5315d96a186e061eb815707206c9799745a6c1ebefc893dde8d263e7b8ad8613

General

Target

00220c260fc5e09cb81df1b7e3b4e3ba_JaffaCakes118.exe
Size

16KB
MD5

00220c260fc5e09cb81df1b7e3b4e3ba
SHA1

90d0b4ce7e71a237cae01d35618fd3a8fc5f384e
SHA256

5315d96a186e061eb815707206c9799745a6c1ebefc893dde8d263e7b8ad8613
SHA512

5507ffc37a0e01ad5e3240a7212b55a3a6d9989d61891cfeb12f39280c034429089b10ff01db9b8fa3ca66f90c763048a27539a7e4c34c31fd36b19c5eb845ca
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl5:hDXWipuE+K3/SSHgxml5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2624	DEM4D26.exe
2472	DEMA4E7.exe
2752	DEMFA56.exe
1908	DEM50BF.exe
1224	DEMA757.exe
2240	DEMFE3C.exe

Loads dropped DLL 6 IoCs

pid	Process
1960	00220c260fc5e09cb81df1b7e3b4e3ba_JaffaCakes118.exe
2624	DEM4D26.exe
2472	DEMA4E7.exe
2752	DEMFA56.exe
1908	DEM50BF.exe
1224	DEMA757.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2624	1960	00220c260fc5e09cb81df1b7e3b4e3ba_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2624	1960	00220c260fc5e09cb81df1b7e3b4e3ba_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2624	1960	00220c260fc5e09cb81df1b7e3b4e3ba_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2624	1960	00220c260fc5e09cb81df1b7e3b4e3ba_JaffaCakes118.exe	29
PID 2624 wrote to memory of 2472	2624	DEM4D26.exe	33
PID 2624 wrote to memory of 2472	2624	DEM4D26.exe	33
PID 2624 wrote to memory of 2472	2624	DEM4D26.exe	33
PID 2624 wrote to memory of 2472	2624	DEM4D26.exe	33
PID 2472 wrote to memory of 2752	2472	DEMA4E7.exe	35
PID 2472 wrote to memory of 2752	2472	DEMA4E7.exe	35
PID 2472 wrote to memory of 2752	2472	DEMA4E7.exe	35
PID 2472 wrote to memory of 2752	2472	DEMA4E7.exe	35
PID 2752 wrote to memory of 1908	2752	DEMFA56.exe	37
PID 2752 wrote to memory of 1908	2752	DEMFA56.exe	37
PID 2752 wrote to memory of 1908	2752	DEMFA56.exe	37
PID 2752 wrote to memory of 1908	2752	DEMFA56.exe	37
PID 1908 wrote to memory of 1224	1908	DEM50BF.exe	39
PID 1908 wrote to memory of 1224	1908	DEM50BF.exe	39
PID 1908 wrote to memory of 1224	1908	DEM50BF.exe	39
PID 1908 wrote to memory of 1224	1908	DEM50BF.exe	39
PID 1224 wrote to memory of 2240	1224	DEMA757.exe	41
PID 1224 wrote to memory of 2240	1224	DEMA757.exe	41
PID 1224 wrote to memory of 2240	1224	DEMA757.exe	41
PID 1224 wrote to memory of 2240	1224	DEMA757.exe	41

C:\Users\Admin\AppData\Local\Temp\00220c260fc5e09cb81df1b7e3b4e3ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00220c260fc5e09cb81df1b7e3b4e3ba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\DEM4D26.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4D26.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\DEMA4E7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA4E7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\DEMFA56.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFA56.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\DEM50BF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM50BF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\DEMA757.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA757.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\DEMFE3C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE3C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA4E7.exe

Filesize
16KB

MD5
cd21630b2c2b2f52044cef42c95bcc4c

SHA1
76a5d8e26aea57f79caa714fe09525c4d530d727

SHA256
6e48cb582d54ecd7f0728bd66d44e8ef65692da8546820a53d1d952218576512

SHA512
933979e792e77e56716d3c218adcc41f0c57c91dad766c7849bf5c391b4c57e1abd0abc86b7014c955e1e255f88444a1f7bb11b4a74e0a6d0ecd4e93d3c73dac

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4D26.exe

Filesize
16KB

MD5
138c8662f08fe1aa05f257d7749a5afc

SHA1
1d81ac4dbad1a0785f123722b1d9d37694ef2c82

SHA256
c94fe18682083f56c0b4db3bf80241b91e33f46caff0e0a1b418f5a9a455f858

SHA512
6b944d724eede61a62778c793154e2ac8e303954754ec121ebf52fa68eeefcdc326f47db46c21b95f7a136182ae2c8cf7b0d90695916584ed1d89656e4c5854c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM50BF.exe

Filesize
16KB

MD5
ebd3e3b6df473e614b18cb0eaa379b36

SHA1
24e938c7dbcdc023544a85dfd8a736d91cd7bc9c

SHA256
7b8a9099487a93d4faf2bbaa5f4b46d23d76d62a2002217daf8039c458d99f07

SHA512
ed51700240c10eec6b2e60c5b6eb72b981fd5e8e91b169066f3ae6cb982b7cb2b7093957f599f6b6c0a1150cd726b06d7c789441a3a8ae7d7fa688418d19b6d6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA757.exe

Filesize
16KB

MD5
d58abad129c20c4391be407e8ef9feee

SHA1
4f0a9f02531b68f3fd94417a32b9d3a1f11b4c71

SHA256
31eea34f8964dc5322767736f7d259b84e87df482afc8f04cba8990dab138a99

SHA512
cdc7a3cc3aa0d8c36df914e4c6aac92408af8fa755f4e2ee6da6fc584bd15155ed90a6dbe8c7f9cf7a2cb2777094bba8b8bafd7f6b969df550529cd2e4751bef

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFA56.exe

Filesize
16KB

MD5
a74ec5e7d50c438e25d34c26057aba53

SHA1
265d345059739f44bb895a8d6fbf0a9c84e85172

SHA256
ac9c96c60cc33c68dbc80ae50371353472164d182b3777a9155a507a3dc2a74c

SHA512
e7dec7a4975af6699f4536bf17ca3913f30ec81d73f612bc20adacd7f482da52ad8e6d7a8b2cb608b61c3280f6a80abaa6ccf805b992669ed449ca3e8b0dac3e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFE3C.exe

Filesize
16KB

MD5
19a873d66a9fe22108e1445716992851

SHA1
eb85b4a24b55c5f26ea272f84d5abb0f22af0996

SHA256
4d2fe5980a62daf7b46f7ebc93a6b56c308cd3c61b2dfff71db85e5c7ea0f53e

SHA512
46dacbc4f8a61f44d74f7c5a629b268b0783a579e729c6b2ede80f0c4e0e8cde601a2791fbeacf07e482758d87473bc8f57a1afb41c25ebf616a159ecc4dbd3a

Download Submit

Analysis

Sharing