1e6aa573c08c3e33f848576d62f99387fb8d23902530c40ed946a6e363f21445

General

Target

15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe
Size

14KB
MD5

15dcdae961d3953948845deb0e8bfcbe
SHA1

9fd7b608fd42fd504556828bec00b42956c9a845
SHA256

1e6aa573c08c3e33f848576d62f99387fb8d23902530c40ed946a6e363f21445
SHA512

b39b31022593e88d934ae42f4b769de317d8a3f27c20fcd8342eecc6a826ea5cd2682e485a0f29df2687bc4a34572ea0ec17d65bbf7ef0686c547dbbeee7edad
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYqNG:hDXWipuE+K3/SSHgxmqY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1804	DEMA93A.exe
2856	DEMFF74.exe
3036	DEM54E4.exe
1304	DEMAAFF.exe
1420	DEM6E.exe
2220	DEM55AF.exe

Loads dropped DLL 6 IoCs

pid	Process
2060	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe
1804	DEMA93A.exe
2856	DEMFF74.exe
3036	DEM54E4.exe
1304	DEMAAFF.exe
1420	DEM6E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA93A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFF74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM54E4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAAFF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6E.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1804	2060	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe	32
PID 2060 wrote to memory of 1804	2060	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe	32
PID 2060 wrote to memory of 1804	2060	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe	32
PID 2060 wrote to memory of 1804	2060	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe	32
PID 1804 wrote to memory of 2856	1804	DEMA93A.exe	34
PID 1804 wrote to memory of 2856	1804	DEMA93A.exe	34
PID 1804 wrote to memory of 2856	1804	DEMA93A.exe	34
PID 1804 wrote to memory of 2856	1804	DEMA93A.exe	34
PID 2856 wrote to memory of 3036	2856	DEMFF74.exe	36
PID 2856 wrote to memory of 3036	2856	DEMFF74.exe	36
PID 2856 wrote to memory of 3036	2856	DEMFF74.exe	36
PID 2856 wrote to memory of 3036	2856	DEMFF74.exe	36
PID 3036 wrote to memory of 1304	3036	DEM54E4.exe	38
PID 3036 wrote to memory of 1304	3036	DEM54E4.exe	38
PID 3036 wrote to memory of 1304	3036	DEM54E4.exe	38
PID 3036 wrote to memory of 1304	3036	DEM54E4.exe	38
PID 1304 wrote to memory of 1420	1304	DEMAAFF.exe	40
PID 1304 wrote to memory of 1420	1304	DEMAAFF.exe	40
PID 1304 wrote to memory of 1420	1304	DEMAAFF.exe	40
PID 1304 wrote to memory of 1420	1304	DEMAAFF.exe	40
PID 1420 wrote to memory of 2220	1420	DEM6E.exe	42
PID 1420 wrote to memory of 2220	1420	DEM6E.exe	42
PID 1420 wrote to memory of 2220	1420	DEM6E.exe	42
PID 1420 wrote to memory of 2220	1420	DEM6E.exe	42

C:\Users\Admin\AppData\Local\Temp\15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\DEMA93A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA93A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\DEMFF74.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFF74.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\DEM54E4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM54E4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\DEMAAFF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAAFF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Users\Admin\AppData\Local\Temp\DEM6E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\DEM55AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM55AF.exe"
        7⤵
        Executes dropped EXE
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMFF74.exe

Filesize
14KB

MD5
c171339516fd57ca9910ad37e777e040

SHA1
2d53be16118c20069a1dafedfa4d5007e95af654

SHA256
36797107402f4cc0f4621047d88f965df0dce54456ebca866fbc4f07eee61b63

SHA512
92f25dd7bf98e761df1568a89eda3e2bf5564afc5a690e365ef17ef7fc37d19bf1d3d4c489c7cc625f83618d564f3d7be855ab35a8230df9ff226c1894182644

Download Submit
\Users\Admin\AppData\Local\Temp\DEM54E4.exe

Filesize
14KB

MD5
023f4f67e44569014428690afc900b8f

SHA1
a3a521894ea62ed617be0198e8af98875627a1d2

SHA256
46bb6e46947dcbaf11ecb8756c06699ea610e5813fe6c197c5f8531123deec8d

SHA512
2e46f7fe8ff9d223fb1372b2f9ee840e3b96e6fbd01ccc936032e8940d5764142fdda7f98c2e4a1ea3e49d28068bca2d2ad06712297fe99bc989f336abfd47a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM55AF.exe

Filesize
14KB

MD5
af31d17657700218ae8da37f1c41c4ec

SHA1
36ed6c8b4fd827356cf6fa20911d56ad00dc4716

SHA256
4980f48a1821f380e2d98bc6bc7c585e38fabbfd7e34b7c89f8104e05222bb8c

SHA512
f5b3a27a228ccb594a7e8652400a0da368f69075ae15f1dad9e44630c37d622a07b5c57dfeeba32dc02de1fe870c4265f635d9eb2e217d49aceb3e4ec3910ae2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6E.exe

Filesize
14KB

MD5
bff7656a56596cb7131b9b61cfbca5a7

SHA1
439825d1eee0641250e89b91cd30fb83f4765a9b

SHA256
14b76d2b2d84b5eb655c066fe33502a5cdb85c3b03dc77a0492e6a54368175b9

SHA512
3e1d1d22d4cb06c0c9d45f76f298d1ba4d859dce0cb01669fd74d0a7c168d27bd4e3897de532a9d96cb2fce4225e9900e8ea8b79cce81c857b48217a79e65945

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA93A.exe

Filesize
14KB

MD5
0f94513ed8123ef9642a988ce8e5b24c

SHA1
37abda51d9580520b2979f520b6101abcbcfbeff

SHA256
59ac5daec542431f4e2b3df9e02c2cc6fe77295d60fbd2460e7724137f5ea172

SHA512
a7d7a677a2b52f359e51db1b45b8bb7fd425e3936269a7ab9d3ffeb40d16d8c0cb224655166cfd2142a5dc885731e1f5e69b1c11a3f627a6a7024ea58823cdaf

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAAFF.exe

Filesize
14KB

MD5
62b69a86c72e9120ce06af2d1094a18f

SHA1
f29128fbcada49cdec948a7a7ef188b8beb0a60a

SHA256
b5d13732bda338d9a6b34ccbaa347a0cb0653373325b6c9084955204be522c87

SHA512
e963e05002e8648de47acfc8b86f04c6754a09f7fa4d1968b0ffbaada21f3233bcd0e5ae3beb5076818b5e40993e4d6e2ea10f0d0164ebf3a529394996312ba6

Download Submit

Analysis

Sharing