adacfbbc6327e0bd2b3fbff76df0c14889c626841a5523f6046892c683a2d5fb

General

Target

10a53986abe4219167be5645d9570ce9_JaffaCakes118.exe
Size

14KB
MD5

10a53986abe4219167be5645d9570ce9
SHA1

f03ce9277c137afa965d99d183948b7b1d510def
SHA256

adacfbbc6327e0bd2b3fbff76df0c14889c626841a5523f6046892c683a2d5fb
SHA512

52ac30033585bb9415015035e3b8ff4409195e2d85d5ea7dd9eaee2827815fa967a9bb4f1d430e04f120d0a570956a4d3065d6f72c073d88dd4ecf997353aa4b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh:hDXWipuE+K3/SSHgxT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2720	DEMDC4B.exe
2960	DEM318C.exe
2612	DEM86CC.exe
2280	DEMDC1C.exe
2716	DEM311E.exe
840	DEM866F.exe

Loads dropped DLL 6 IoCs

pid	Process
2024	10a53986abe4219167be5645d9570ce9_JaffaCakes118.exe
2720	DEMDC4B.exe
2960	DEM318C.exe
2612	DEM86CC.exe
2280	DEMDC1C.exe
2716	DEM311E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10a53986abe4219167be5645d9570ce9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDC4B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM318C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM86CC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDC1C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM311E.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2720	2024	10a53986abe4219167be5645d9570ce9_JaffaCakes118.exe	32
PID 2024 wrote to memory of 2720	2024	10a53986abe4219167be5645d9570ce9_JaffaCakes118.exe	32
PID 2024 wrote to memory of 2720	2024	10a53986abe4219167be5645d9570ce9_JaffaCakes118.exe	32
PID 2024 wrote to memory of 2720	2024	10a53986abe4219167be5645d9570ce9_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2960	2720	DEMDC4B.exe	34
PID 2720 wrote to memory of 2960	2720	DEMDC4B.exe	34
PID 2720 wrote to memory of 2960	2720	DEMDC4B.exe	34
PID 2720 wrote to memory of 2960	2720	DEMDC4B.exe	34
PID 2960 wrote to memory of 2612	2960	DEM318C.exe	36
PID 2960 wrote to memory of 2612	2960	DEM318C.exe	36
PID 2960 wrote to memory of 2612	2960	DEM318C.exe	36
PID 2960 wrote to memory of 2612	2960	DEM318C.exe	36
PID 2612 wrote to memory of 2280	2612	DEM86CC.exe	38
PID 2612 wrote to memory of 2280	2612	DEM86CC.exe	38
PID 2612 wrote to memory of 2280	2612	DEM86CC.exe	38
PID 2612 wrote to memory of 2280	2612	DEM86CC.exe	38
PID 2280 wrote to memory of 2716	2280	DEMDC1C.exe	41
PID 2280 wrote to memory of 2716	2280	DEMDC1C.exe	41
PID 2280 wrote to memory of 2716	2280	DEMDC1C.exe	41
PID 2280 wrote to memory of 2716	2280	DEMDC1C.exe	41
PID 2716 wrote to memory of 840	2716	DEM311E.exe	43
PID 2716 wrote to memory of 840	2716	DEM311E.exe	43
PID 2716 wrote to memory of 840	2716	DEM311E.exe	43
PID 2716 wrote to memory of 840	2716	DEM311E.exe	43

C:\Users\Admin\AppData\Local\Temp\10a53986abe4219167be5645d9570ce9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10a53986abe4219167be5645d9570ce9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\DEMDC4B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMDC4B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\DEM318C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM318C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\DEM86CC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM86CC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Users\Admin\AppData\Local\Temp\DEMDC1C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC1C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Users\Admin\AppData\Local\Temp\DEM311E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM311E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\DEM866F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM866F.exe"
        7⤵
        Executes dropped EXE
        
        PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM318C.exe

Filesize
14KB

MD5
fa119b715ea0ae9a15645212330651d1

SHA1
133042e6dbe5ee9ab59d69b5002be7f430b2b59e

SHA256
73cb806784f295f9b28b1c4b0a9b218e07eeb98cdfc107cca213cbbfcb69ccad

SHA512
8b69b4445991659e17937caef8ec8bd9bde21eaedb17821004d354dbd5d98b3d9451ab0beb1363a55503cf1ee9cfc072642fab90bd5d11b50d2ee075be288dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM866F.exe

Filesize
14KB

MD5
bdb7ecaf4c1f907d31ab9b557ef6c84b

SHA1
8c0e97505604194bcfbe6306f8751ccbf1a443bc

SHA256
ac7f32aae975069024d9fb6ee283ede127082b639d4a555b62fbb50a87cedb30

SHA512
82f14c2f7f4a989df84dda3cba4cc7563ed2c37e837861e8a4814bd8b07d2aa2c87a24c4ee75bebf93a7a3e528f90a9cd02cd75cacc589b2a951c539910f3fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC4B.exe

Filesize
14KB

MD5
16d68ce1e6467a4dfdbaa672594fc2e4

SHA1
c66057cb4e9c2a7f7892678493f63c22d87275b1

SHA256
09c518815e8d4fe70032f29787519928626e7a9a64d8976fec01cc2fd16ffeef

SHA512
9db64fd8ed2219685feb8b169e8b864755cb03885787080839b4098593816e51d4bf440762e5593c7e7d41ff37e0aa215ed9b1f351bde26c74eebd6847a594f7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM311E.exe

Filesize
14KB

MD5
8504d2083f2298a2038bd55e8482c56c

SHA1
afb8bd143f7f05ce2999ff3e6abede0e80065a55

SHA256
64b5e873cd232c0698887823e6bb6007a3c31545f649670b4c0a7a77d3f3fd4b

SHA512
ca73be29d7c394a750b6065dd9e805c4a4f602f6048bf2152ec63a184cda5d1dc7255c1e3a8cf78db55d909d8405b832d8c91c43adf009e65dee20725fefde2e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM86CC.exe

Filesize
14KB

MD5
b218301101c07609ca79093a885bd9f5

SHA1
b5806593a597e9eddf4fb1564096140bba353542

SHA256
351a58fdb3c6ae3215f8a1deb6995eb5f51065a2dd03e0dec700c93e4fd450fc

SHA512
60f7a718840eb1bc9d32783ac5d90e3c8491f6c9bb3bb1959db6c3960139bf829d741c09543162c238bb9d9286c575a94f8915359a8afe7f1d6ec6c0fb09418e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDC1C.exe

Filesize
14KB

MD5
dabaf3d8000448c46318e192c801201f

SHA1
ad20a0d7e14e3c5fb3a0d0f48ea519fa6764b523

SHA256
df2af67845e737240aaa9e86899a3a1039bea9b8d96a7f51a3763f4315256d1c

SHA512
6c8d2753353d81a3971315d5ae8fcd8f4707a88e0abded44162220a56dccab7809b12d6567bf1171d74ec00e2db8e1170c18939c37101697af6f4b4a3635b516

Download Submit

Analysis

Sharing