90fdc770207c928acbd0ca0ec55169e703f41c77166cbea7b8bf33232560e1b0

General

Target

8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe
Size

15KB
MD5

8c9d302712a038b86289881a5a88e426
SHA1

bdc3b75970d0650138201853eb591f1730598ee1
SHA256

90fdc770207c928acbd0ca0ec55169e703f41c77166cbea7b8bf33232560e1b0
SHA512

4320f5dbfe6c10adb2953adf9ad6c3d50314aa097ef78a72905fa4903170722e6647d4e6af2f8e1550f8fef13eae177c8717700d92f4f14f51636b062266594c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx9:hDXWipuE+K3/SSHgxmHD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2852	DEM58E9.exe
484	DEMAE1A.exe
2320	DEM32C.exe
2944	DEM589B.exe
1480	DEMAEE5.exe
2164	DEM474.exe

Loads dropped DLL 6 IoCs

pid	Process
2836	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe
2852	DEM58E9.exe
484	DEMAE1A.exe
2320	DEM32C.exe
2944	DEM589B.exe
1480	DEMAEE5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM58E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAE1A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM32C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM589B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAEE5.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2852	2836	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe	31
PID 2836 wrote to memory of 2852	2836	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe	31
PID 2836 wrote to memory of 2852	2836	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe	31
PID 2836 wrote to memory of 2852	2836	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe	31
PID 2852 wrote to memory of 484	2852	DEM58E9.exe	34
PID 2852 wrote to memory of 484	2852	DEM58E9.exe	34
PID 2852 wrote to memory of 484	2852	DEM58E9.exe	34
PID 2852 wrote to memory of 484	2852	DEM58E9.exe	34
PID 484 wrote to memory of 2320	484	DEMAE1A.exe	36
PID 484 wrote to memory of 2320	484	DEMAE1A.exe	36
PID 484 wrote to memory of 2320	484	DEMAE1A.exe	36
PID 484 wrote to memory of 2320	484	DEMAE1A.exe	36
PID 2320 wrote to memory of 2944	2320	DEM32C.exe	38
PID 2320 wrote to memory of 2944	2320	DEM32C.exe	38
PID 2320 wrote to memory of 2944	2320	DEM32C.exe	38
PID 2320 wrote to memory of 2944	2320	DEM32C.exe	38
PID 2944 wrote to memory of 1480	2944	DEM589B.exe	40
PID 2944 wrote to memory of 1480	2944	DEM589B.exe	40
PID 2944 wrote to memory of 1480	2944	DEM589B.exe	40
PID 2944 wrote to memory of 1480	2944	DEM589B.exe	40
PID 1480 wrote to memory of 2164	1480	DEMAEE5.exe	42
PID 1480 wrote to memory of 2164	1480	DEMAEE5.exe	42
PID 1480 wrote to memory of 2164	1480	DEMAEE5.exe	42
PID 1480 wrote to memory of 2164	1480	DEMAEE5.exe	42

C:\Users\Admin\AppData\Local\Temp\8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\DEM58E9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM58E9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\DEMAE1A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAE1A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Users\Admin\AppData\Local\Temp\DEM32C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM32C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\DEM589B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM589B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\DEMAEE5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAEE5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\DEM474.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM474.exe"
        7⤵
        Executes dropped EXE
        
        PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMAE1A.exe

Filesize
15KB

MD5
d4b8602175840072ac7de98eaee37940

SHA1
d56749dd8e8c8f1c0ddd4801b829f4bd8a63c059

SHA256
8e143c19f583c6f49ecfe7dd16571490c8f60a757cae5c952c4856fd82b89377

SHA512
b2f22cf8a2bad0e81b2bc5a3e4d0d001992cb8d5ab364354d7154133448a997077776aaa0160deb8f60c9ae83e709b50a929cb0b62acbf7bd6d2e1b278a2e39a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM32C.exe

Filesize
15KB

MD5
a8d6d7e301273e4e1c6192c75fe0f5c7

SHA1
5af7849febead895a1f5a249ac2799e93843ec29

SHA256
2a32104b28106cce2bbf74ff859cfc834b22e814b715b842d092ec946270ee21

SHA512
20a2f11996ecc021c2f0923fafcd394c4328698436f925fe79e56becae65637bc84078df6ea81421c989f53c2d9247df945834c19001f28a5d103989fcd5ee08

Download Submit
\Users\Admin\AppData\Local\Temp\DEM474.exe

Filesize
15KB

MD5
c4e3fc6f17752d9d1157145ee365ecea

SHA1
7aefe6f95880d7fd755edb5b8c5aac1cec40e9d7

SHA256
d50ae82a8f7ec6b585d8e2b6c6785183d15c9e3a05aa763983c1334a355d8176

SHA512
ba5f4e29985c29e40c0198cce4b6459c4bb70c35e2ffb38b17ef7bc74be3b2a5609b3ba5957ff0288fd1f74105a7eb26eb3e76dd05907f50ffa1a78c5bbb9f11

Download Submit
\Users\Admin\AppData\Local\Temp\DEM589B.exe

Filesize
15KB

MD5
98389b479be2c900f2057da325493ee4

SHA1
7219e534c820bf39cfb8abedd6e11fa4ee60fbd8

SHA256
2ddbbb70f603687946a4dae77d6da2a4e52723736a7c0c2c5bb56a4fc2ea5ae4

SHA512
b3878ebc3d646cb7a3455069c306ae5eb1bd335909faba4c4dfdccdee9cbd904ee44c2bbff2ad56944dc79a866c98289a6ceb650381abced821b0a8771b1d064

Download Submit
\Users\Admin\AppData\Local\Temp\DEM58E9.exe

Filesize
15KB

MD5
ab37ffe7fa4f529be483524b8d35516e

SHA1
df223eeaa32af2eaf100cb162c4a7e6ddd017705

SHA256
e74f469b601556994739ca135120dd0962fac788cf381f60ffc1062ca3477a0d

SHA512
7441655c933b193e49a6b0577f6917aceed8bcd0acd38c0cece7ac0e090a0de71130186c51e565848a4bd80bbf4bc775219693216852f21d2c9ff1daded8f46a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAEE5.exe

Filesize
15KB

MD5
43840508754bce3568ab88e0058ced6c

SHA1
fdc139b666beea780e7ccc1604f8618375050152

SHA256
be39c77ad6083580c38de8e7c1ab448d6f85d4a6c39fd647ee71ba7c48a228cf

SHA512
07d812910e97319d81e39f1d6d2d56420a49bf5307561f45832b18f62684f9b11b0e84be704f080cd5ccdca44a601be516eaa3eece962831912ff7a3519a40d9

Download Submit

Analysis

Sharing