aa34cdf87b9db56b727daa5c26c9fadf1002de12be6e9249dc096d87d872c4d0

General

Target

548f6abbaa1258cd35aac4ba588c2487_JaffaCakes118.exe
Size

14KB
MD5

548f6abbaa1258cd35aac4ba588c2487
SHA1

cff3bd002e38e7265adf3b8e872e092b3147bd50
SHA256

aa34cdf87b9db56b727daa5c26c9fadf1002de12be6e9249dc096d87d872c4d0
SHA512

365809b01e029c26e2446dee18f47b29ef6bf1099fb99e4a6c86021575764aad331777e79bac9fac4cdbd03db9cb08560cb83e388846e380d603246698401e18
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYu0+:hDXWipuE+K3/SSHgxmZ+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2856	DEM7511.exe
2784	DEMCB5A.exe
2744	DEM2137.exe
2964	DEM7713.exe
2912	DEMCD4E.exe
820	DEM22DC.exe

Loads dropped DLL 6 IoCs

pid	Process
2304	548f6abbaa1258cd35aac4ba588c2487_JaffaCakes118.exe
2856	DEM7511.exe
2784	DEMCB5A.exe
2744	DEM2137.exe
2964	DEM7713.exe
2912	DEMCD4E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCB5A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD4E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	548f6abbaa1258cd35aac4ba588c2487_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7511.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2856	2304	548f6abbaa1258cd35aac4ba588c2487_JaffaCakes118.exe	30
PID 2304 wrote to memory of 2856	2304	548f6abbaa1258cd35aac4ba588c2487_JaffaCakes118.exe	30
PID 2304 wrote to memory of 2856	2304	548f6abbaa1258cd35aac4ba588c2487_JaffaCakes118.exe	30
PID 2304 wrote to memory of 2856	2304	548f6abbaa1258cd35aac4ba588c2487_JaffaCakes118.exe	30
PID 2856 wrote to memory of 2784	2856	DEM7511.exe	32
PID 2856 wrote to memory of 2784	2856	DEM7511.exe	32
PID 2856 wrote to memory of 2784	2856	DEM7511.exe	32
PID 2856 wrote to memory of 2784	2856	DEM7511.exe	32
PID 2784 wrote to memory of 2744	2784	DEMCB5A.exe	34
PID 2784 wrote to memory of 2744	2784	DEMCB5A.exe	34
PID 2784 wrote to memory of 2744	2784	DEMCB5A.exe	34
PID 2784 wrote to memory of 2744	2784	DEMCB5A.exe	34
PID 2744 wrote to memory of 2964	2744	DEM2137.exe	36
PID 2744 wrote to memory of 2964	2744	DEM2137.exe	36
PID 2744 wrote to memory of 2964	2744	DEM2137.exe	36
PID 2744 wrote to memory of 2964	2744	DEM2137.exe	36
PID 2964 wrote to memory of 2912	2964	DEM7713.exe	38
PID 2964 wrote to memory of 2912	2964	DEM7713.exe	38
PID 2964 wrote to memory of 2912	2964	DEM7713.exe	38
PID 2964 wrote to memory of 2912	2964	DEM7713.exe	38
PID 2912 wrote to memory of 820	2912	DEMCD4E.exe	40
PID 2912 wrote to memory of 820	2912	DEMCD4E.exe	40
PID 2912 wrote to memory of 820	2912	DEMCD4E.exe	40
PID 2912 wrote to memory of 820	2912	DEMCD4E.exe	40

C:\Users\Admin\AppData\Local\Temp\548f6abbaa1258cd35aac4ba588c2487_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\548f6abbaa1258cd35aac4ba588c2487_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\DEM7511.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7511.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\DEMCB5A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCB5A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\DEM2137.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2137.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\DEM7713.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7713.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Users\Admin\AppData\Local\Temp\DEMCD4E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCD4E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\DEM22DC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM22DC.exe"
        7⤵
        Executes dropped EXE
        
        PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2137.exe

Filesize
14KB

MD5
cd21bde776605a97a0c27ba3cd19183b

SHA1
090d05ccbef466390f6ed350270122fd05bcd2f9

SHA256
d957594d21f32aa39f36ce5202c020616b23ab98197d66a29fb8a4ca913b85b9

SHA512
1d88e5da2e8ba6a59ac22a567045d4d9a932f60e13aead6747b7e90bcd68f0f3d3ed231c6cde29ecfa2b6711ef0ad25cb74cedfd37c6d49230a9d60a22e3b79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM22DC.exe

Filesize
14KB

MD5
34fc20780d407b82edae9644fabb702d

SHA1
6517c3497c104bc15e5ac96358d67a07e788dcd5

SHA256
ddd6630d1388f063504b1ab4099566199665c82310890b8c69befc0d8b7d93f3

SHA512
3a2146a336b6df9b150f61cd48d9cc9ee29f72ad2c8961729553b708d13c1d6616d0f5f168e231a4b919f22da91726f4811a121ee1ef55e48dc206fd4f5dcdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7713.exe

Filesize
14KB

MD5
e1c698f6f88687da12f9f421c71ecbc5

SHA1
244de9f00006aac07a02c00fe2e72f4d28f8c88f

SHA256
59f9094721e1d1d0b703caa7eb850bf82b8a20dd86e6f0d39234154c24dd310d

SHA512
24dd6ce3c737009750745b2b6f6dc8ff80a63b642ec271df0a1a690efee54fcea40c1a931ed6f50668bcadb2e9ab1849c98dab263d46cf0f2b038b7b03033c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB5A.exe

Filesize
14KB

MD5
eb06bc36f176785b25e0f6ad92b90aff

SHA1
52a71ff5b65a4e63729f34a943ef8f0da67404e0

SHA256
a0baf1115417e85d80ec33533a29fbdc0c49b011b7cbcf8b465f2e180380cdc8

SHA512
71cd39a77acf6e1b59da65ea6ac29e5e97faef61fb637d25b9bb1885a89958a9de86ac067c57a4d2fb3c234db68b91919e75c752ab343e4812efcb9fd617e7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCD4E.exe

Filesize
14KB

MD5
6d5c174e82d8101674a2bf0b9beb5047

SHA1
8b1a31d132a08974d7141a08ac1d8c4423679efb

SHA256
aa5a1e841c9947e64ece1e33742277746125d6a5ed9e2857596660bc96a7cea5

SHA512
580bd3cbb97a79c5d510165797368f6272b04d65d39a67c8c16f86cf52d2f6814a85a12bf168f21e7605b8fa9d681be34818509431f1024737d32b1a9fbb032f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7511.exe

Filesize
14KB

MD5
87559746ddfb24af971f616553205396

SHA1
588a2d846e0af99477f109c358aab2bf269c550c

SHA256
db67ba0b4477991bf137c77e3cfaa2cdf20ce3db5fbfa2adb9a051023380159a

SHA512
35eec5128341e8a328aaca46a7187e3ad9a78888e5a254038bb3576cebac6f0ba491342b9b8809c1f0f66d76949c76fa891847edf66ad44312a5af1d255eb1fd

Download Submit

Analysis

Sharing