8125aaff2ea6e46a43a9eed3db341fe8ed97373e34eae60e1619bc61fbbd4751

General

Target

ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe
Size

15KB
MD5

ba9f40b1d2fad8457615c91c21bdfd0e
SHA1

a9118a3ed6a2853eb8fb3947047a60ba36abe3ca
SHA256

8125aaff2ea6e46a43a9eed3db341fe8ed97373e34eae60e1619bc61fbbd4751
SHA512

d67a3d9ab77377bf30bd2f492c1885ad48ac7a33551f6ece838569fdd10965103ef16f4a4fb80786d9e5d2f902718248c720bbad7ea93e5aae669df352f34821
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEHr:hDXWipuE+K3/SSHgxWr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2328	DEMA94A.exe
2624	DEMFE7B.exe
3036	DEM53DA.exe
1564	DEMA93A.exe
1952	DEMFED8.exe
2472	DEM5457.exe

Loads dropped DLL 6 IoCs

pid	Process
2304	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe
2328	DEMA94A.exe
2624	DEMFE7B.exe
3036	DEM53DA.exe
1564	DEMA93A.exe
1952	DEMFED8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA93A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFED8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA94A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFE7B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM53DA.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2328	2304	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2328	2304	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2328	2304	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2328	2304	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2624	2328	DEMA94A.exe	34
PID 2328 wrote to memory of 2624	2328	DEMA94A.exe	34
PID 2328 wrote to memory of 2624	2328	DEMA94A.exe	34
PID 2328 wrote to memory of 2624	2328	DEMA94A.exe	34
PID 2624 wrote to memory of 3036	2624	DEMFE7B.exe	36
PID 2624 wrote to memory of 3036	2624	DEMFE7B.exe	36
PID 2624 wrote to memory of 3036	2624	DEMFE7B.exe	36
PID 2624 wrote to memory of 3036	2624	DEMFE7B.exe	36
PID 3036 wrote to memory of 1564	3036	DEM53DA.exe	38
PID 3036 wrote to memory of 1564	3036	DEM53DA.exe	38
PID 3036 wrote to memory of 1564	3036	DEM53DA.exe	38
PID 3036 wrote to memory of 1564	3036	DEM53DA.exe	38
PID 1564 wrote to memory of 1952	1564	DEMA93A.exe	40
PID 1564 wrote to memory of 1952	1564	DEMA93A.exe	40
PID 1564 wrote to memory of 1952	1564	DEMA93A.exe	40
PID 1564 wrote to memory of 1952	1564	DEMA93A.exe	40
PID 1952 wrote to memory of 2472	1952	DEMFED8.exe	42
PID 1952 wrote to memory of 2472	1952	DEMFED8.exe	42
PID 1952 wrote to memory of 2472	1952	DEMFED8.exe	42
PID 1952 wrote to memory of 2472	1952	DEMFED8.exe	42

C:\Users\Admin\AppData\Local\Temp\ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\DEMA94A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA94A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\DEMFE7B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFE7B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\DEM53DA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM53DA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\DEMA93A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA93A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\DEMFED8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFED8.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\DEM5457.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5457.exe"
        7⤵
        Executes dropped EXE
        
        PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM53DA.exe

Filesize
15KB

MD5
a6580e6aac66c7d592b7558e15b924fc

SHA1
7dd0989c2debdaf3f44e4c88d829e0af435acd4c

SHA256
e0e9b1cb05ce4530691f0e3fb1c3a5e6c34ab4121ec3abc0f11ec2d2e787ddea

SHA512
32a264bc0d7736353ef429f7740527523e2699bc230543c91e338f3820f10bbfcfd71feefe5cecafd06d18dde7b62c157d6c42162e5deedab9ad247d372d7519

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE7B.exe

Filesize
15KB

MD5
c537cd87de2c87a646ed855ba89b96ff

SHA1
1089c697439d581db350dd63e90be7c8800c165d

SHA256
06280cf14ce21fd2a53b126fa5fb729e1e1a5435869601035256ed33980af710

SHA512
e94bf8e9c8da4737089cce69288c8fdf0da584c7b0874083ccb666276a49762d6e87911d92c26035fe380c1b1f6ca19bfa1c23e9618196c9d0fa066a0a0433a4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5457.exe

Filesize
15KB

MD5
0af902175255f5d4ddec0fff227b9615

SHA1
7bca9dce7b58a8b97c6702d8c857e7ab35d6e0f8

SHA256
e375f37fe281d9878ea078f1b00785429b4a5b2d81e6f0d8c8aba369fe602b0d

SHA512
587522e11c1dbafb598d04ef582e01bf2a0de3768e8ee2d97dc687019e8f41e053fce7ede7e7eeb0c9292c07003a55dfaf26f208ef06b40848579e10bebe920d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA93A.exe

Filesize
15KB

MD5
3b7d8ea50f0aa3707c6f4ca93b6962dd

SHA1
bf70d3403878c58e4a3ac49398b93e25d31e2621

SHA256
1b4f40981956e940e5cd02d364f59dc5eeb549677ea5256d4a11e00fe27ca526

SHA512
fe92b59273fc92fb19e27f0ec62ce19fce96a5dbbe894affe2c56abdb9ef1dd5a729ee64e3f1c8fefed3cd3dbe9d6b2a112d72fd5b7035e0907a2c03d3065821

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA94A.exe

Filesize
15KB

MD5
45cd71597c679154c9b8588b1328a202

SHA1
9d38d113cad0e51f8e455c8a7953c0ab544cf6ac

SHA256
1b9463c38a3a114d459b05297d60ead50a68127365a3a3948f9096d4e6744472

SHA512
c19d624c4bccb7492dc89993fc3c2dfd50e3034ed7182aa6a31d11156cde33248cf644e3cd58abaa193c2a6a08f616b11d739005cc557498264ba18f05f67002

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFED8.exe

Filesize
15KB

MD5
7cb11c0594b7b3614066d7530d02f5c2

SHA1
b2f614886ec19e2bf63a29bff0392801edfdeac8

SHA256
8e8d519df115f8b34e277fc2c5d2e1f73add1aa8acc59ce2e2dd9a84b953c52e

SHA512
bbd68894b6e4823a79fcd4f786627ec27e4a14ed66a68b8eb4e93df9ff343f78f3102cad29b0939d2369cc2602a059f2c7cd2adcb2bdb20f5891c5a1bbe86935

Download Submit

Analysis

Sharing