254d08013a3f145a263402d2b553ae7a4e425badf981a3799b15a42463fe10f7

General

Target

01ea79435cd0d3392e4c0bf370e2ffb9_JaffaCakes118.exe
Size

15KB
MD5

01ea79435cd0d3392e4c0bf370e2ffb9
SHA1

bc852ffeaf81dc7690445e53667840f54b5075dc
SHA256

254d08013a3f145a263402d2b553ae7a4e425badf981a3799b15a42463fe10f7
SHA512

44a98c46e81a7ed565441c410b118112030259932d062a74770a40e1300e96ffaa57941d4e7bc26551355e59d4649d227be8a239289f61f307503cd47e681180
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhilr:hDXWipuE+K3/SSHgxLil

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2624	DEM4135.exe
2480	DEM98E5.exe
2476	DEMEED2.exe
1692	DEM4588.exe
2752	DEM9CAD.exe
3020	DEMF400.exe

Loads dropped DLL 6 IoCs

pid	Process
1620	01ea79435cd0d3392e4c0bf370e2ffb9_JaffaCakes118.exe
2624	DEM4135.exe
2480	DEM98E5.exe
2476	DEMEED2.exe
1692	DEM4588.exe
2752	DEM9CAD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2624	1620	01ea79435cd0d3392e4c0bf370e2ffb9_JaffaCakes118.exe	29
PID 1620 wrote to memory of 2624	1620	01ea79435cd0d3392e4c0bf370e2ffb9_JaffaCakes118.exe	29
PID 1620 wrote to memory of 2624	1620	01ea79435cd0d3392e4c0bf370e2ffb9_JaffaCakes118.exe	29
PID 1620 wrote to memory of 2624	1620	01ea79435cd0d3392e4c0bf370e2ffb9_JaffaCakes118.exe	29
PID 2624 wrote to memory of 2480	2624	DEM4135.exe	33
PID 2624 wrote to memory of 2480	2624	DEM4135.exe	33
PID 2624 wrote to memory of 2480	2624	DEM4135.exe	33
PID 2624 wrote to memory of 2480	2624	DEM4135.exe	33
PID 2480 wrote to memory of 2476	2480	DEM98E5.exe	35
PID 2480 wrote to memory of 2476	2480	DEM98E5.exe	35
PID 2480 wrote to memory of 2476	2480	DEM98E5.exe	35
PID 2480 wrote to memory of 2476	2480	DEM98E5.exe	35
PID 2476 wrote to memory of 1692	2476	DEMEED2.exe	37
PID 2476 wrote to memory of 1692	2476	DEMEED2.exe	37
PID 2476 wrote to memory of 1692	2476	DEMEED2.exe	37
PID 2476 wrote to memory of 1692	2476	DEMEED2.exe	37
PID 1692 wrote to memory of 2752	1692	DEM4588.exe	39
PID 1692 wrote to memory of 2752	1692	DEM4588.exe	39
PID 1692 wrote to memory of 2752	1692	DEM4588.exe	39
PID 1692 wrote to memory of 2752	1692	DEM4588.exe	39
PID 2752 wrote to memory of 3020	2752	DEM9CAD.exe	41
PID 2752 wrote to memory of 3020	2752	DEM9CAD.exe	41
PID 2752 wrote to memory of 3020	2752	DEM9CAD.exe	41
PID 2752 wrote to memory of 3020	2752	DEM9CAD.exe	41

C:\Users\Admin\AppData\Local\Temp\01ea79435cd0d3392e4c0bf370e2ffb9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01ea79435cd0d3392e4c0bf370e2ffb9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\DEM4135.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4135.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\DEM98E5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM98E5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\DEMEED2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEED2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\DEM4588.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4588.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\DEM9CAD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9CAD.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\DEMF400.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF400.exe"
        7⤵
        Executes dropped EXE
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4588.exe

Filesize
15KB

MD5
48a825dd30556deee63cb4a1d1ee36a2

SHA1
d90b8df760ae1d6cce91dcd9d014408865c177c4

SHA256
25989dae34fa00cede4b65f349406f9128c0154966a164e5dcd2aa8bc644e937

SHA512
57cea8b4352ee416d8b10d1707ed39383cb8c8ac78585adbf14e2197efe2f5b2bf99677a0886f3ba628cd510947119178d9e535a6f39538580247bdb2d15241e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM98E5.exe

Filesize
15KB

MD5
0db8472e48ed17ec9ca874719eb39d6d

SHA1
76718bd48b96c6f448fc8f1c59f868daa7842014

SHA256
c1121d0c3a75d042d61c9459ca41dcf42190fb33f65b353fcdcd716236a713dc

SHA512
36bb7858a49ce611e8ab3d99d03de12e80739b2faa6748454cb6a110e3c62a0412685734ebc4fb489b14827926c017e3608ffb58559ea095855009bab20cf758

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9CAD.exe

Filesize
15KB

MD5
7282dfd4d570a4902f370577c8be0ef3

SHA1
4c6a2234e1e7da06756b082ce7dd9bd24f5b8ded

SHA256
039c2df97b7647b7fe3226be273aad0f82ba5b7c1938d8773ead7f013874bbfb

SHA512
156560c318d6f28c984560e819ae3309402abae31053ffb32215ff9241e12de1d806adc231696c9af68c43f4c7b8671aad1a689415504ab0ec3240ffddbeba74

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4135.exe

Filesize
15KB

MD5
ebf7b4c06c63fce122bf3f0ee317228c

SHA1
c5c0e7c004dfb4e9bf1fa19e10f5e0e65d4b55c9

SHA256
514b18403ca0052498faaa2fbf69c8c67e88ab3cae06e416e4c862462801fd4c

SHA512
f03f1b5da51098636a341b4bb9a19f96ae984ab33b62c6dc60bd2dde64ef5a8d114e464677f8cb52b7cbf864bc18090c0145a764fc8e222d7952ae253672d096

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEED2.exe

Filesize
15KB

MD5
5f052f410100e05c32eba3473256ee8d

SHA1
fd80876d68ab10da0e31d3087753b69288011f13

SHA256
388034bbf0aaae4955c3de7ea996e17c668bc8dd73f335c6c24c30b639b4d04b

SHA512
9bc5ca6cc437c8954b3a70a861c95679b6b434067f1175f7739c7ed7b9356fd834065a4970dbddd187a40b3a0bb7959920772ba3c79d533458a84f76b66d5e2a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF400.exe

Filesize
15KB

MD5
8022964b15056dc7fb393766684a2870

SHA1
5580dc2e8d491185e6a408d672bbb552c6ae989f

SHA256
43f2546bfd76e8206bd2a1ac3bd143bfe4e763b2c43304294021c57699b637b8

SHA512
e29ae9ca2a303f3e05810c9ed27241a550b011c646549d7779abbb27a42ad5c1ff728e7bf33bbbe84cc056e61101df97fb2920e7a4b36da0ece44fcf7752c1ba

Download Submit

Analysis

Sharing