03f5bb9657f3509ade7b7c9d998a11f7f922489aa8de906fa94f70c5487c2901

General

Target

JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
Size

13KB
MD5

f9feddb8d9d2e15ef6a9d53e7014a152
SHA1

97bed1b600d6d402db7e53de8a3681e5d5918537
SHA256

03f5bb9657f3509ade7b7c9d998a11f7f922489aa8de906fa94f70c5487c2901
SHA512

71e48c41901fc3156fad55c2f5c8878d455c2d326ab47fafc04e65e4efb720970a05c9a49c8d6db6511292c55619d413a299c068e3874bf3ce59f36a56a2d680
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhbuQK:hDXWipuE+K3/SSHgxcQK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2140	DEM232.exe
2892	DEM57A2.exe
2248	DEMAEC6.exe
2836	DEM4E1.exe
2632	DEM5AEC.exe
2500	DEMB155.exe

Loads dropped DLL 6 IoCs

pid	Process
2296	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
2140	DEM232.exe
2892	DEM57A2.exe
2248	DEMAEC6.exe
2836	DEM4E1.exe
2632	DEM5AEC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM232.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM57A2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAEC6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4E1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5AEC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2140	2296	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe	32
PID 2296 wrote to memory of 2140	2296	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe	32
PID 2296 wrote to memory of 2140	2296	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe	32
PID 2296 wrote to memory of 2140	2296	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe	32
PID 2140 wrote to memory of 2892	2140	DEM232.exe	34
PID 2140 wrote to memory of 2892	2140	DEM232.exe	34
PID 2140 wrote to memory of 2892	2140	DEM232.exe	34
PID 2140 wrote to memory of 2892	2140	DEM232.exe	34
PID 2892 wrote to memory of 2248	2892	DEM57A2.exe	36
PID 2892 wrote to memory of 2248	2892	DEM57A2.exe	36
PID 2892 wrote to memory of 2248	2892	DEM57A2.exe	36
PID 2892 wrote to memory of 2248	2892	DEM57A2.exe	36
PID 2248 wrote to memory of 2836	2248	DEMAEC6.exe	38
PID 2248 wrote to memory of 2836	2248	DEMAEC6.exe	38
PID 2248 wrote to memory of 2836	2248	DEMAEC6.exe	38
PID 2248 wrote to memory of 2836	2248	DEMAEC6.exe	38
PID 2836 wrote to memory of 2632	2836	DEM4E1.exe	40
PID 2836 wrote to memory of 2632	2836	DEM4E1.exe	40
PID 2836 wrote to memory of 2632	2836	DEM4E1.exe	40
PID 2836 wrote to memory of 2632	2836	DEM4E1.exe	40
PID 2632 wrote to memory of 2500	2632	DEM5AEC.exe	43
PID 2632 wrote to memory of 2500	2632	DEM5AEC.exe	43
PID 2632 wrote to memory of 2500	2632	DEM5AEC.exe	43
PID 2632 wrote to memory of 2500	2632	DEM5AEC.exe	43

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\DEM232.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM232.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\DEM57A2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM57A2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Users\Admin\AppData\Local\Temp\DEM4E1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4E1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\DEM5AEC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5AEC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\DEMB155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB155.exe"
        7⤵
        Executes dropped EXE
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM57A2.exe

Filesize
14KB

MD5
5d7c3f4f4ee4428f1eb517b15ff3d14e

SHA1
3e19bc76c47ae3b7c1cbe2abf29207327d0dedb1

SHA256
ba0450826e901043fa7e852bd8f3aea7edbe7be6390f77379532ed610458ab09

SHA512
d821e102211f7603911f4b95ec320ffc34567d105a1b95899594693a82319e5cf1fae932b00924f8dfba1a6cff3a34297a5d1c6aaeb77e9354ec335b8da52a51

Download Submit
\Users\Admin\AppData\Local\Temp\DEM232.exe

Filesize
13KB

MD5
84a14d79cb9d019cd6027fe7e3b4fb09

SHA1
213da4a98059275e032c784e0d205197f10ba251

SHA256
d1af51b19ad1a18138a168ccec7fd1c908665f4ed7a07a86a99342de779c3ef7

SHA512
c246172374b91835d0cd4fa6523dba96217d4b8df755d717e5530a52aef6c0cb5db75c3f158e53f2e76447338c1f9f230363914d1c342a1d625a05b6edb2151c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4E1.exe

Filesize
14KB

MD5
dc96b752fc9c298a112e0a7bb29df63e

SHA1
cdc16b74833bc4d7704a0193b1076dca1d635b55

SHA256
e723344c68bc120f90cbb410402c60bc48e9a36db89e90f5b24b95e1c336585d

SHA512
226c89cf2108f03d4619bcb7098742a0fa8563089856b23f2dbb64bf2afd047a7c8ab550271b6ba2c618aced241979ab7ade48f4b31b4bcd4a5df6e965629982

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5AEC.exe

Filesize
14KB

MD5
6ea7c0a7dded8b02530e1bd3d8c32776

SHA1
76addb9b3c82402ee497dfc59197d60a6d8115af

SHA256
ab45369d922b6eb3d9dd345f835122e759bdafc64db7bbad6dd366bfa1600c86

SHA512
c6de704b5409254eaf3fec34c735a7ed0a3c9d3d340336bb83e31db6aaf83e27780a1e802a5540008d56c41cd400440826cf1da96e2461dd1618284d5c5ac091

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAEC6.exe

Filesize
14KB

MD5
76ab3b392f1a56b7e9e90e186530436b

SHA1
fb52bdbcc74ce7698c9e503a2592af6b46430e0d

SHA256
6aa31b7ee0b742648b2ad320929d2c657cfaafbd201fa903823769ac53b329e4

SHA512
fc66030edc436e39cdbe4e8b8960e2f5ee578949493aed57b18d99f47a57b4bdc128ffdea1bd6b1a6c7d3c5a9e24c1fd995331e1d03befe45d7d520e33591f0b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB155.exe

Filesize
14KB

MD5
aeffe90da567e25ed38b41609250f203

SHA1
efe3eb6ff8e62fc6cefffe00e621d6e1f8588bc8

SHA256
389c5dbe96f518b8986a73707ced3d20721e043f44785a5dc4b633c1c72dc50e

SHA512
622b148fa7bd18ebce2ba9fb16536ad48e37bf91cd82ec501331d2349dad3b3195d2522073c7071d42852e3ea8cdc83c3eeac5ef4147e218fd4f3013f6e1c6ad

Download Submit

Analysis

Sharing