c98ab7441e92ba4107cf63062c8b43ec8c0bc0e0b40c66e870194dea78360a09

General

Target

004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe
Size

16KB
MD5

004df9eda4bb9a7589cdc8d4e5ed9620
SHA1

35c6338c8dc3f3a89dcb6ad89722697e82ef04e6
SHA256

c98ab7441e92ba4107cf63062c8b43ec8c0bc0e0b40c66e870194dea78360a09
SHA512

61254800e0aa4658cb60946a999a3c8a80bca3b309fd28eb822b2b8501adf4a932190ad4aae33b809cfa925b571d37e591864717d46d1867793353a70da3194f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJUc+2:hDXWipuE+K3/SSHgxy2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2392	DEM4450.exe
2304	DEM9B94.exe
2488	DEMF1AF.exe
1624	DEM4808.exe
2464	DEM9E90.exe
2200	DEMF586.exe

Loads dropped DLL 6 IoCs

pid	Process
2760	004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe
2392	DEM4450.exe
2304	DEM9B94.exe
2488	DEMF1AF.exe
1624	DEM4808.exe
2464	DEM9E90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2392	2760	004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2392	2760	004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2392	2760	004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2392	2760	004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe	29
PID 2392 wrote to memory of 2304	2392	DEM4450.exe	33
PID 2392 wrote to memory of 2304	2392	DEM4450.exe	33
PID 2392 wrote to memory of 2304	2392	DEM4450.exe	33
PID 2392 wrote to memory of 2304	2392	DEM4450.exe	33
PID 2304 wrote to memory of 2488	2304	DEM9B94.exe	35
PID 2304 wrote to memory of 2488	2304	DEM9B94.exe	35
PID 2304 wrote to memory of 2488	2304	DEM9B94.exe	35
PID 2304 wrote to memory of 2488	2304	DEM9B94.exe	35
PID 2488 wrote to memory of 1624	2488	DEMF1AF.exe	37
PID 2488 wrote to memory of 1624	2488	DEMF1AF.exe	37
PID 2488 wrote to memory of 1624	2488	DEMF1AF.exe	37
PID 2488 wrote to memory of 1624	2488	DEMF1AF.exe	37
PID 1624 wrote to memory of 2464	1624	DEM4808.exe	39
PID 1624 wrote to memory of 2464	1624	DEM4808.exe	39
PID 1624 wrote to memory of 2464	1624	DEM4808.exe	39
PID 1624 wrote to memory of 2464	1624	DEM4808.exe	39
PID 2464 wrote to memory of 2200	2464	DEM9E90.exe	41
PID 2464 wrote to memory of 2200	2464	DEM9E90.exe	41
PID 2464 wrote to memory of 2200	2464	DEM9E90.exe	41
PID 2464 wrote to memory of 2200	2464	DEM9E90.exe	41

C:\Users\Admin\AppData\Local\Temp\004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\DEM4450.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4450.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\DEM9B94.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9B94.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\DEMF1AF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF1AF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\DEM4808.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4808.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\DEM9E90.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9E90.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\DEMF586.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF586.exe"
        7⤵
        Executes dropped EXE
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4808.exe

Filesize
16KB

MD5
9bfc0fb4549473888231ea7b689ba61c

SHA1
4acf7612b6ab27db9e7cdfcfbc1853fbc6116402

SHA256
a2b0b89252679bf947949c73bfa24229a706b47cbc65f0b59ad2c34f1e0da714

SHA512
0d6d6eaf42d560f4101d3c65cc689ed41d72f5f2800ea554ddde2283ecbecd828990b0d10853c244989bf7e60cd3c4744f65f24ce7fff7c4758c3412ad577c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B94.exe

Filesize
16KB

MD5
bf67aa5e38f95e6ef6af53dce044f99a

SHA1
a3f61545f09802e5bffc2cd803715d74357fb99b

SHA256
275da2ab4973c305d1d883565ce9fcb8e373af801b03ded961c20d8e5ea5b58d

SHA512
c361a4aa23210b61457c159f54c06d7af477facd820424d931627b2d31771767a2fae16029da8642a3508f980ee7e5f3e5a3c84595f32e61214bf58209826d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF1AF.exe

Filesize
16KB

MD5
261d91d9a00ce23480f4df78b185184d

SHA1
5f44fc981f26ceb17757dbce4549d0426fb1cbbf

SHA256
92507b4da443414b01e7cf598d450475ecc69a7c085cc7b56d137a4f5b56cb0e

SHA512
0a797f20146aafadfd659a7060b7606010887f6c8ef1f2c7b32265fbddd763cbfbb4dc5e683517351c393275598cbeea8c035923537685246d47bdf4fd98df91

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4450.exe

Filesize
16KB

MD5
da1ce5625ebe9a5e52acf77aebafd06f

SHA1
3821c781df745bdf923f1fe0ed16f1f0602d32fa

SHA256
3d58b18dfbb9cf858a41425d029e2720601a21880aedc62db70bcc406bf59337

SHA512
20d04b436fe9bf9cd50953c6c434a365e6ba44331cf01b758e2be790daf1098a6f465accaf893e9bc4035e0647ab17799c60b5c1160f8fc75f3868d4ae7dacf3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9E90.exe

Filesize
16KB

MD5
49be196c81fcbc259add422a383fe3ed

SHA1
a2363d5dc097da3580f32db73af33d6473047631

SHA256
0b093c9908f3e70f969e684ca8fe09e75d7296d815efad771e4b261bed6c90dc

SHA512
34b7bffa3511596eafc6da51a5c426fa2209f3c4eebf472babc686901a49f6417cb523ecebaa5c30c476f3bd87701984f3286557207680706b2d1d2400616cea

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF586.exe

Filesize
16KB

MD5
e0d692eb028e9a9119bcf7aa4ddd1049

SHA1
3c2d24a468c385d6205dbdcf449405ac63f728e0

SHA256
3575844d6dda2115137be1aff6e7c54d9e5460a66873bb0880e6a15b5a852f4f

SHA512
5deb3761835d748d58fc0e225467b937aa7109c451ebd4bc80eda3651c7786c8c87344dfbc715a47b5004626d507dfdac709e503987decb1b310d4540d4b3cd5

Download Submit

Analysis

Sharing