78fa00ae23d5774f63fe6c1d551784a4315e1cafc5819d8720166672582fbb2f

General

Target

JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
Size

16KB
MD5

fa06181159d36bbedacb464b849b0ec3
SHA1

354576fec1117a68d02ce8527374d81c1ccb419a
SHA256

78fa00ae23d5774f63fe6c1d551784a4315e1cafc5819d8720166672582fbb2f
SHA512

10f861b83d85fd7553580601bd4d1e9f73fb97058a6891a9825ef9da80c3b6d61127bd4ac256c6b904772eb86fefd27d82619fa9d74b0553653830e1ac3ca5c6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJHPSU9:hDXWipuE+K3/SSHgxmlOJH7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2136	DEMB8E3.exe
2208	DEME14.exe
2616	DEM6336.exe
1092	DEMB838.exe
1840	DEMD3A.exe
2928	DEM624C.exe

Loads dropped DLL 6 IoCs

pid	Process
2296	JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
2136	DEMB8E3.exe
2208	DEME14.exe
2616	DEM6336.exe
1092	DEMB838.exe
1840	DEMD3A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6336.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD3A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB8E3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME14.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2136	2296	JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe	32
PID 2296 wrote to memory of 2136	2296	JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe	32
PID 2296 wrote to memory of 2136	2296	JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe	32
PID 2296 wrote to memory of 2136	2296	JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe	32
PID 2136 wrote to memory of 2208	2136	DEMB8E3.exe	34
PID 2136 wrote to memory of 2208	2136	DEMB8E3.exe	34
PID 2136 wrote to memory of 2208	2136	DEMB8E3.exe	34
PID 2136 wrote to memory of 2208	2136	DEMB8E3.exe	34
PID 2208 wrote to memory of 2616	2208	DEME14.exe	36
PID 2208 wrote to memory of 2616	2208	DEME14.exe	36
PID 2208 wrote to memory of 2616	2208	DEME14.exe	36
PID 2208 wrote to memory of 2616	2208	DEME14.exe	36
PID 2616 wrote to memory of 1092	2616	DEM6336.exe	38
PID 2616 wrote to memory of 1092	2616	DEM6336.exe	38
PID 2616 wrote to memory of 1092	2616	DEM6336.exe	38
PID 2616 wrote to memory of 1092	2616	DEM6336.exe	38
PID 1092 wrote to memory of 1840	1092	DEMB838.exe	40
PID 1092 wrote to memory of 1840	1092	DEMB838.exe	40
PID 1092 wrote to memory of 1840	1092	DEMB838.exe	40
PID 1092 wrote to memory of 1840	1092	DEMB838.exe	40
PID 1840 wrote to memory of 2928	1840	DEMD3A.exe	42
PID 1840 wrote to memory of 2928	1840	DEMD3A.exe	42
PID 1840 wrote to memory of 2928	1840	DEMD3A.exe	42
PID 1840 wrote to memory of 2928	1840	DEMD3A.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\DEMB8E3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB8E3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\DEME14.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME14.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\DEM6336.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6336.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\DEMB838.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB838.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Temp\DEMD3A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD3A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\DEM624C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM624C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6336.exe

Filesize
16KB

MD5
9528c6c37c2ed1295591c3cbc0e7128a

SHA1
ce95f757f266bb199110df40386f0983eae304ef

SHA256
d837869a0d260f40d3461b9700916f3fdb53328fccf8375b35797b525875b4c9

SHA512
0c9fb048d38ed4720f7372d041289c5b07c8193b0ddce596f46f8d0fd4eaaa23fb1ba82eabc41c59cb788685e3274cdb0b5bfe0348e42ada2a1a8a126c583c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB838.exe

Filesize
16KB

MD5
932afad10d7b39e94f431b8ac7b42e3d

SHA1
c6640f0a009ee9c279f92509ed476902094b870c

SHA256
fe8aedf27c89d3b13a164e4fe3e3f88756e0af462cd97a2618b40a4f300dd854

SHA512
00ea78b2505a6349b0dee09d072c1c911729c79154b894c3af289f85e404b1a7ac50868bf721013abf46c44bb886b8ee30d28679712582b7d1a59cd133e30511

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME14.exe

Filesize
16KB

MD5
42361b35c3257f0087f9aa77964b6160

SHA1
c65e4c4f776a9c8196ed4ba126a02f7c003758cf

SHA256
252e9e0caaa1c1db063d2a97385e114ba81033098fca5c685653d41787eb717d

SHA512
364921bd88f5eba3a2bfe868aac9b58deadc77b8599b84102214a0c5357de29dbc614e5c2ccddafb7d91f84f4ea7bde67549958d178fc31ecc245a36a0fe1cce

Download Submit
\Users\Admin\AppData\Local\Temp\DEM624C.exe

Filesize
16KB

MD5
42f0386677366a3addf63df48a7f2998

SHA1
2d71e8e9fa3e8fa235d8a657ad451aec14fc2321

SHA256
8d25dedba71042c212afd3f53a96b4eb58bf1f4cb2fe7f5683c3a24c92d686bd

SHA512
7736d54c256c10f11a2e2514b85d601b54568377a72ea066375e833342693bd0f286f8977c2ab32c410b1dbcbc8ce8fbcafbde578d53a8d58c153a23eef34a51

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB8E3.exe

Filesize
16KB

MD5
8b19aad1342c4242b61d4e5d7ad5bf0d

SHA1
c4a29a6fef7447baae872680fa9d02c0190ff3ef

SHA256
5026eb0cbac359f913b4ca5a3fda58080ea1e246c3ee1cdb374ef67f60f1152b

SHA512
b15beedf9726a31bfe9d8bb451d9593e8ed7b9415d37c7bb2b499386ca092c959d8be62d306016d5a50611e479299863eae1985fde6547a9e9a1b68d9215bb5e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD3A.exe

Filesize
16KB

MD5
b156923502d0ba2fd87ca4f25ec10180

SHA1
4584152912127e7b1807e532732b5d8818c247db

SHA256
8530eb6787c70bd8dde5c4d9d136ee02fe71ebeb44c0e079ef3cdabccbe97145

SHA512
f078bc98815a110db10129e7fb426e802d2495dfe343af23c37093c491bca1be2cb4728c31e7d04978f1a456ebaaef0c5bac16d4db33e7b072684b05ec8762dc

Download Submit

Analysis

Sharing