a3af1cb9e96111f1b22cf571faee8b8b8853649375f3c3866605178c03054e1a

General

Target

114923912de5c2f125812a476724ce51_JaffaCakes118.exe
Size

14KB
MD5

114923912de5c2f125812a476724ce51
SHA1

1bc16556b93ec6118d47a761098ebde9de4db657
SHA256

a3af1cb9e96111f1b22cf571faee8b8b8853649375f3c3866605178c03054e1a
SHA512

361afadb639d7f8c6115e5a815992dfb00188d07f36a750e7b8e72ea33699bbf4686f50cb41ddace6eb7abda46740dc0f5dfaadf5f94ea17adf79b9db2c454c6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0xEp:hDXWipuE+K3/SSHgxm0Cp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2664	DEM1FA1.exe
2872	DEM7511.exe
2756	DEMCA8F.exe
1984	DEM1FEF.exe
1168	DEM7512.exe
1852	DEMCA61.exe

Loads dropped DLL 6 IoCs

pid	Process
2492	114923912de5c2f125812a476724ce51_JaffaCakes118.exe
2664	DEM1FA1.exe
2872	DEM7511.exe
2756	DEMCA8F.exe
1984	DEM1FEF.exe
1168	DEM7512.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2664	2492	114923912de5c2f125812a476724ce51_JaffaCakes118.exe	29
PID 2492 wrote to memory of 2664	2492	114923912de5c2f125812a476724ce51_JaffaCakes118.exe	29
PID 2492 wrote to memory of 2664	2492	114923912de5c2f125812a476724ce51_JaffaCakes118.exe	29
PID 2492 wrote to memory of 2664	2492	114923912de5c2f125812a476724ce51_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2872	2664	DEM1FA1.exe	33
PID 2664 wrote to memory of 2872	2664	DEM1FA1.exe	33
PID 2664 wrote to memory of 2872	2664	DEM1FA1.exe	33
PID 2664 wrote to memory of 2872	2664	DEM1FA1.exe	33
PID 2872 wrote to memory of 2756	2872	DEM7511.exe	35
PID 2872 wrote to memory of 2756	2872	DEM7511.exe	35
PID 2872 wrote to memory of 2756	2872	DEM7511.exe	35
PID 2872 wrote to memory of 2756	2872	DEM7511.exe	35
PID 2756 wrote to memory of 1984	2756	DEMCA8F.exe	37
PID 2756 wrote to memory of 1984	2756	DEMCA8F.exe	37
PID 2756 wrote to memory of 1984	2756	DEMCA8F.exe	37
PID 2756 wrote to memory of 1984	2756	DEMCA8F.exe	37
PID 1984 wrote to memory of 1168	1984	DEM1FEF.exe	39
PID 1984 wrote to memory of 1168	1984	DEM1FEF.exe	39
PID 1984 wrote to memory of 1168	1984	DEM1FEF.exe	39
PID 1984 wrote to memory of 1168	1984	DEM1FEF.exe	39
PID 1168 wrote to memory of 1852	1168	DEM7512.exe	41
PID 1168 wrote to memory of 1852	1168	DEM7512.exe	41
PID 1168 wrote to memory of 1852	1168	DEM7512.exe	41
PID 1168 wrote to memory of 1852	1168	DEM7512.exe	41

C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\DEM7511.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7511.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\DEM1FEF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1FEF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\DEM7512.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7512.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\DEMCA61.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCA61.exe"
        7⤵
        Executes dropped EXE
        
        PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe

Filesize
15KB

MD5
69d31ea0b3058293684e0a56061b5440

SHA1
edcfbb4125b05660eb67193fbd6382fd028c965b

SHA256
7dc9c3e5dab48bde8d84d61c4c15ca5d64839a513465e1d76f807a16d723abd5

SHA512
271f2a24ca0119d6a5d268aad1151d100e347958f84ed1c7eb7286471dfcb70adc8f9e72aa07e8340994ad3c5f09492b32a923b0252574f435faefba45d61d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7511.exe

Filesize
15KB

MD5
40283715d8861b599926545ebd867698

SHA1
fd35ffb4cf494a6a3f0391d2a7f96202aa3a298d

SHA256
382c06dfb6f3dc74ebf7b7a982fdd4e4c4f343f1a315a13590abd9e22a868c53

SHA512
d793fec024a8580225a16f034f0e33310edef76efd748896ff65cff823d18d7e12bdec39a1752a46033f6415d50a3bb6e72007cece3374b7f14c37685a43c66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7512.exe

Filesize
15KB

MD5
79cd48f52f2f8099f1698e3356aaf2fb

SHA1
d7cce50a8e4c55d325b1890812f81c618883b61f

SHA256
a646370db15f46fb618441c7f8bdcde2baf6cbbbfa11f030b2d748ed3a712735

SHA512
7c6a0c0973347a21a9ed9ae4f09b5da12c05d12da892a586fc8ee4bb68154055f5997acb250168a0903cefc75f8fd314b9eaaa25077553fce44dfb0acae780d7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1FEF.exe

Filesize
15KB

MD5
c8b22ed7db968ef065707e01f0f914f8

SHA1
acdd8b2b2eaef6a94322d1c718e7045f716f8840

SHA256
4ecfbec6b31e6adcc37b015937289c63e25d13ff9f656f84cad206ca5171eecd

SHA512
563a2baf379b1eea2fa0e4adca4dfa7da2bf867b2b46db23ddb0887bcbca67769ac08368af4a4915dea0b422917a322b944d1f272481d9790cfb36460f028c6f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCA61.exe

Filesize
15KB

MD5
ca25913bfd33b90f8e46173de5e8d069

SHA1
8f9689027c67714e702a3aa1235acdb4db36af84

SHA256
70b4468296dcdd460df01f71939d09a0fe0d7c5141ae7deb47ac6fdc75690518

SHA512
679c9356a7baf51a5f76d97608b6907aff7b6867f26d8077046827095af3bbe6b738ffd6c29de58c6e396d9b0719fbdbf867a768d07f0a7d9733bd8a38416c54

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCA8F.exe

Filesize
15KB

MD5
bac52f2afba2d4f0c97ad0d5b554fe70

SHA1
4cbf45a6ac3c74ec34e889c5147899cb5d977a93

SHA256
c914148faf560ac86e820ecfd1f88cf60e7d32247ef5557fa5dba64688b2bc5f

SHA512
c9b4c027044dfb2669e83cd76563c3ee52234090f42c45641a1590b5e37b30c244fee0a04af6ab21abc9041ae89529c7107f302046a87edbf64ea30271678a9e

Download Submit

Analysis

Sharing