31d4bf0c500737a1ce00c203e82d9d8592d009b819f48064e4fb48b22fa874e6

General

Target

b73e8dd4ef7d08455b5fff63948f322b_JaffaCakes118.exe
Size

14KB
MD5

b73e8dd4ef7d08455b5fff63948f322b
SHA1

498e6c84c3ee30c663e3b6fd80ab35ca0a111aaa
SHA256

31d4bf0c500737a1ce00c203e82d9d8592d009b819f48064e4fb48b22fa874e6
SHA512

45225cdc222dc1bc311c90953f725459fb45e10c4dc240ba8c4671de2f96b4da4d56476c1ee86c7e628bdf3e38361bf37901c4dc1c7fd500168ad29805c7ac31
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD88:hDXWipuE+K3/SSHgxtT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2860	DEMA61F.exe
2868	DEMFB7E.exe
2564	DEM50BF.exe
2456	DEMA5E0.exe
592	DEMFAF2.exe
2836	DEM50C0.exe

Loads dropped DLL 6 IoCs

pid	Process
1648	b73e8dd4ef7d08455b5fff63948f322b_JaffaCakes118.exe
2860	DEMA61F.exe
2868	DEMFB7E.exe
2564	DEM50BF.exe
2456	DEMA5E0.exe
592	DEMFAF2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA61F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFB7E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM50BF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA5E0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFAF2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b73e8dd4ef7d08455b5fff63948f322b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2860	1648	b73e8dd4ef7d08455b5fff63948f322b_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2860	1648	b73e8dd4ef7d08455b5fff63948f322b_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2860	1648	b73e8dd4ef7d08455b5fff63948f322b_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2860	1648	b73e8dd4ef7d08455b5fff63948f322b_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2868	2860	DEMA61F.exe	34
PID 2860 wrote to memory of 2868	2860	DEMA61F.exe	34
PID 2860 wrote to memory of 2868	2860	DEMA61F.exe	34
PID 2860 wrote to memory of 2868	2860	DEMA61F.exe	34
PID 2868 wrote to memory of 2564	2868	DEMFB7E.exe	36
PID 2868 wrote to memory of 2564	2868	DEMFB7E.exe	36
PID 2868 wrote to memory of 2564	2868	DEMFB7E.exe	36
PID 2868 wrote to memory of 2564	2868	DEMFB7E.exe	36
PID 2564 wrote to memory of 2456	2564	DEM50BF.exe	38
PID 2564 wrote to memory of 2456	2564	DEM50BF.exe	38
PID 2564 wrote to memory of 2456	2564	DEM50BF.exe	38
PID 2564 wrote to memory of 2456	2564	DEM50BF.exe	38
PID 2456 wrote to memory of 592	2456	DEMA5E0.exe	40
PID 2456 wrote to memory of 592	2456	DEMA5E0.exe	40
PID 2456 wrote to memory of 592	2456	DEMA5E0.exe	40
PID 2456 wrote to memory of 592	2456	DEMA5E0.exe	40
PID 592 wrote to memory of 2836	592	DEMFAF2.exe	42
PID 592 wrote to memory of 2836	592	DEMFAF2.exe	42
PID 592 wrote to memory of 2836	592	DEMFAF2.exe	42
PID 592 wrote to memory of 2836	592	DEMFAF2.exe	42

C:\Users\Admin\AppData\Local\Temp\b73e8dd4ef7d08455b5fff63948f322b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b73e8dd4ef7d08455b5fff63948f322b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\DEMA61F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA61F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\DEMFB7E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFB7E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\DEM50BF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM50BF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Users\Admin\AppData\Local\Temp\DEMA5E0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA5E0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Users\Admin\AppData\Local\Temp\DEMFAF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFAF2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\DEM50C0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM50C0.exe"
        7⤵
        Executes dropped EXE
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM50BF.exe

Filesize
14KB

MD5
d4b9a18791e462622a7e4f82727d4f83

SHA1
acd302981456721ca47bb77a303351328ce3399d

SHA256
bcbf3d871e0fab4df7427333a662036b0ab2fb721755be21bd6e65e4c3a89180

SHA512
354dc5cb50a284c75304227a30e633ee5fa498ab4bc76a8f6e72e6cffe4462d1ce98a29f111b3b2af2e80725ec4b6a577a99b22124298710be63fb8c84c86941

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM50C0.exe

Filesize
14KB

MD5
ca9d2e31565ea5e63b5218773f55abec

SHA1
143f5669bbfce04280bd9b873768843ab7e0cd30

SHA256
4dc81a2551b1551de8875b259f439f58c58ed04352104b350a7aeed3bdabd0d1

SHA512
3b2d77b2d4a0119d43627e82a6e046c9f72df901e094bbee0e372748bfbb4b30e69e7b0e40289e7e229700d3dc006de15223058c5d4a8cd7c7d7b7f94d982bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA5E0.exe

Filesize
14KB

MD5
1c3f6dc8812ec1acbd7311b4b0bf7233

SHA1
ed250114f6c0e993760e15b625a4fb70b1a64672

SHA256
6e3735d2671f0455f0ec1191688aaf70f4445f57fb9755ae1dc5528ccb399f1d

SHA512
b36c6de9745f04f5d4242e3c6fffc8b8e8a1832188c27c4252543b7ced440390b9470307ff666015be6e4a0882901214722c86d5c8393b720fe5c9505c366ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFB7E.exe

Filesize
14KB

MD5
633c1b386208826919e2c53483778318

SHA1
a3fd70d1a707c070cf6a0a17e560f696de6031ba

SHA256
fcdba79b93df3274039a845037b45e9f9eee46ac9c14f42c405301df2426e819

SHA512
b474a10d06a3898927819457966d378f8557e28af5e7ba4d61d299bcfe08a36237c0dc13d95ff86cac31dd3e3ebb3f7b2e18983bb1b0fa1af9e6931bb95d7851

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA61F.exe

Filesize
14KB

MD5
afa5a632c74864e6cddd21325c2627e6

SHA1
c360c07dca45b99d5338fb5d5115de85229ed3a1

SHA256
ce2cfe0b901565ce28d0c389b0cde6d7710f76957e6c2c7a144a3addd12bb05b

SHA512
5573c55edb2b65fc79c2712fac745e6ace4f91a6161dee4239ed8f6eec4c5917faea289a83dd5177c72588d9cc7a6d904700fb3cff09bcbda5bb8db2ca8b6dc1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFAF2.exe

Filesize
14KB

MD5
f470cde7ab083f0f2016c3951e64406b

SHA1
aeac6133f17d48787a1080b42b5b76532b62b662

SHA256
57e3d890d9439cd60c19707d21572386eea1180a68426b39a805d52e7a9af066

SHA512
92db0138d9d3fe775d849ebcebd515756ee1868742c6ec46fa67b8b8a16ee4fd23507da752f40d6ab173d40a02a30ad6935f343b6130fc2f96d3cbddacd5dc94

Download Submit

Analysis

Sharing