97c393ef2044de3ffcdbde4dadf3ed916510c22a98004f361c25494ace4f0f66

General

Target

04888e51688f4632e40bab6741f61020_JaffaCakes118.exe
Size

14KB
MD5

04888e51688f4632e40bab6741f61020
SHA1

64967a6dc97ba5e4bddbadecbaafc5e28fb7a52f
SHA256

97c393ef2044de3ffcdbde4dadf3ed916510c22a98004f361c25494ace4f0f66
SHA512

4163d2b9f56a5b84f64b88a6421752388111f2acd4cc7e3da38e15986ac74de166875bac543c845dba7ff9303ae8a319f1d2ad992500cbc252e7113a6f19b7f1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyOQF:hDXWipuE+K3/SSHgxmyOQF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
632	DEMCD8C.exe
2928	DEM22BD.exe
1292	DEM78E7.exe
2424	DEMCE76.exe
2988	DEM23F5.exe
804	DEM7955.exe

Loads dropped DLL 6 IoCs

pid	Process
2332	04888e51688f4632e40bab6741f61020_JaffaCakes118.exe
632	DEMCD8C.exe
2928	DEM22BD.exe
1292	DEM78E7.exe
2424	DEMCE76.exe
2988	DEM23F5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM22BD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM23F5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04888e51688f4632e40bab6741f61020_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 632	2332	04888e51688f4632e40bab6741f61020_JaffaCakes118.exe	32
PID 2332 wrote to memory of 632	2332	04888e51688f4632e40bab6741f61020_JaffaCakes118.exe	32
PID 2332 wrote to memory of 632	2332	04888e51688f4632e40bab6741f61020_JaffaCakes118.exe	32
PID 2332 wrote to memory of 632	2332	04888e51688f4632e40bab6741f61020_JaffaCakes118.exe	32
PID 632 wrote to memory of 2928	632	DEMCD8C.exe	34
PID 632 wrote to memory of 2928	632	DEMCD8C.exe	34
PID 632 wrote to memory of 2928	632	DEMCD8C.exe	34
PID 632 wrote to memory of 2928	632	DEMCD8C.exe	34
PID 2928 wrote to memory of 1292	2928	DEM22BD.exe	36
PID 2928 wrote to memory of 1292	2928	DEM22BD.exe	36
PID 2928 wrote to memory of 1292	2928	DEM22BD.exe	36
PID 2928 wrote to memory of 1292	2928	DEM22BD.exe	36
PID 1292 wrote to memory of 2424	1292	DEM78E7.exe	38
PID 1292 wrote to memory of 2424	1292	DEM78E7.exe	38
PID 1292 wrote to memory of 2424	1292	DEM78E7.exe	38
PID 1292 wrote to memory of 2424	1292	DEM78E7.exe	38
PID 2424 wrote to memory of 2988	2424	DEMCE76.exe	41
PID 2424 wrote to memory of 2988	2424	DEMCE76.exe	41
PID 2424 wrote to memory of 2988	2424	DEMCE76.exe	41
PID 2424 wrote to memory of 2988	2424	DEMCE76.exe	41
PID 2988 wrote to memory of 804	2988	DEM23F5.exe	43
PID 2988 wrote to memory of 804	2988	DEM23F5.exe	43
PID 2988 wrote to memory of 804	2988	DEM23F5.exe	43
PID 2988 wrote to memory of 804	2988	DEM23F5.exe	43

C:\Users\Admin\AppData\Local\Temp\04888e51688f4632e40bab6741f61020_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04888e51688f4632e40bab6741f61020_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\DEMCD8C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCD8C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\DEM22BD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM22BD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\DEM78E7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM78E7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\DEM23F5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM23F5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\DEM7955.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7955.exe"
        7⤵
        Executes dropped EXE
        
        PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM22BD.exe

Filesize
14KB

MD5
fbf25e259a8d8819a90dd3e56b270618

SHA1
89f65be1c2787c38b602e5f05bf5f3578dad720a

SHA256
e239c37494fbbaa440fc9c55dda3c2d98a072734624ff659cf9b32feac7bf589

SHA512
1cf826cfb006ed4a57ead891bcacde9808863e9a68ab88dc436a13b4f857d7e7ac84e90ccaa4f315bb94c01c92ae4b1bb69077a71327a3fbdb1f1014afc53ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM23F5.exe

Filesize
14KB

MD5
ac2983976ca73536d4b0b8a25eef3c04

SHA1
062af0a95e701cf28981d01495ff7b4b0b1d8643

SHA256
a6574de33e2fe2bd6c2192975fde29e5aab353c0b32c87a071e5b778f2a8224f

SHA512
b7ab17b23820a6ce9cb80d9a4b8605648fb28cb34c6af69aedecf12b94f495ed5cf73a8e001ff2e24889904f490436604df3177037429abe2ae37c7891efeb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7955.exe

Filesize
14KB

MD5
019a44e625e6d3d034143dd514722957

SHA1
5bff28136f011bd3ccb6f0b7401cbec66ade628e

SHA256
b20699d0fd6ee14db93e2c4aaeb2b82c107087487f05d2f4a901c8292d8b6ddb

SHA512
bebc1bd036893be80b2af47f203a406c4668130fd1a76bb13c9cca46ede523340fca850db934bdaae127bcaffde18cd1483fc247fc8cc61a49d456ccb7c63ec4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM78E7.exe

Filesize
14KB

MD5
bf0a8bd17d927f7684bf76c19cc6b8ae

SHA1
a292dbb6107eab8c9724033370919441a4071f67

SHA256
1bb13d21f0df52bb6a92eaeaa24d884bea60690a87feea4c645a9d58893f65ab

SHA512
6ca258063999e97de925f7d93455a7d0172cda30832c8f7babf08b19a03f5e04fd08457617ca77d1ae4ab7facd989f1cc7cfc6d52603ec960eed63742c83b683

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCD8C.exe

Filesize
14KB

MD5
a4cdeda7411ab0b32c691cf4a36ff93d

SHA1
2eb30931bbe5030aec9866ed35bc55b5cf536fa9

SHA256
060e67af75c0da327896af0d9f2e0393acbfeed9fbf262c6faaacf3803aa57bd

SHA512
8eb94adf06317ee2eb087772550baac8a17f1b23ae8654fcffd31b3a209e017af7a9fad6d7f5a93abf43df8952183a7ef9181be58b7834f8e853e85e84312c01

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCE76.exe

Filesize
14KB

MD5
44f6204ffcdd01ce4a258ca05dd3830f

SHA1
f52e861a5ed3f9c9896012d8e9b5635b1c9a76a6

SHA256
d6effd8bfd784ebc0baa0f6113f00f2a5e779898749355777a4f82ba856eba6e

SHA512
5735944fbd641831a765ce3fd9f6c37ea378e7730e19663ec3f3175600509e1b4d7657c76eb835c87e564866ac237a8b326734b692e187d40cf83cd6c4783791

Download Submit

Analysis

Sharing