dd882c2385e3729dcb1aa4cc78826274e8edb4d7e7b2aea3d316f9079091a3d2

General

Target

0b93e4be58600ec559beb4526210af52_JaffaCakes118.exe
Size

14KB
MD5

0b93e4be58600ec559beb4526210af52
SHA1

78f15f3063e7283e3ab264bd1d452fc0466cdd8d
SHA256

dd882c2385e3729dcb1aa4cc78826274e8edb4d7e7b2aea3d316f9079091a3d2
SHA512

99fd2335dcf93ccf933eb6eea0d6c79e563766f66c3f02e32c73434276f12deb0672db37bea806fbee9b5fd5607a13d2057905055f97ce80f537d4b5a9c9a6ad
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYW:hDXWipuE+K3/SSHgxmW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1980	DEM88FE.exe
2648	DEMDE00.exe
2664	DEM3302.exe
856	DEM87E5.exe
2280	DEMDE01.exe
848	DEM3360.exe

Loads dropped DLL 6 IoCs

pid	Process
2384	0b93e4be58600ec559beb4526210af52_JaffaCakes118.exe
1980	DEM88FE.exe
2648	DEMDE00.exe
2664	DEM3302.exe
856	DEM87E5.exe
2280	DEMDE01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3302.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM87E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b93e4be58600ec559beb4526210af52_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM88FE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE00.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1980	2384	0b93e4be58600ec559beb4526210af52_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1980	2384	0b93e4be58600ec559beb4526210af52_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1980	2384	0b93e4be58600ec559beb4526210af52_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1980	2384	0b93e4be58600ec559beb4526210af52_JaffaCakes118.exe	31
PID 1980 wrote to memory of 2648	1980	DEM88FE.exe	33
PID 1980 wrote to memory of 2648	1980	DEM88FE.exe	33
PID 1980 wrote to memory of 2648	1980	DEM88FE.exe	33
PID 1980 wrote to memory of 2648	1980	DEM88FE.exe	33
PID 2648 wrote to memory of 2664	2648	DEMDE00.exe	35
PID 2648 wrote to memory of 2664	2648	DEMDE00.exe	35
PID 2648 wrote to memory of 2664	2648	DEMDE00.exe	35
PID 2648 wrote to memory of 2664	2648	DEMDE00.exe	35
PID 2664 wrote to memory of 856	2664	DEM3302.exe	37
PID 2664 wrote to memory of 856	2664	DEM3302.exe	37
PID 2664 wrote to memory of 856	2664	DEM3302.exe	37
PID 2664 wrote to memory of 856	2664	DEM3302.exe	37
PID 856 wrote to memory of 2280	856	DEM87E5.exe	39
PID 856 wrote to memory of 2280	856	DEM87E5.exe	39
PID 856 wrote to memory of 2280	856	DEM87E5.exe	39
PID 856 wrote to memory of 2280	856	DEM87E5.exe	39
PID 2280 wrote to memory of 848	2280	DEMDE01.exe	41
PID 2280 wrote to memory of 848	2280	DEMDE01.exe	41
PID 2280 wrote to memory of 848	2280	DEMDE01.exe	41
PID 2280 wrote to memory of 848	2280	DEMDE01.exe	41

C:\Users\Admin\AppData\Local\Temp\0b93e4be58600ec559beb4526210af52_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b93e4be58600ec559beb4526210af52_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\DEM88FE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM88FE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\DEMDE00.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDE00.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\DEM3302.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3302.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\DEM87E5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM87E5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Users\Admin\AppData\Local\Temp\DEMDE01.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDE01.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\DEM3360.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3360.exe"
        7⤵
        Executes dropped EXE
        
        PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3302.exe

Filesize
14KB

MD5
78e1f9540884ba2f955198a960a67dd7

SHA1
e9d16255dbf4b42165f31e7731a81a5889465c25

SHA256
e819ed404a9c2212d995465626e531acc5506ebdc838d33303e703676083d875

SHA512
1e1a99ffbdf265949516667dd22d750f72f714d8b6e9a16e07da90eb5cab26b80b7ceb740c998bc94369fc343ae5f33d8325cf3b3c2e7a01c43e8a07161cb645

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3360.exe

Filesize
14KB

MD5
20baa272c50693270005ae858e74a626

SHA1
b83be6ba7798da992ade1a3f74361dc5969219ce

SHA256
1d7e1f8e885481f43a16628092556b67dd80b6cf68a1721743a0d658a1a3ce32

SHA512
d5a8757aac5a1f918547d0bc91936c6cd37506d30c6d1b782b64cf0529cb46cbde0d3b7b03deb3b316160ebaff52a6ee85ef53f9df39840d64b6327ad7e8d2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM87E5.exe

Filesize
14KB

MD5
8dfc27ee9b23e303708f5bbf78b1b21b

SHA1
e401d746709b39701ac3a406848c393eb7e71829

SHA256
197a1a4721f9c4123f1e9f0ffa433e8428f5d77be29e3d16c9c44e52ba04ea3c

SHA512
ce63f03ec2940ba1638b26f843553e441d368894965cddd7f465386443813ab8c79762cd6ee22fe59823b9c6daeb22abbaf6f1fd57cc52f9799a089d3ab30702

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM88FE.exe

Filesize
14KB

MD5
95ef9f38249a3befeb57d407bda8a907

SHA1
07493d3a3266c72ed1e735da9e740db5b4c2c564

SHA256
cb7a90af6079671d9904273b83b2c541aa43decbee5c2aef003f9bbde01d1183

SHA512
712664702f112c107d6126522e9fdf20de86c72c0d1885b2c65bfca10ebae058312dd3b82ffb81a0af0b3409d64896990702d1230446abba8b4fb197b680201d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE00.exe

Filesize
14KB

MD5
f825abd316a77d5fd3d1f566f6690128

SHA1
40458a28290568a9bfd0c0f93b4cd5232bb21fc1

SHA256
23a8b13d9e43d585848697b9a47585da9e0f2d3d8e97be4f5ef27e87103a4215

SHA512
aaf6674ec7530f3405ce0f5f7b95e9bc0df8779566adf583566aaed447157b7325e6f0178d94d5f200c99bb32b5b342c9a83c0c35a6586bf8669f9cec11e5ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE01.exe

Filesize
14KB

MD5
a881544cc6792fb837776bbfe7c1a7e6

SHA1
903db2c2940f9ebdf99f8bf309f257b79d5da33e

SHA256
b08dd246153c8293cb343bdc3a60127c541489dec2720db9c2134a2bf77638a0

SHA512
d169b8c1f6fe858d21611f89091f17187ba9bf43dcddb9a44708230ceb266245bfb5f4b9eb6adca2c46c44959656c10d35f68d1271e33d974ea8c709db8f346b

Download Submit

Analysis

Sharing