80b3a0c16810ff162cf3cb7ed29da7cd9345b2fb0863b5e90a24163b1ce5a73a

General

Target

86a3fb0ed7dca3c497f5c8baeee6a116_JaffaCakes118.exe
Size

14KB
MD5

86a3fb0ed7dca3c497f5c8baeee6a116
SHA1

bb2aaaf289b82dc66340f2492a68d9a9b12dc92f
SHA256

80b3a0c16810ff162cf3cb7ed29da7cd9345b2fb0863b5e90a24163b1ce5a73a
SHA512

bbacc76e091e5174fa5e6a027fcdf28d88bbb90b98cfad1cd48d3be4d6361766630081e568666f7bf18754d7b1883902252a1d05f9d53f1bf08bf3f6fd0ae4e5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJBV:hDXWipuE+K3/SSHgx1V

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2508	DEMCA13.exe
2788	DEM201E.exe
2748	DEM760A.exe
2992	DEMCBA8.exe
2712	DEM2108.exe
2852	DEM7713.exe

Loads dropped DLL 6 IoCs

pid	Process
2336	86a3fb0ed7dca3c497f5c8baeee6a116_JaffaCakes118.exe
2508	DEMCA13.exe
2788	DEM201E.exe
2748	DEM760A.exe
2992	DEMCBA8.exe
2712	DEM2108.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86a3fb0ed7dca3c497f5c8baeee6a116_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCA13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM201E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM760A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCBA8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2108.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2508	2336	86a3fb0ed7dca3c497f5c8baeee6a116_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2508	2336	86a3fb0ed7dca3c497f5c8baeee6a116_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2508	2336	86a3fb0ed7dca3c497f5c8baeee6a116_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2508	2336	86a3fb0ed7dca3c497f5c8baeee6a116_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2788	2508	DEMCA13.exe	34
PID 2508 wrote to memory of 2788	2508	DEMCA13.exe	34
PID 2508 wrote to memory of 2788	2508	DEMCA13.exe	34
PID 2508 wrote to memory of 2788	2508	DEMCA13.exe	34
PID 2788 wrote to memory of 2748	2788	DEM201E.exe	36
PID 2788 wrote to memory of 2748	2788	DEM201E.exe	36
PID 2788 wrote to memory of 2748	2788	DEM201E.exe	36
PID 2788 wrote to memory of 2748	2788	DEM201E.exe	36
PID 2748 wrote to memory of 2992	2748	DEM760A.exe	38
PID 2748 wrote to memory of 2992	2748	DEM760A.exe	38
PID 2748 wrote to memory of 2992	2748	DEM760A.exe	38
PID 2748 wrote to memory of 2992	2748	DEM760A.exe	38
PID 2992 wrote to memory of 2712	2992	DEMCBA8.exe	40
PID 2992 wrote to memory of 2712	2992	DEMCBA8.exe	40
PID 2992 wrote to memory of 2712	2992	DEMCBA8.exe	40
PID 2992 wrote to memory of 2712	2992	DEMCBA8.exe	40
PID 2712 wrote to memory of 2852	2712	DEM2108.exe	42
PID 2712 wrote to memory of 2852	2712	DEM2108.exe	42
PID 2712 wrote to memory of 2852	2712	DEM2108.exe	42
PID 2712 wrote to memory of 2852	2712	DEM2108.exe	42

C:\Users\Admin\AppData\Local\Temp\86a3fb0ed7dca3c497f5c8baeee6a116_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86a3fb0ed7dca3c497f5c8baeee6a116_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\DEMCA13.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCA13.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\DEM201E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM201E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\DEM760A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM760A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\DEMCBA8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCBA8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\DEM2108.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2108.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\DEM7713.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7713.exe"
        7⤵
        Executes dropped EXE
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM201E.exe

Filesize
14KB

MD5
6abc06c4955e46c65df5ce4184bcb080

SHA1
ef4f2b8697537e51336f70cecf0248ed97fae6ce

SHA256
d7bcc361875dc4ca2e4054f2e8a710ce728305ff79fb7b5ee71cc9ce2dbda60d

SHA512
8c79af5a4a726b4b4bfad817dc8062f2a3f67835504a7e9bf894a4bd0b5b2bffa9bcaf032f3cce0c8413d37c50eaaa7b4b99f8a31e187f1367c0abe39dbd5b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2108.exe

Filesize
14KB

MD5
2b15d15767222c46d983575f4b6b1c0b

SHA1
cdb5849afae4497c990026c2a61728e21675a8ac

SHA256
d30dddfd61954f32ad3c4e0d4a33948ed18d3c5009ec4c5f49b0353edec00876

SHA512
714c17f7fa84c092cdec95e443e47c2bb27073dcffbb19a54ac8a2525054e6c9005f67b0db9c488f72e5af73584ef803505de386efef2d8c216d28eaf3012c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA13.exe

Filesize
14KB

MD5
f9a2d6b0e9eb9eca263ccabf919ae6aa

SHA1
e7f4122a00aedfcd2728497ca56e73094ee79e9a

SHA256
d25800377f3b59cce83ea4c5c7ef8f4b4b1d0c64d3ea48ada181dabb88114ed1

SHA512
76703620dcf169f6d27ceb962973003a4449a6d382101b1d3750974b27010d410ee3714cf02daa7e938837629e0db524511bb6fdbe9ac70e5c62dd1a2beac802

Download Submit
\Users\Admin\AppData\Local\Temp\DEM760A.exe

Filesize
14KB

MD5
92c9acf947c05592329c5b2481fc6423

SHA1
2d9a2e0f752ce742dd14c022c197d8cb672342ba

SHA256
7296acaf6f1a6f33e5cbba9452159b5076d40b07e14327d9f95c750e53c21096

SHA512
11e0fa91a5a7ecc8d93e441d4211e2bf87c5bb124a946c331b8defdcbe48d5b94f64ad9ed8dad9868ad63b29a5ba34f050a04eb9e660b6571e8a9f2325c6dcc8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7713.exe

Filesize
14KB

MD5
494cfb50597b12d464c3e2966438f56e

SHA1
18c12c9d6dbfd5d67de8904b71f0e755c7fc9e41

SHA256
ca52cbbaca107967697954bbd87ca6d2dc06026dea13eaeb0a3ec37d5fec2302

SHA512
9452b0c3d20786974bade407dbc90a55ebb8f5ffbe9cd654f7a8b84e4134fad2f77ec3d035a24cbbc73cade6ae36022984833d64320d0c09265d9b73ba96e391

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCBA8.exe

Filesize
14KB

MD5
8f08c5936a089f0a2b6e243e5f8784ae

SHA1
07fa0ab1b898403147c2dea5349e9dc807dede7a

SHA256
10b49dbf3ca342136884b7ec1ed0cd43a64f5e9d952c39eeaefd28daf1b503f6

SHA512
8652b89f14bc8ab27c3972cdf719663c26e096d66e0ff984ae2838cb61b0187f6cbc462b9b01ade567d63a272da7920905d879cef98af5af410537dbbc1cfb55

Download Submit

Analysis

Sharing