5f26590dc3d7a7896d2945a7d2e0f817f32aefe858412474470a9c2c0eb60501

General

Target

8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
Size

14KB
MD5

8525ae55508a05a66bd491339c654110
SHA1

93c1cdeb4e5994bf78d5a250c447e0dbe01b7cf7
SHA256

5f26590dc3d7a7896d2945a7d2e0f817f32aefe858412474470a9c2c0eb60501
SHA512

742e5033c0c2730f8766e07cd9238ae0dbee9006a54a40118c70939bb9cc872d7211f0459894b944ea858f9da481107f577e6d39e7f2ef02541cc096a1bf2d96
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhvu:hDXWipuE+K3/SSHgxlu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2856	DEMB490.exe
2864	DEM9C1.exe
2672	DEM5F9D.exe
1912	DEMB4ED.exe
2068	DEM9F0.exe
536	DEM5FEB.exe

Loads dropped DLL 6 IoCs

pid	Process
2316	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
2856	DEMB490.exe
2864	DEM9C1.exe
2672	DEM5F9D.exe
1912	DEMB4ED.exe
2068	DEM9F0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5F9D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB4ED.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9F0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9C1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2856	2316	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2856	2316	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2856	2316	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2856	2316	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe	32
PID 2856 wrote to memory of 2864	2856	DEMB490.exe	34
PID 2856 wrote to memory of 2864	2856	DEMB490.exe	34
PID 2856 wrote to memory of 2864	2856	DEMB490.exe	34
PID 2856 wrote to memory of 2864	2856	DEMB490.exe	34
PID 2864 wrote to memory of 2672	2864	DEM9C1.exe	36
PID 2864 wrote to memory of 2672	2864	DEM9C1.exe	36
PID 2864 wrote to memory of 2672	2864	DEM9C1.exe	36
PID 2864 wrote to memory of 2672	2864	DEM9C1.exe	36
PID 2672 wrote to memory of 1912	2672	DEM5F9D.exe	38
PID 2672 wrote to memory of 1912	2672	DEM5F9D.exe	38
PID 2672 wrote to memory of 1912	2672	DEM5F9D.exe	38
PID 2672 wrote to memory of 1912	2672	DEM5F9D.exe	38
PID 1912 wrote to memory of 2068	1912	DEMB4ED.exe	40
PID 1912 wrote to memory of 2068	1912	DEMB4ED.exe	40
PID 1912 wrote to memory of 2068	1912	DEMB4ED.exe	40
PID 1912 wrote to memory of 2068	1912	DEMB4ED.exe	40
PID 2068 wrote to memory of 536	2068	DEM9F0.exe	42
PID 2068 wrote to memory of 536	2068	DEM9F0.exe	42
PID 2068 wrote to memory of 536	2068	DEM9F0.exe	42
PID 2068 wrote to memory of 536	2068	DEM9F0.exe	42

C:\Users\Admin\AppData\Local\Temp\8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8525ae55508a05a66bd491339c654110_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\DEMB490.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB490.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\DEM5F9D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5F9D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Users\Admin\AppData\Local\Temp\DEMB4ED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB4ED.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Users\Admin\AppData\Local\Temp\DEM9F0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9F0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\DEM5FEB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5FEB.exe"
        7⤵
        Executes dropped EXE
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe

Filesize
14KB

MD5
6977afdf4eba5c82c05c7b7aed5e91a9

SHA1
2a3c136694c94797b0d3dd14a79f535b646acd19

SHA256
5a4c5642d2cd92e50ee889602d5638d731259ab84aee11cc595783f2f3e4fd95

SHA512
ec589dd67d2bc7582f2c43d977a96518219f89a6e8d271aa1cca59e1fcd5f898915fbf0eee76f55b6c5f130bcb8a2b4ab57293a6ea3416694e1ae9df2c58e02f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5F9D.exe

Filesize
14KB

MD5
d972acfd3761da13b0fe7c7e12bf0a4e

SHA1
1221bdbbf23b6deecf039a983180ab0f0b6b9f2b

SHA256
d02884bc7ecc0f4c305ab91bccf91cfbd4fbb32b1c6a0487efcb546994cf3bb1

SHA512
1a9080d8879605af433d089f27cefb9fff4243a872119cf0a53ed49a436fe1b23cb094646eae52bec38c3fa1f70ba074c362f8f6e065014adaadbfde6bbdeb62

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5FEB.exe

Filesize
14KB

MD5
810fe41149de3616faac74540ccfe7c3

SHA1
d665744707c85bebf8f49c0103811ad6c5718bc7

SHA256
befd7ff4b18194e4fb793a881f50499b6f23adf1c3b7c3526bcca86d5afffe27

SHA512
fcc2c1d6b3e2ac15637b298ab6377eab3997ba446b4a796a31d037d2968e50634213d01fb0c87700cfc34e751a345c9fb9ae14caf8caa2e2f07b5a1bd970cc48

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9F0.exe

Filesize
14KB

MD5
7b9c65063e5f464d9e031c9352aa3596

SHA1
703812403e1d6c5db9e0ad7e52a260d8ad0d5a90

SHA256
58e35e195cfa77ab43bdb1e878a76aee846698292b2b9f7094df87dc790ce830

SHA512
0387b6a7c1b9158c39f52a6defdb62d00d38cdb78870d39a1a7273a8aba63d13b04fdd920f3ae44fa729b1f27d13da3cd811b9740655e926d787847690ef44af

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB490.exe

Filesize
14KB

MD5
289c9fe68da39190b75d473b2cc4e3c7

SHA1
b0e62a79f7d887575649574cf40d9401d72d4b1f

SHA256
092d7c56beb214fb5c22d69a65c3ba42966bd37e03ffeec854e0c08319818414

SHA512
caeaa2a53101b56bfbd7012b0b1b63e972e468c1431d8d1ef1f429c34a5805252893b4083bf1a41d8f3d60d3e5afe4fecfcfa5344c19f59510f8ba957aaee7f2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB4ED.exe

Filesize
14KB

MD5
482c86808a1999dc45ea0c0be41cd7c9

SHA1
e7d463f1a19a8ca62bfd6f720e4b19cb9b6a6a0c

SHA256
1773a58e526e0066022226f36f1b2b6c36832b2cc8f1439537b78b8272c0b102

SHA512
96588540e70d4bda5eb25b7d194002e97d37f5bc905b6989fb9239a9f456a9e500e1b71271145f3af017d29aaadd600719d969652ade0c479bdfc2024306f5f0

Download Submit

Analysis

Sharing