eb62c74dd9d6ec42a398c82936ab7bb858e8af0ed98e02da29d2600f98a57577

General

Target

547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe
Size

14KB
MD5

547c0aa76b09406f9571d24ab21988ca
SHA1

975b352d33cf9745d3e863febb8a08369b5acca8
SHA256

eb62c74dd9d6ec42a398c82936ab7bb858e8af0ed98e02da29d2600f98a57577
SHA512

ba65373c497622a55d099f7ed4285ead530f8a87a30ee81f281c989a232decb25a59e0aee839872ea9cde16b9293236d2496803acae81eca5214a9908d1df7cd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJx:hDXWipuE+K3/SSHgxt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2840	DEMDC0D.exe
568	DEM31E9.exe
1788	DEM870B.exe
2772	DEMDC7A.exe
2912	DEM31DA.exe
2120	DEM8749.exe

Loads dropped DLL 6 IoCs

pid	Process
2272	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe
2840	DEMDC0D.exe
568	DEM31E9.exe
1788	DEM870B.exe
2772	DEMDC7A.exe
2912	DEM31DA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDC0D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM31E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM870B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDC7A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM31DA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2840	2272	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2840	2272	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2840	2272	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2840	2272	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe	32
PID 2840 wrote to memory of 568	2840	DEMDC0D.exe	34
PID 2840 wrote to memory of 568	2840	DEMDC0D.exe	34
PID 2840 wrote to memory of 568	2840	DEMDC0D.exe	34
PID 2840 wrote to memory of 568	2840	DEMDC0D.exe	34
PID 568 wrote to memory of 1788	568	DEM31E9.exe	36
PID 568 wrote to memory of 1788	568	DEM31E9.exe	36
PID 568 wrote to memory of 1788	568	DEM31E9.exe	36
PID 568 wrote to memory of 1788	568	DEM31E9.exe	36
PID 1788 wrote to memory of 2772	1788	DEM870B.exe	38
PID 1788 wrote to memory of 2772	1788	DEM870B.exe	38
PID 1788 wrote to memory of 2772	1788	DEM870B.exe	38
PID 1788 wrote to memory of 2772	1788	DEM870B.exe	38
PID 2772 wrote to memory of 2912	2772	DEMDC7A.exe	40
PID 2772 wrote to memory of 2912	2772	DEMDC7A.exe	40
PID 2772 wrote to memory of 2912	2772	DEMDC7A.exe	40
PID 2772 wrote to memory of 2912	2772	DEMDC7A.exe	40
PID 2912 wrote to memory of 2120	2912	DEM31DA.exe	42
PID 2912 wrote to memory of 2120	2912	DEM31DA.exe	42
PID 2912 wrote to memory of 2120	2912	DEM31DA.exe	42
PID 2912 wrote to memory of 2120	2912	DEM31DA.exe	42

C:\Users\Admin\AppData\Local\Temp\547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\DEMDC0D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMDC0D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\DEM31E9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM31E9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\DEM870B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM870B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\DEMDC7A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC7A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Users\Admin\AppData\Local\Temp\DEM31DA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM31DA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\DEM8749.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8749.exe"
        7⤵
        Executes dropped EXE
        
        PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM31E9.exe

Filesize
14KB

MD5
bf6f9e326d5ff246261daea8012f7684

SHA1
43b7bb9196a468b0aaf3f262223ccd9236b6e72f

SHA256
62cfb81f03450330bce54899d3f16b076b4b18cdcb33dffa2bc92b563339fab6

SHA512
641bd71b7bdab8492b177fc24bab3d089e289c513110e456357c97036c706c36ae6687324e0a50e798eb7b33a6cde728974d18c9a63a10ae769fa1958a6c785a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM31DA.exe

Filesize
14KB

MD5
32f1602d7c15c693ab4fd70d3a0a9db5

SHA1
7298a74ddf66857c6ad89c8c4830227836dc6081

SHA256
e1b4641896c70115449243060c65141e4fd5538d3c3bee27cfb6fd7c3c2c6019

SHA512
36c92932d8c6bde462555e228a63a06345606fa4a7631827528f70074329401cc3397894362846addd8650b279d2cfb146de0ce5098af2f1869c247c8b22354e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM870B.exe

Filesize
14KB

MD5
5af470cf799a73351abe1a9ffa69651b

SHA1
eccbf798ac18c1c10803f3fdc26a412ff821b673

SHA256
e00549f9550b76327c875ee3589b38fd5c362e1218e289cd818cae6beb1a6065

SHA512
3cd66bfa38f002d9f2623447e95793ee7d66cd8887f9c8d1244b4603731be6e29e73d84c5485db3fa7c5588aaa9a86df4519a5f5681029e541fa9f191189a5e7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8749.exe

Filesize
14KB

MD5
30f499d322d077a4288f45af1bb2fef6

SHA1
b2e4e1e8ac43d66f988a8f29df0beb4530976591

SHA256
006c6847fe0c0a13f969a5947fbb64016ba0159c5be845d404c4cb7b77a37985

SHA512
24ba3e0ede29cda1bdc0ae9049b39da310fd2a143725c8610f4ea5dc7588b5c3dc121e5a10b6080c1bc29ddb5ff2979cdd4a8cd9e22577118a0257839f4bd583

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDC0D.exe

Filesize
14KB

MD5
89e3058126a99debbcf3e6c737a69fca

SHA1
a90028d66e2ed7237872b11c3fb30e46add08e9e

SHA256
06365badd52705e8e1dd37a201558952fbc2f1ea3e30f7f90657db26346844c0

SHA512
1f6280a74d7887fed7adbcb286288dfbaf80381570218e1ed44a00ae1a2b35a2e30b634f93d7a3bf9bae1ab09642fec52ca838dd6dc3dfd4181f5dee63c35021

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDC7A.exe

Filesize
14KB

MD5
99b03374098be89db82bfb88b28d934f

SHA1
08c2b4315048fb923ccd4c4e9035b92959dee9a0

SHA256
fa74f13c506b3c06b29549df4178fde044ea0b382cdaf0823ccf9ca2d44e4238

SHA512
73a1e878896a16bd7a4b76a3bfd892829f68714daaf54cd2792b40271c57c4227597a338fb2a564e3d803a93dbcf7ab35244232cce28cacc5eb2e424e9b26edb

Download Submit

Analysis

Sharing