1c4637218bae390ccd7f8e8d54d6b9cff2168be44c4fc3f3511dde16457d919d

General

Target

5664d9b4ae4e6ca0251b4560df98c73f_JaffaCakes118.exe
Size

14KB
MD5

5664d9b4ae4e6ca0251b4560df98c73f
SHA1

e9c155e8b60ada0f6ec2917fc9b996edeb4af870
SHA256

1c4637218bae390ccd7f8e8d54d6b9cff2168be44c4fc3f3511dde16457d919d
SHA512

c4ef8194e457ba25f9de730cb0e5c2fedc6953cb465e7689a022090a7a3af2d0b2978c9a624e8bf98ce34b3585af463cbbf4ec231b0cefa190bf04707dca2b2c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5U:hDXWipuE+K3/SSHgxmC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2984	DEMCACE.exe
2744	DEM20CA.exe
3040	DEM76C5.exe
2112	DEMCCA2.exe
2568	DEM2388.exe
2836	DEM79F1.exe

Loads dropped DLL 6 IoCs

pid	Process
2820	5664d9b4ae4e6ca0251b4560df98c73f_JaffaCakes118.exe
2984	DEMCACE.exe
2744	DEM20CA.exe
3040	DEM76C5.exe
2112	DEMCCA2.exe
2568	DEM2388.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5664d9b4ae4e6ca0251b4560df98c73f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCACE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM20CA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM76C5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCCA2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2388.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2984	2820	5664d9b4ae4e6ca0251b4560df98c73f_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2984	2820	5664d9b4ae4e6ca0251b4560df98c73f_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2984	2820	5664d9b4ae4e6ca0251b4560df98c73f_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2984	2820	5664d9b4ae4e6ca0251b4560df98c73f_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2744	2984	DEMCACE.exe	33
PID 2984 wrote to memory of 2744	2984	DEMCACE.exe	33
PID 2984 wrote to memory of 2744	2984	DEMCACE.exe	33
PID 2984 wrote to memory of 2744	2984	DEMCACE.exe	33
PID 2744 wrote to memory of 3040	2744	DEM20CA.exe	35
PID 2744 wrote to memory of 3040	2744	DEM20CA.exe	35
PID 2744 wrote to memory of 3040	2744	DEM20CA.exe	35
PID 2744 wrote to memory of 3040	2744	DEM20CA.exe	35
PID 3040 wrote to memory of 2112	3040	DEM76C5.exe	37
PID 3040 wrote to memory of 2112	3040	DEM76C5.exe	37
PID 3040 wrote to memory of 2112	3040	DEM76C5.exe	37
PID 3040 wrote to memory of 2112	3040	DEM76C5.exe	37
PID 2112 wrote to memory of 2568	2112	DEMCCA2.exe	39
PID 2112 wrote to memory of 2568	2112	DEMCCA2.exe	39
PID 2112 wrote to memory of 2568	2112	DEMCCA2.exe	39
PID 2112 wrote to memory of 2568	2112	DEMCCA2.exe	39
PID 2568 wrote to memory of 2836	2568	DEM2388.exe	41
PID 2568 wrote to memory of 2836	2568	DEM2388.exe	41
PID 2568 wrote to memory of 2836	2568	DEM2388.exe	41
PID 2568 wrote to memory of 2836	2568	DEM2388.exe	41

C:\Users\Admin\AppData\Local\Temp\5664d9b4ae4e6ca0251b4560df98c73f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5664d9b4ae4e6ca0251b4560df98c73f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\DEMCACE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCACE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\DEM20CA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM20CA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\DEM76C5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM76C5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\DEMCCA2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCCA2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Users\Admin\AppData\Local\Temp\DEM2388.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2388.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\DEM79F1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM79F1.exe"
        7⤵
        Executes dropped EXE
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM20CA.exe

Filesize
14KB

MD5
52539ee95fe7370684591e36ee033df2

SHA1
e6c7ee694ef18e7063956bbc10ab8606f05a4e10

SHA256
662e5f5b7d130284cbeddd5a3542424537b8355d32b8713c1394de630a4fdb0c

SHA512
883e13136d422b6ddc63b1e17c5936ae235cee424c50599042d57031896784296b54e86fe1bea1740e402eaea80d3c56e17280c296634d347c50d63dce106eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM79F1.exe

Filesize
14KB

MD5
b0ec49cfa8837258aaf54921a4ad6f49

SHA1
200a69e2c092b8da8fdce7d6585c3ad8675e01b6

SHA256
c18c074fc00fbc7a786cd63c30c4b9b042d7cc30bf63887616537f7c8037dcb1

SHA512
4864bf8417b5f84c2b0934dcc4ab9ce4902dafc1621fe943710f1011be5125b3ca8bf96c058963b0160116e4de518de96741d6daf8f826e5798dd7756b5149f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCACE.exe

Filesize
14KB

MD5
5190c576d8f8d656f9b36ba184092bb8

SHA1
2385e0ee1666e2e8db1197d3ce235675ea409298

SHA256
e5e80a734e2b74c11d0d3112f8b2571980fefd46b25d60375c8b4c0b5ee9fa07

SHA512
37fb9cc9a8d746e5bd855e5a5693f4cf93acc9cc55dc095352bd55c1a09e4cc8c7c19075280c65c1327f02c62152dd627d4a28ac1b47152ba2f078153f47b9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCCA2.exe

Filesize
14KB

MD5
a23f833662f2c15849b6f81c8a69b6a5

SHA1
61a92acdec8f625c5468912c1d931513556783e6

SHA256
fdce976c857bad90f9da3eebdf4824de34dc6264406c0f7c4529290040c0e0c6

SHA512
2ed91d2ff6ddc0f35a969b5fe897b9aba2229f6abff60723e958c70f836f2872b12839aa6773258ba5a78993c3a3a669034958a837ef1b6d8ced5c5dc4e122ac

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2388.exe

Filesize
14KB

MD5
a1a019ee3de689b4306fe7958fd53b6f

SHA1
0a9ba15e7100bf2199c480aaa35a195670e55f58

SHA256
53e1a2369ca96b7ed6e97dd3bdef27b43c7397b6e821b6c5ac0ac62c0a412cba

SHA512
3351b8f17a70d966944dbc7c8e69ccb415ca2c1eca064d36e8403cad48d5b0d4d000da5547675e51ca8f6a18524ea8d3af2740993d84da79cd31a5b9e22f561b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM76C5.exe

Filesize
14KB

MD5
85968a90423ca9650515dfe6df554a4d

SHA1
6a1ce7178029d139fe7d024d6d788d862d335666

SHA256
9b8bc48847d66ab71ea55ab04e3b1c650f5637837a8d07500b144fc67ef2a8b5

SHA512
e786b24fb4ada7596cadec64d161cd17ade5817a885d70cbdae1d3d503ec8540373e87b3a4c3b643a33ad55ded348cc6bb23d4d397ffcd57fbd7b106e98139c5

Download Submit

Analysis

Sharing