9805ece8c7410316d9a7e1b4438aa1be201e6319d38ec443ce3a4b88ff03b6b2

General

Target

0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe
Size

14KB
MD5

0521dc76431d25b55b8a84183dc7f6e3
SHA1

b29546b4db76dc5f9a89abeda7c790a88aca572e
SHA256

9805ece8c7410316d9a7e1b4438aa1be201e6319d38ec443ce3a4b88ff03b6b2
SHA512

e2adb9f88e61d8cfd17fa5e71a87d2813bc004054b54240c4435eeb653b2554019d0d8b6bdcb2db6208974107516d42f815ad9848c1d2a09d9dd3d5f78054aac
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh75:hDXWipuE+K3/SSHgxz9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2852	DEM4F0.exe
2484	DEM5A60.exe
2136	DEMB00D.exe
1860	DEM52F.exe
1512	DEM5ACD.exe
1960	DEMB05B.exe

Loads dropped DLL 6 IoCs

pid	Process
2360	0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe
2852	DEM4F0.exe
2484	DEM5A60.exe
2136	DEMB00D.exe
1860	DEM52F.exe
1512	DEM5ACD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2852	2360	0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe	29
PID 2360 wrote to memory of 2852	2360	0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe	29
PID 2360 wrote to memory of 2852	2360	0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe	29
PID 2360 wrote to memory of 2852	2360	0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe	29
PID 2852 wrote to memory of 2484	2852	DEM4F0.exe	31
PID 2852 wrote to memory of 2484	2852	DEM4F0.exe	31
PID 2852 wrote to memory of 2484	2852	DEM4F0.exe	31
PID 2852 wrote to memory of 2484	2852	DEM4F0.exe	31
PID 2484 wrote to memory of 2136	2484	DEM5A60.exe	35
PID 2484 wrote to memory of 2136	2484	DEM5A60.exe	35
PID 2484 wrote to memory of 2136	2484	DEM5A60.exe	35
PID 2484 wrote to memory of 2136	2484	DEM5A60.exe	35
PID 2136 wrote to memory of 1860	2136	DEMB00D.exe	37
PID 2136 wrote to memory of 1860	2136	DEMB00D.exe	37
PID 2136 wrote to memory of 1860	2136	DEMB00D.exe	37
PID 2136 wrote to memory of 1860	2136	DEMB00D.exe	37
PID 1860 wrote to memory of 1512	1860	DEM52F.exe	39
PID 1860 wrote to memory of 1512	1860	DEM52F.exe	39
PID 1860 wrote to memory of 1512	1860	DEM52F.exe	39
PID 1860 wrote to memory of 1512	1860	DEM52F.exe	39
PID 1512 wrote to memory of 1960	1512	DEM5ACD.exe	41
PID 1512 wrote to memory of 1960	1512	DEM5ACD.exe	41
PID 1512 wrote to memory of 1960	1512	DEM5ACD.exe	41
PID 1512 wrote to memory of 1960	1512	DEM5ACD.exe	41

C:\Users\Admin\AppData\Local\Temp\0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\DEM4F0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4F0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\DEM5A60.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5A60.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\DEMB00D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB00D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\DEM52F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM52F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\DEMB05B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB05B.exe"
        7⤵
        Executes dropped EXE
        
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4F0.exe

Filesize
14KB

MD5
cef3a3086bb114bca648f292f6b5dcf8

SHA1
494714117242a2e9a4d2fc6430dcbcbe6115379f

SHA256
ed6742e5543f539c6766ff2d7cf427cab00ad993641feeac8bffa89ec6348863

SHA512
ad57d71452d79c2abc186dabf9d20dc38afb70257c9ed279a143326db774b66c83ed3701cdc72d745d979596aa57328a9386f78e127fd7243520c812668b6ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM52F.exe

Filesize
14KB

MD5
125f8ab7a9c8bd6186faf5e2a45d8132

SHA1
161a8b7c77ef539f40745bd502267c88e82e9aa2

SHA256
4d6ab64d3347e569d5aced7c371d89768d746507c4a2ec872c4a0e47e2ef3498

SHA512
5d7b460423ca3ac4ea7f858a30d323230c19225a5123cf9a0da71d35c7e1a0d617d58191cf415f48afd5f2e5776506c2b7941f6e82e589c792e107f2edda2a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5A60.exe

Filesize
14KB

MD5
2ed2cb94d4f3d3cc2f4e02317f45fa7f

SHA1
2a8ab299bb286231a051361c26b798cec4eadaef

SHA256
76de46a0f839cd7ec37fdccc558417a480308ea1b8a975e903cdc55a6b07b8dc

SHA512
acaca37da64e23965ff347c7bfb8be0546a8a4e9c59af2f80714ba6c02dac5caad77b482f1891b5bea212fffd61ab259166a1646a60064043744feb697629450

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5ACD.exe

Filesize
14KB

MD5
594384cdbed85085dde361627d94e544

SHA1
34233901a7d15e5ad4bea5001718ec86e9b75d2c

SHA256
c193550453adc60aeffe3f11287d2b55f7547370d98aab9e660b4bb0cbc62d8f

SHA512
c0c77b490e59f58da4dcbb0595482b37a8580372977c4636f3d87843560152ba02c44f7a64028951f064e3c5e52f3f5034b5a555d7fd9aa55eba13aae7ae0a3b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB00D.exe

Filesize
14KB

MD5
9750dedcbab17de1bb4995d5927a033e

SHA1
d5be75f2018173919117fd6794c2781f6ac6ccfe

SHA256
5565ff94ce27fcf7dc61b3c92596c5704a818d691e831b9701b5e9618973eede

SHA512
be3e8df478c7e106d7ada649031d273ccb35f752d47c9cba4262c17a8ada117810f541d85b89048dab4e02318e99d6347d0f33b117094c9dd2556e125b35f5a9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB05B.exe

Filesize
14KB

MD5
eba18d872d40b50eb15137f9b61e3a68

SHA1
48c2902bfdccfa6e2cc19597dfd13069de795014

SHA256
161f9b08a6b8675ac5f0204de1ce4be4ff8cb8ae3d513256b77659463b58b633

SHA512
3ac00dc925cfc33e39eb431e6f3d81f660c5bf966f448ccefc3db9a307b464e7a59830ee5bcc82894a2619a56cf4eb8c5163220922444b8b3bdb2b08933f2ad2

Download Submit

Analysis

Sharing