e39fad7d5cf0cb5addf715e73253bc8d5e45dd68cf50a720b80cf9bd524801ac

General

Target

f603cbd332ba99efa547948f39c63825_JaffaCakes118.exe
Size

14KB
MD5

f603cbd332ba99efa547948f39c63825
SHA1

4040a5778c72d7ed19f1baadd6f3a4e47314f43b
SHA256

e39fad7d5cf0cb5addf715e73253bc8d5e45dd68cf50a720b80cf9bd524801ac
SHA512

1264cb317faa3867d24827066e4e14d8c7097b56a18386e6ab5e65ee34feb7476306fa4d383a01d72166e41b8d199c8299f3f0b34d19728b5dcac962ec984971
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJG6:hDXWipuE+K3/SSHgxmw6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2876	DEMADA.exe
2612	DEM601A.exe
2360	DEMB52C.exe
1004	DEMA6C.exe
1792	DEM5FCC.exe
2608	DEMB50D.exe

Loads dropped DLL 6 IoCs

pid	Process
3028	f603cbd332ba99efa547948f39c63825_JaffaCakes118.exe
2876	DEMADA.exe
2612	DEM601A.exe
2360	DEMB52C.exe
1004	DEMA6C.exe
1792	DEM5FCC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f603cbd332ba99efa547948f39c63825_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMADA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM601A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB52C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA6C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5FCC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2876	3028	f603cbd332ba99efa547948f39c63825_JaffaCakes118.exe	31
PID 3028 wrote to memory of 2876	3028	f603cbd332ba99efa547948f39c63825_JaffaCakes118.exe	31
PID 3028 wrote to memory of 2876	3028	f603cbd332ba99efa547948f39c63825_JaffaCakes118.exe	31
PID 3028 wrote to memory of 2876	3028	f603cbd332ba99efa547948f39c63825_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2612	2876	DEMADA.exe	33
PID 2876 wrote to memory of 2612	2876	DEMADA.exe	33
PID 2876 wrote to memory of 2612	2876	DEMADA.exe	33
PID 2876 wrote to memory of 2612	2876	DEMADA.exe	33
PID 2612 wrote to memory of 2360	2612	DEM601A.exe	35
PID 2612 wrote to memory of 2360	2612	DEM601A.exe	35
PID 2612 wrote to memory of 2360	2612	DEM601A.exe	35
PID 2612 wrote to memory of 2360	2612	DEM601A.exe	35
PID 2360 wrote to memory of 1004	2360	DEMB52C.exe	38
PID 2360 wrote to memory of 1004	2360	DEMB52C.exe	38
PID 2360 wrote to memory of 1004	2360	DEMB52C.exe	38
PID 2360 wrote to memory of 1004	2360	DEMB52C.exe	38
PID 1004 wrote to memory of 1792	1004	DEMA6C.exe	40
PID 1004 wrote to memory of 1792	1004	DEMA6C.exe	40
PID 1004 wrote to memory of 1792	1004	DEMA6C.exe	40
PID 1004 wrote to memory of 1792	1004	DEMA6C.exe	40
PID 1792 wrote to memory of 2608	1792	DEM5FCC.exe	42
PID 1792 wrote to memory of 2608	1792	DEM5FCC.exe	42
PID 1792 wrote to memory of 2608	1792	DEM5FCC.exe	42
PID 1792 wrote to memory of 2608	1792	DEM5FCC.exe	42

C:\Users\Admin\AppData\Local\Temp\f603cbd332ba99efa547948f39c63825_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f603cbd332ba99efa547948f39c63825_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\DEMADA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMADA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\DEM601A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM601A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\DEMB52C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB52C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\DEMA6C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA6C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Users\Admin\AppData\Local\Temp\DEM5FCC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5FCC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\DEMB50D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB50D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM601A.exe

Filesize
14KB

MD5
4edd2fba60fd1f68a3f69fba86232579

SHA1
f387e0dad0c44713818e2666a86a34f1033229b2

SHA256
05b36c407511ba37e162d63a3691346929e43e9ce0f8fc9ce27be5054a0138b8

SHA512
9c8816d2a4918794ae2ac8d598818f86f49fb2f4c9732c63752f1f8d44d808322b2c7343bd586ad00b9b128cfa6d7c2e2d23d3f94ad25ab50a790096b407fd66

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5FCC.exe

Filesize
14KB

MD5
7cd0bceac69c08de3c6b21fe2b2e2fda

SHA1
d83976f8a1efbdce10067ba19061c4fd23c6619e

SHA256
d6d9b55ab3e4f168c81191f9fa606502efa63028348fd99c1737f3737ea8db12

SHA512
4e692a726f77fb139a5afb6625f19a9cce7a9607e952ca690efcb45a20c786c70a39fc1a222752ee3d4ab40468cbaf743845651e305e9beaa408d125923e2841

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA6C.exe

Filesize
14KB

MD5
fbddeaf0e94a04b684a099d652a1175d

SHA1
536389a16abb21ecf68752baeee95800391f5f74

SHA256
4df8bb9a2d1acadc0745630a7dfcce9aac325c4f7a3b1767f8c81fade625c026

SHA512
eea2e3f864066ec912f6962ca34e66721fa35d6593c24b0d87eebbdaab91f7881fd57395304ff75e2212a78ca596d06ef2f94d2a043374f925f2ad53deae7236

Download Submit
\Users\Admin\AppData\Local\Temp\DEMADA.exe

Filesize
14KB

MD5
8d90498329d74b53d034129f08a2024d

SHA1
9f3daad6c68a4dfdf9ea7ef46de8a156b4fd56ca

SHA256
71839e5543053531f9e0ed4847c5c0c02adcf98d3739544f70ba8374d9d09066

SHA512
8c117063f4c8514ed20a3e61cd3a06f533d1cdf079ef8a98f4af70ff4716a2fa3cb515826d96e70c6c160123a483efb1638b8c7a8d5db61624368d1a8d4f8c63

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB50D.exe

Filesize
14KB

MD5
6f9312bf098d0b820672d4d21e0a88a9

SHA1
b411874f8e1616180f90eddeea81cc164aff7509

SHA256
b5298a523bffae7c0db6345f994f02ae2f390a126229406ceffcacfead7508ae

SHA512
2ee372a5dd5779ee8ced3c43b8e2addd115c7bcbd01f6aa8bce67218e603508881a4cb4fd174006f7430f09857e8ee6968818c53585b5eb3d309332375223e63

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB52C.exe

Filesize
14KB

MD5
921fa1050de705a56a625e32fb8bab1c

SHA1
c8f05d1199c189b2a37cfb4e34890240e493fc1e

SHA256
aeedbcac6306e48a26467db443b112d8d08121152343e553f21efc80dea71063

SHA512
60249b8cbcc334db7e9826dee5b3dec28e010831ae09654657f88fb60f79df4ff2b50ef50ecbc5d03b5d7c6346ed8d3070a98057ccf4b2b893016966975fdd57

Download Submit

Analysis

Sharing