06561f54de1ce9e77ff17382731ce71ee516ae5fc2417de5bb42e8b7fb0e9cf1

General

Target

8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe
Size

14KB
MD5

8463685ce8efb742c9a9e316cef62bc4
SHA1

9294354bb2456a5e93db41caebd2cda95750fa61
SHA256

06561f54de1ce9e77ff17382731ce71ee516ae5fc2417de5bb42e8b7fb0e9cf1
SHA512

236380e7c84637ad171aa8d2fc7a1fadddd0afc6be70b727116c54286296cdad5ee703e23fac66703bff7960a8975e0fcea5f35719bf359b46c1dd6182d5b0bf
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJElo:hDXWipuE+K3/SSHgx5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2700	DEMCC44.exe
2664	DEM21B4.exe
2568	DEM76C5.exe
2432	DEMCBF6.exe
1232	DEM2146.exe
2964	DEM76C6.exe

Loads dropped DLL 6 IoCs

pid	Process
2068	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe
2700	DEMCC44.exe
2664	DEM21B4.exe
2568	DEM76C5.exe
2432	DEMCBF6.exe
1232	DEM2146.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCC44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM21B4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM76C5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCBF6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2146.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2700	2068	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2700	2068	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2700	2068	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2700	2068	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2664	2700	DEMCC44.exe	34
PID 2700 wrote to memory of 2664	2700	DEMCC44.exe	34
PID 2700 wrote to memory of 2664	2700	DEMCC44.exe	34
PID 2700 wrote to memory of 2664	2700	DEMCC44.exe	34
PID 2664 wrote to memory of 2568	2664	DEM21B4.exe	36
PID 2664 wrote to memory of 2568	2664	DEM21B4.exe	36
PID 2664 wrote to memory of 2568	2664	DEM21B4.exe	36
PID 2664 wrote to memory of 2568	2664	DEM21B4.exe	36
PID 2568 wrote to memory of 2432	2568	DEM76C5.exe	38
PID 2568 wrote to memory of 2432	2568	DEM76C5.exe	38
PID 2568 wrote to memory of 2432	2568	DEM76C5.exe	38
PID 2568 wrote to memory of 2432	2568	DEM76C5.exe	38
PID 2432 wrote to memory of 1232	2432	DEMCBF6.exe	40
PID 2432 wrote to memory of 1232	2432	DEMCBF6.exe	40
PID 2432 wrote to memory of 1232	2432	DEMCBF6.exe	40
PID 2432 wrote to memory of 1232	2432	DEMCBF6.exe	40
PID 1232 wrote to memory of 2964	1232	DEM2146.exe	42
PID 1232 wrote to memory of 2964	1232	DEM2146.exe	42
PID 1232 wrote to memory of 2964	1232	DEM2146.exe	42
PID 1232 wrote to memory of 2964	1232	DEM2146.exe	42

C:\Users\Admin\AppData\Local\Temp\8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\DEMCC44.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCC44.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\DEM21B4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM21B4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\DEM76C5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM76C5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\DEMCBF6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCBF6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Users\Admin\AppData\Local\Temp\DEM2146.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2146.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\DEM76C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM76C6.exe"
        7⤵
        Executes dropped EXE
        
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM21B4.exe

Filesize
14KB

MD5
61236f7aa3807c3bf10704bb346f93a5

SHA1
62a96d1ddd1b7c4d14382fde33f822a525341463

SHA256
189f87a0128f96a8d91fe15fdfb74e9ff067019d9ce1a7341359f55925b9c998

SHA512
cd704e06c39dec32af177dcded738cf8dfee2d8b6b301957003ec2b06cbc0aff2665ddfe857826c623aba663c956e37cd2285ca89a301ae1cce54b2f526be2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM76C6.exe

Filesize
14KB

MD5
df85c5935cbd9f3cff2f387437edf83f

SHA1
cc6986c74c2421e638de70d73f7ddd648d2dc194

SHA256
34d5bd8e79167b61f63c0087a7f2b670246299b1dbeb649b267d26ab17b5c364

SHA512
a222696905d495a4b5b0cbc8d5706f4e3ce9317cff976f53f1c114924136d369dd2ce996ec34adf69a75cb198786d2583e9253d9f36869d5608d6aad684356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCBF6.exe

Filesize
14KB

MD5
861e615f0e2145a7319da43f9015345b

SHA1
44f8a61ef6db75d52f6005887ec60320465aed8f

SHA256
5be32d4999a165b8b234f6765ddc55613d723bbba24cb15295d808dc6691ad1e

SHA512
87b589c32f12941f26fe943034ac37651192985eb0f33fab3d5b2b0a79b01df40b1eca5db20492b6c4f301a4698704a20f1eb896693f9426400150f6d87b64b2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2146.exe

Filesize
14KB

MD5
daf0419a37462ea2cf47d9f5badb09e8

SHA1
f93caec6172ed92493bc9313e617d9f39d923f35

SHA256
7c3534c1fef44b9ea76641eb5675962d9db9831300042d7dfd3d3ea3046cdb88

SHA512
0524ed9a141cf0f2a6f72aa6342a37dc56e2cbb6c442a5e0685c6b3c2c46b28bc2b6b5e5de20b1217e5fec355862482b31610f7ce630c1437210e9a979bc5d1f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM76C5.exe

Filesize
14KB

MD5
02c5e8c1d6f73968cc01047884f762f8

SHA1
0b5b4312b4d9f074e517e0a5b91d8541bcd3a523

SHA256
388637150960ea5f5629b9a7b96cba7d0462901c323566ee1f25f9cfb6f0d749

SHA512
4fdd58bf3f7078e30af5ea28f18007d7246f4d310e45270d3d63709222f73717448b65e2f684a898715fa4d2756f60dfa3f7adaa45ca80e07888430a49006d9c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCC44.exe

Filesize
14KB

MD5
888362a58ab1d91210c259f22d02ef11

SHA1
3cad0189d88b715270dd7c305f8a186338fe9384

SHA256
165eda649fc106fa79ee601b0fc80ecc4a983803cba8f0aab7e17a7cbfa63c03

SHA512
672c82d0ed9f5ac29294e8d874aec094793a7d035fb754cc7472b217fa0bb9ddf765da9a8a00e6d36c18dc191e5768c54a8322f4d788c690007ed91d1a9b042b

Download Submit

Analysis

Sharing