID 1428 wrote to memory of 484	1428	DEME12B.exe	42
PID 1428 wrote to memory of 484	1428	DEME12B.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa042f188b060d63d27dd6d1f388f6f8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa042f188b060d63d27dd6d1f388f6f8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\DEM8B8D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8B8D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\DEME10C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME10C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\DEM363D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM363D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\DEM8BBC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8BBC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\DEME12B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME12B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\DEM369A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM369A.exe"
        7⤵
        Executes dropped EXE
        
        PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM369A.exe

Filesize
14KB

MD5
a34f9034b39d7236f1bcd3e4d6fd5584

SHA1
0938a1f4fd41328478adf47bfac19ffeb5a0e74a

SHA256
45558a6e530388d48ab53136e3605e2c12a1a66beafe17116a29b256079fe923

SHA512
3d90e4e9c1f3b4d203db93bf01f1674937364140360f9f8f641d961e9b12a511f2c3b9aaeecd9a7318510cd6c143fe306839844e4575e166fb2f61f9ade1233a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME10C.exe

Filesize
14KB

MD5
06a7d87145af705277f815861c5cb873

SHA1
d75262477e254d00a451fafeddc6fe9737973ff7

SHA256
f0459facba83b8d827d033f1932d0b17b697d1fb41f569807c12ca6a9dc61d63

SHA512
384213f877beb520eeb9f4981199c84ec76d27f8125945c2c5d7c5ec3a5599111a9afb90fae9f68ccf85bc9e2d9ddfcfa6175743c65b9aa07b9b40e01ca4ed14

Download Submit
\Users\Admin\AppData\Local\Temp\DEM363D.exe

Filesize
14KB

MD5
0a3e51f6635680af72eb375a42e986b2

SHA1
1201cb9cae2a8ffa92eb4ac46851b23c2538af3d

SHA256
e695a06c659a9f2b1212ec191bd958350d5a94e5df15993ea7d8c2fe570f275a

SHA512
94649c4c79c5319610abca5d621f3a8706793b8c63319b59d6199b736ac562540354652ecbb92996fd16f7dbda89771bbee8691d65ce3fb4a5d37b4dc70c8968

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8B8D.exe

Filesize
14KB

MD5
7dfaac5ab20c357c9fc548c8bfca610c

SHA1
68570aab6226a6526bac7e2f72915a82201c225d

SHA256
d0a4f3a38a33fd928f91828c4a23ae952b3c1aeaa83bebb3010c5a465ccca5cc

SHA512
5a34bd38bdf29d9dda6c5335f6b5da1f11a0ed256147b08ce99565767a08b2d6c991c5d43fbd5b8d18582b15e38b892b27820ca07d764f48ba6a2abc77c91644

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8BBC.exe

Filesize
14KB

MD5
20ab41a0441a4727f37a3c075516e469

SHA1
cbc662ebdaaf1b9020c5fbeaf50eedaf0b0a70a2

SHA256
4b2fbd2b5e1f8a9360f8197ed44190098ea1f7650533c1af9b6934e8028d95ca

SHA512
c884bda2dd1991263dacc642c0af3abf0ae393725a95c0218119813b3cfd81e28ddfffc9b8b1d475ea019c7869ad8f638e96a7e6285a9812275195b881f1ceaf

Download Submit
\Users\Admin\AppData\Local\Temp\DEME12B.exe

Filesize
14KB

MD5
c2fea06801db1daab130210b785a9148

SHA1
f53b749e7c47e5603ebaa20e8b4cdaf93a19857b

SHA256
0cfb2279595be40e7cfd5bb51080fc2b46e1612e2acba1ef85ba6bb184d644e1

SHA512
c7ac01c2d31ed528cbc934e64b590ee06fef375c8dfaee63ad9d6bbcdf6fbb4d2effb2a9e3618a1a2761859dde0e080cfcd58b551ae7b5bea157bcae0159a37a

Download Submit

Analysis

Sharing