75f99829f4fbc88a68dd9b5c3aa950f4e3b03d6d272b2588abae02f5453e5904

General

Target

8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe
Size

14KB
MD5

8d10d9f0a277588bd04e433850620e5b
SHA1

b4a622d23b186d09928fdcf3e90cb396c6d14661
SHA256

75f99829f4fbc88a68dd9b5c3aa950f4e3b03d6d272b2588abae02f5453e5904
SHA512

be6c95e3381f53cc83934e93680bb77c2089049ff89887b78992b2aaf1f9824c2902e2bed3e50e21a1f082975989de76cf4f432fafe0d5ab804fd64c2d711581
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5M:hDXWipuE+K3/SSHgxl5M

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2860	DEM54D4.exe
596	DEMAA34.exe
2272	DEMFF26.exe
2904	DEM5476.exe
1324	DEMA9D6.exe
2072	DEMFF84.exe

Loads dropped DLL 6 IoCs

pid	Process
2780	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe
2860	DEM54D4.exe
596	DEMAA34.exe
2272	DEMFF26.exe
2904	DEM5476.exe
1324	DEMA9D6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA9D6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM54D4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAA34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFF26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5476.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2860	2780	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe	31
PID 2780 wrote to memory of 2860	2780	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe	31
PID 2780 wrote to memory of 2860	2780	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe	31
PID 2780 wrote to memory of 2860	2780	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe	31
PID 2860 wrote to memory of 596	2860	DEM54D4.exe	34
PID 2860 wrote to memory of 596	2860	DEM54D4.exe	34
PID 2860 wrote to memory of 596	2860	DEM54D4.exe	34
PID 2860 wrote to memory of 596	2860	DEM54D4.exe	34
PID 596 wrote to memory of 2272	596	DEMAA34.exe	36
PID 596 wrote to memory of 2272	596	DEMAA34.exe	36
PID 596 wrote to memory of 2272	596	DEMAA34.exe	36
PID 596 wrote to memory of 2272	596	DEMAA34.exe	36
PID 2272 wrote to memory of 2904	2272	DEMFF26.exe	38
PID 2272 wrote to memory of 2904	2272	DEMFF26.exe	38
PID 2272 wrote to memory of 2904	2272	DEMFF26.exe	38
PID 2272 wrote to memory of 2904	2272	DEMFF26.exe	38
PID 2904 wrote to memory of 1324	2904	DEM5476.exe	40
PID 2904 wrote to memory of 1324	2904	DEM5476.exe	40
PID 2904 wrote to memory of 1324	2904	DEM5476.exe	40
PID 2904 wrote to memory of 1324	2904	DEM5476.exe	40
PID 1324 wrote to memory of 2072	1324	DEMA9D6.exe	42
PID 1324 wrote to memory of 2072	1324	DEMA9D6.exe	42
PID 1324 wrote to memory of 2072	1324	DEMA9D6.exe	42
PID 1324 wrote to memory of 2072	1324	DEMA9D6.exe	42

C:\Users\Admin\AppData\Local\Temp\8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\DEM54D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM54D4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\DEMAA34.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAA34.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\DEMFF26.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFF26.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\DEM5476.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5476.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\DEMA9D6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA9D6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\DEMFF84.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFF84.exe"
        7⤵
        Executes dropped EXE
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMAA34.exe

Filesize
15KB

MD5
4752a4680fc20dd2f53c4c01da2b4c7e

SHA1
91268b7ec13dd8820ef22d01a711ef877b322975

SHA256
9ef542b80ba5b80c7938128528845b431fd40e7df4501daec65217a82bc84167

SHA512
a53996a2b1b8f4aa2a7b72cc85ab792918efbf25cb331a369a31e3402a1732c97bc9648fcd6c0f7112be596b744bae8fcea6531d8700dd2b07bcc8439d326440

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFF26.exe

Filesize
15KB

MD5
f5463673d738756071338b06f3d9aed6

SHA1
a3d383b9c280f940c1f061ced5e440c042cdea81

SHA256
46f942c7a1333f007e259c46079eb191369b1d4afb01b9be8d678422678410f4

SHA512
d93183210a3805057e6f68de952b3e13dd2b34b9401b2a21a6b2cb40ccb620cf061fd7a37a5dd5e655015e523d493b66cf30f1f79681a663a12c22b1af7dc6e8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5476.exe

Filesize
15KB

MD5
f656b59fd03e8bb8ef39899372b129c2

SHA1
a709dba219de0d0b2c01a368dd7c85668c3f02b0

SHA256
4684aca55e06202e4a5c4c9e736e36a32fabb4b7b79b85bec1ad082b1e89a2fc

SHA512
660a48586cd8d79b860cc666153bed2bf58e2563e215da54ff86eeef04ecbd1530ee4c3b72cd15606ea240341c1d42344e774016290dee151b6819b23c819387

Download Submit
\Users\Admin\AppData\Local\Temp\DEM54D4.exe

Filesize
15KB

MD5
35b0178618bf9c73970dba6c30f49c90

SHA1
8c3c543662c7c37ff98b3465b619b9824bf3a724

SHA256
8dc7ebe53fa3c95f8c5430fc1c4bb642260c7b78df3bd3ec18ea916d1d8f3872

SHA512
228f99ae5d68bac5cf88db3bb769dab90fef9e374b9dcb080f5a5048649e835f4bd0aa2a322115a056e3162fd6cd7ecea1edd9035f21dbe78abc65315d466aa7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA9D6.exe

Filesize
15KB

MD5
aea5f638445a0b6663a1e44668f27dc8

SHA1
532c7bd6408e1618dc5dd7c6fcac7b825ce8eb34

SHA256
bf89c81c1b3c893efafdf94b91c22398387adc336173b6a1197e84ddec26a9c0

SHA512
fa6dbeeb3511b494f4275e8aee8c1dc332edb37ee652310f0693d7614fb381c7bc1864a0660972e1ecce77e069cf6807c4da720aed50200813fa8f7fc2973375

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFF84.exe

Filesize
15KB

MD5
f075784453c2281660edced7909738c5

SHA1
35816eb8db9f8f255392fcd6d3b439d3afb7acc2

SHA256
f2614446d38b48f2a1523304a48f26a2b88e4dd51cec07f8fa6470859e36433c

SHA512
bdc342250848600bb09378b182a0c095003ea6f12921c3e72e03dda3bdeffd6bbda2921cd66e603645301458d8e36b2d790ce60cd5f82956860ccc7a35a35435

Download Submit

Analysis

Sharing