c8cf450e8ca86adf749fbe06cecfb54212af7c70559be622f64401da093bcf69

General

Target

bc67597d9e4ca5332ae4a680ba1c5954_JaffaCakes118.exe
Size

14KB
MD5

bc67597d9e4ca5332ae4a680ba1c5954
SHA1

18e0a1c34bc90751c6ca4fccbb9f7ee2baf3661e
SHA256

c8cf450e8ca86adf749fbe06cecfb54212af7c70559be622f64401da093bcf69
SHA512

a620ca7f03701eebd3e07a41415e703c23ec6d70862e61ebb62ee54fc84b8002e24fd3718ca659b5317010c9c60a144c3b6b4e00aba155dc5320afccbdfa6577
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY414:hDXWipuE+K3/SSHgxmy4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2328	DEM88EE.exe
2824	DEMDE1F.exe
2696	DEM33CD.exe
2096	DEM88DF.exe
2168	DEMDDD1.exe
3012	DEM3312.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	bc67597d9e4ca5332ae4a680ba1c5954_JaffaCakes118.exe
2328	DEM88EE.exe
2824	DEMDE1F.exe
2696	DEM33CD.exe
2096	DEM88DF.exe
2168	DEMDDD1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc67597d9e4ca5332ae4a680ba1c5954_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM88EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE1F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM33CD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM88DF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDDD1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2328	2528	bc67597d9e4ca5332ae4a680ba1c5954_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2328	2528	bc67597d9e4ca5332ae4a680ba1c5954_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2328	2528	bc67597d9e4ca5332ae4a680ba1c5954_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2328	2528	bc67597d9e4ca5332ae4a680ba1c5954_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2824	2328	DEM88EE.exe	32
PID 2328 wrote to memory of 2824	2328	DEM88EE.exe	32
PID 2328 wrote to memory of 2824	2328	DEM88EE.exe	32
PID 2328 wrote to memory of 2824	2328	DEM88EE.exe	32
PID 2824 wrote to memory of 2696	2824	DEMDE1F.exe	34
PID 2824 wrote to memory of 2696	2824	DEMDE1F.exe	34
PID 2824 wrote to memory of 2696	2824	DEMDE1F.exe	34
PID 2824 wrote to memory of 2696	2824	DEMDE1F.exe	34
PID 2696 wrote to memory of 2096	2696	DEM33CD.exe	36
PID 2696 wrote to memory of 2096	2696	DEM33CD.exe	36
PID 2696 wrote to memory of 2096	2696	DEM33CD.exe	36
PID 2696 wrote to memory of 2096	2696	DEM33CD.exe	36
PID 2096 wrote to memory of 2168	2096	DEM88DF.exe	38
PID 2096 wrote to memory of 2168	2096	DEM88DF.exe	38
PID 2096 wrote to memory of 2168	2096	DEM88DF.exe	38
PID 2096 wrote to memory of 2168	2096	DEM88DF.exe	38
PID 2168 wrote to memory of 3012	2168	DEMDDD1.exe	40
PID 2168 wrote to memory of 3012	2168	DEMDDD1.exe	40
PID 2168 wrote to memory of 3012	2168	DEMDDD1.exe	40
PID 2168 wrote to memory of 3012	2168	DEMDDD1.exe	40

C:\Users\Admin\AppData\Local\Temp\bc67597d9e4ca5332ae4a680ba1c5954_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc67597d9e4ca5332ae4a680ba1c5954_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\DEM88EE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM88EE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\DEMDE1F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDE1F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\DEM33CD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM33CD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\DEM88DF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM88DF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\DEMDDD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDDD1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\DEM3312.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3312.exe"
        7⤵
        Executes dropped EXE
        
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM33CD.exe

Filesize
14KB

MD5
37ad82e47365d57f5896cc9174cff3b9

SHA1
16fe030e7095396c0c67c1a918d1993b3b65c7dd

SHA256
433a98da3f3647e8827273138784945bd3336923086ec00d21a0ed0ee9c9df64

SHA512
f0ad6965e407479227a334daafce4d837090c44c7c73e1e8954158f406dc901845c5f783e46c6ae1b093940ed3d9f61efdec0393b0830d5659a730b8bcfda74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM88DF.exe

Filesize
15KB

MD5
ac38dd55c5779f8d4b4daf6c98493870

SHA1
52f3791913d406e57be96aca9dd45fe16516d030

SHA256
5bc929493a391c8aeac7fc805b8df123978fb96856f2ab8737002fff094ad37e

SHA512
221e71945338967433d6b85d6172173ab02afc0c4d01a1999e9455084410fd2e868c9449736906ede4ba89b2ffe16c8cc46de532ec013d5e7b887c927c439f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM88EE.exe

Filesize
14KB

MD5
bbf9eadc1ea9ddb7ec6e7af84d238a89

SHA1
51125661c9a2bc04f7dfa629a3d75216c45f345d

SHA256
1bd051a01fc417a4aece99fe1daec8d3110537b013c628185f2d5fcbf6ba5f57

SHA512
1a04dbfe3252d0b28f5da2e500b4e0fe60bf80227310716b5f7041457eb268ce8f947ec317b3dd1606595d4896eb080d397573ae16ece39e6998d08648753562

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE1F.exe

Filesize
14KB

MD5
c091be6f6b4e78456c334f6bbd6344ad

SHA1
634e27f4dac057c2163becf4067c01397f6db076

SHA256
8cb37532fe7962781599530c3daf983a2b2f793abd76073df7666a83769fb1ad

SHA512
788231cc43ebe0026a38b6490e45328af78359da74c6a855a84070fca76f8828231feed00799386dbd2e259b03435eaa929f2264de1dcc63e24f83144a564842

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3312.exe

Filesize
15KB

MD5
3bbe1373ee49f355ec34bdbe71cbe753

SHA1
0ddaa0bc1f23a754fc6a3b0cd1560efbba18b237

SHA256
bb9f591e5ba1558a0f127f190d5a9b3d4f921cad4daa2ef1991cf1a6812ba3fc

SHA512
235d95ae82a984a07c2138bf9c38c87e5e78bcf03e3e8fd044811c3d75ac6670b8e8dacc5c95c68a825bd3b9017a4e32a9488b882b1d8508dc2ff8c53f8fb6ae

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDDD1.exe

Filesize
15KB

MD5
5d1e7e2409272cb8a359c339f362a078

SHA1
9e5ba0674fa75b1738601462af085d65b978da28

SHA256
29c54411b6a43b8ccd2165e76587feda4e49659fa7b82f7ff63e9ba4d8a3efaa

SHA512
a9adbb6477f225b6f899a7ea17e5f69f3c075283d27a9286111ae3ff08ea9c8e95095f670c837795a58cf2a8b45af9235d727a049f98356027c5d1b6f605532e

Download Submit

Analysis

Sharing