5a861a44030c9655c1cefb4038f12373fb827b575bb24a3a67edd9b153ab7f3b

General

Target

09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe
Size

14KB
MD5

09a5384ab701ea41c20b218e6356d5c2
SHA1

c42c2ad956f5d7703dac83107ea7511e5c6c20e8
SHA256

5a861a44030c9655c1cefb4038f12373fb827b575bb24a3a67edd9b153ab7f3b
SHA512

3a47ddb8184f92ae9e491f430cf8fa7eb0132187a276eac9d9c9f0ef3b036323b19849f9c8874c445099094d981af5cc31514d01bc69f3de3c6c66cb40ed6f8a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZU:hDXWipuE+K3/SSHgx3U

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2924	DEMCE47.exe
2716	DEM257B.exe
3008	DEM7B48.exe
2280	DEMD20E.exe
1860	DEM2839.exe
2116	DEM7E73.exe

Loads dropped DLL 6 IoCs

pid	Process
1348	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe
2924	DEMCE47.exe
2716	DEM257B.exe
3008	DEM7B48.exe
2280	DEMD20E.exe
1860	DEM2839.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM257B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7B48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD20E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2839.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2924	1348	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2924	1348	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2924	1348	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2924	1348	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2716	2924	DEMCE47.exe	33
PID 2924 wrote to memory of 2716	2924	DEMCE47.exe	33
PID 2924 wrote to memory of 2716	2924	DEMCE47.exe	33
PID 2924 wrote to memory of 2716	2924	DEMCE47.exe	33
PID 2716 wrote to memory of 3008	2716	DEM257B.exe	35
PID 2716 wrote to memory of 3008	2716	DEM257B.exe	35
PID 2716 wrote to memory of 3008	2716	DEM257B.exe	35
PID 2716 wrote to memory of 3008	2716	DEM257B.exe	35
PID 3008 wrote to memory of 2280	3008	DEM7B48.exe	37
PID 3008 wrote to memory of 2280	3008	DEM7B48.exe	37
PID 3008 wrote to memory of 2280	3008	DEM7B48.exe	37
PID 3008 wrote to memory of 2280	3008	DEM7B48.exe	37
PID 2280 wrote to memory of 1860	2280	DEMD20E.exe	39
PID 2280 wrote to memory of 1860	2280	DEMD20E.exe	39
PID 2280 wrote to memory of 1860	2280	DEMD20E.exe	39
PID 2280 wrote to memory of 1860	2280	DEMD20E.exe	39
PID 1860 wrote to memory of 2116	1860	DEM2839.exe	41
PID 1860 wrote to memory of 2116	1860	DEM2839.exe	41
PID 1860 wrote to memory of 2116	1860	DEM2839.exe	41
PID 1860 wrote to memory of 2116	1860	DEM2839.exe	41

C:\Users\Admin\AppData\Local\Temp\09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\DEMCE47.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCE47.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\DEM257B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM257B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\DEM7B48.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7B48.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\DEMD20E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD20E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Users\Admin\AppData\Local\Temp\DEM2839.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2839.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\DEM7E73.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7E73.exe"
        7⤵
        Executes dropped EXE
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM257B.exe

Filesize
14KB

MD5
23585434646cb73648dcb930f5d99c89

SHA1
cdec141c80df25ce376fb90f6de4340afd3922a4

SHA256
696d56ef7379422b13a9f664101aa8499de365464822ec16e2fb3b73fbcaa26a

SHA512
75411d6a3d51ca4640df0ca5acbbd983cad3aa59ff5d7f660b84e3a15cf3dd24473b74b11e2598ee015a2e69e2c5bc9ae7716c767b9d34e6cb932acbb47487c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2839.exe

Filesize
14KB

MD5
759c08e864648b7743b661872ba1d032

SHA1
31c742c31bb30986d08a6a2a413b43e8cc617817

SHA256
33fa7745de0a4dc9d23608e6397bdaa68b6158d03363c133ab960be9db2b51f7

SHA512
b0060ff390747024aa801c0396c51e862bc570b7f67cca6b090d55408aa23528b127f9f822dee0edd66be2c719789532e5eacac585d5f6686a206b7ff1dcc3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B48.exe

Filesize
14KB

MD5
c2c7dd96c5c64969da65ca6300ac3f39

SHA1
9376f3128253b1193731b0d6df3a34660034474c

SHA256
30a6d8d543e1e95b10bc0aca185a028e5e0a339b0702866de69dad80da4d299d

SHA512
9ffd5bbaf13516fda2e37922741a2f7a4acde6e920b4cf9341be4a3b6bf490e6a0ffce547e1779d97b07d28208ae86d1177405947f16270f27c932cdf6bf8e9a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7E73.exe

Filesize
14KB

MD5
8260006f38050edef755fba5b726f07f

SHA1
20d06c2d6bab01efaaa71d94f81ba269ba91616d

SHA256
b98da43da8229844f11169c7e286157d32c23f7ec5592103e1413cda0e78014e

SHA512
3bc1097d3654394ef7b2b1a41090cdf1a9816c8fa9664b4b889e124ed2e56a9bcb294f979b2392e0a8bbb167f366675e87c9befb2b652abf67005c0999aa97a7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCE47.exe

Filesize
14KB

MD5
fd6474b3fcd0500971aea39d55a6f2ed

SHA1
247a26c24ab0c0dda433698f9197ef39c006c9f2

SHA256
f29bc4a4c08b713d172d74811120df3d1cbe66f8fcef34b979a39e6a291a3082

SHA512
e84b49d24cbe8690f478367748cd4608dd93309a86e60484336feff419926f5275c9d705095cc71e8a7447da822a4d2d3ec819baf34eba0315e73d053aef9cb4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD20E.exe

Filesize
14KB

MD5
e60b7e1e7d36a2569bd89cbd2a5d93da

SHA1
b6cc9c423a3650aa957c157a24ad113e375491d9

SHA256
4665ca5b4aefe84662cb36f5ff80527e196381491b2734aedfc96d45dc908024

SHA512
6fe9dc54d97a52bafcb19f08ac3bc97290a8b41752c6908704363f191ce5847cf6624f32e37cb320bf6be02bfda6fc64466264e1e13c8723a699ec552cde033b

Download Submit

Analysis

Sharing