3e41c2ea1a89210df7294916a78b395c8ac4430a763dd3efef3f70816d544d26

General

Target

047822d172306197d883786aa0e7a1e5_JaffaCakes118.exe
Size

15KB
MD5

047822d172306197d883786aa0e7a1e5
SHA1

4c3fc6df4cdb0da129cf5382802dba4342b61907
SHA256

3e41c2ea1a89210df7294916a78b395c8ac4430a763dd3efef3f70816d544d26
SHA512

1078d7c86f62dec814caf934c7d866e9a8b3de7ad6a6186bb5232dafa740ca025817a0d9c9afe0a37d6712d7a0e96d10b0e33eb3f5566987c99459b5b9318216
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYF:hDXWipuE+K3/SSHgxmF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2036	DEM1D50.exe
2476	DEM7291.exe
2764	DEMC89C.exe
1084	DEM1DEC.exe
2744	DEM73C9.exe
384	DEMC919.exe

Loads dropped DLL 6 IoCs

pid	Process
2972	047822d172306197d883786aa0e7a1e5_JaffaCakes118.exe
2036	DEM1D50.exe
2476	DEM7291.exe
2764	DEMC89C.exe
1084	DEM1DEC.exe
2744	DEM73C9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2036	2972	047822d172306197d883786aa0e7a1e5_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2036	2972	047822d172306197d883786aa0e7a1e5_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2036	2972	047822d172306197d883786aa0e7a1e5_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2036	2972	047822d172306197d883786aa0e7a1e5_JaffaCakes118.exe	29
PID 2036 wrote to memory of 2476	2036	DEM1D50.exe	31
PID 2036 wrote to memory of 2476	2036	DEM1D50.exe	31
PID 2036 wrote to memory of 2476	2036	DEM1D50.exe	31
PID 2036 wrote to memory of 2476	2036	DEM1D50.exe	31
PID 2476 wrote to memory of 2764	2476	DEM7291.exe	35
PID 2476 wrote to memory of 2764	2476	DEM7291.exe	35
PID 2476 wrote to memory of 2764	2476	DEM7291.exe	35
PID 2476 wrote to memory of 2764	2476	DEM7291.exe	35
PID 2764 wrote to memory of 1084	2764	DEMC89C.exe	37
PID 2764 wrote to memory of 1084	2764	DEMC89C.exe	37
PID 2764 wrote to memory of 1084	2764	DEMC89C.exe	37
PID 2764 wrote to memory of 1084	2764	DEMC89C.exe	37
PID 1084 wrote to memory of 2744	1084	DEM1DEC.exe	39
PID 1084 wrote to memory of 2744	1084	DEM1DEC.exe	39
PID 1084 wrote to memory of 2744	1084	DEM1DEC.exe	39
PID 1084 wrote to memory of 2744	1084	DEM1DEC.exe	39
PID 2744 wrote to memory of 384	2744	DEM73C9.exe	41
PID 2744 wrote to memory of 384	2744	DEM73C9.exe	41
PID 2744 wrote to memory of 384	2744	DEM73C9.exe	41
PID 2744 wrote to memory of 384	2744	DEM73C9.exe	41

C:\Users\Admin\AppData\Local\Temp\047822d172306197d883786aa0e7a1e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\047822d172306197d883786aa0e7a1e5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\DEM1D50.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1D50.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\DEM7291.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7291.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\DEM1DEC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1DEC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1084
      - C:\Users\Admin\AppData\Local\Temp\DEM73C9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM73C9.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\DEMC919.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC919.exe"
        7⤵
        Executes dropped EXE
        
        PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7291.exe

Filesize
15KB

MD5
d8d33d5406e67f41d419c0582c1ff9eb

SHA1
d3beaaf7aabbfb4fa95ba51db3b9b8915a7f748b

SHA256
aaf63f009e38520283b09a1f2885e81f5c6922d89576a667863e69eae3535dad

SHA512
a3e10381f4326557384115f2d099e4281712e6a9ac705bd7cf0b613178d98c1c8755cb814cc1905276a75b9e1a8af9d60aeaca03666d48b950970260148afe53

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1D50.exe

Filesize
15KB

MD5
ddabbe01cd23a37c5ba78f9b2250c65b

SHA1
1c589803f00f8dabd681abbcbc36ac246226a22d

SHA256
3aa843f264db3940f7ac87abe4d691d6957682fbb782ea87836b438b87d23d1f

SHA512
370e1fbeded547ef060265137a58cae3e8942cd42ba4ad3cde122ebcc349c5a2dbecebd5199cd9815732fe5b99c23102b81f062d494c4c3ccbe58370bac66c68

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1DEC.exe

Filesize
15KB

MD5
04a7d3023334301aeb1cb321164c3914

SHA1
de830fba96017710a006f8b1dfc0d662cbc4e51e

SHA256
9eac5e9eac06f06ac613a07fb138c88d406fd0b6931c6a2e0db61159d1cb40a8

SHA512
610cde692a0cef5e89a9f2dea1ad420587b293b9f023b65d70194d5306cc0c606d16a24f59a5b94a391a62d32b780b8eebb91ecce6c3dfd7ca8051bc527c15e2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM73C9.exe

Filesize
15KB

MD5
002bd50aea8e6f5ca271e82b73960c57

SHA1
5272f2fa4953f0d252d1fbfa27fe29b9c48360d8

SHA256
dba970c1db5742383028d53031bcaea0fa0c94bd6fedaa2405e353fef22171c2

SHA512
29f87cf4fb6015159f51cbe7612cccdb461d2b017a222ab2ba96bcc49c1c0675b84f88dbf097b3193a731f6df788d675e13fae4cd149a0742662ae6677b07a4d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC89C.exe

Filesize
15KB

MD5
d52f2888b4a31f7a5d6d9bda475c03d8

SHA1
519680fc47fab17284df8b37800cd93783bbab5a

SHA256
8a900a9018b628e8aefe870dc1459145b2ccfa37cbb8c0b446a90b86aa8a1d00

SHA512
48d7beba58932934abfa284e8060b2b39c4826c3dd92a7ef8427bab5a5d5899b8b9f39efe6a6ab137021086ea975bd1781b4ba2eb0f55bac4a10048784e77bb4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC919.exe

Filesize
15KB

MD5
56ca48574f7f9c05c93fe2fc6ee5db78

SHA1
742b187a1ce990a0f8a35d82166cb157921cc1c4

SHA256
7a2de90273a28065640030b309e95f72a8ba3453bc6d0d272b201e80a4642c27

SHA512
3bb5dfdc8c4e98c5a765d61919b58490111d76c197b364a2bf9a4703c3757c78f10f8d2df28aeab2ef4ef51b369b9e4c78a0586f14f6efe3ce69bb3f4404d3f9

Download Submit

Analysis

Sharing