1fef67b7d70caeb1c82501df1c8a49513fc5484ff9423b7a2c77fa9f8fce8f47

General

Target

04c2d385a9913d92739cc887cb191cbc_JaffaCakes118.exe
Size

20KB
MD5

04c2d385a9913d92739cc887cb191cbc
SHA1

c179c965d7029e361b09a04200b9f7be3d1c1b88
SHA256

1fef67b7d70caeb1c82501df1c8a49513fc5484ff9423b7a2c77fa9f8fce8f47
SHA512

34e9a614d102bad6dbd2865d0aba7cd401893ad0b3c8137d3066ab2bb18dda1c97384482d0e8c87533c48d6db7a725f77ec7ec4dc86a91fb5bccc6f5caf4fee2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4kR:hDXWipuE+K3/SSHgxmHZkR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2872	DEM788A.exe
2564	DEMCF8F.exe
664	DEM2607.exe
2336	DEM7BB5.exe
2144	DEMD192.exe
1752	DEM277E.exe

Loads dropped DLL 6 IoCs

pid	Process
1152	04c2d385a9913d92739cc887cb191cbc_JaffaCakes118.exe
2872	DEM788A.exe
2564	DEMCF8F.exe
664	DEM2607.exe
2336	DEM7BB5.exe
2144	DEMD192.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2872	1152	04c2d385a9913d92739cc887cb191cbc_JaffaCakes118.exe	29
PID 1152 wrote to memory of 2872	1152	04c2d385a9913d92739cc887cb191cbc_JaffaCakes118.exe	29
PID 1152 wrote to memory of 2872	1152	04c2d385a9913d92739cc887cb191cbc_JaffaCakes118.exe	29
PID 1152 wrote to memory of 2872	1152	04c2d385a9913d92739cc887cb191cbc_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2564	2872	DEM788A.exe	33
PID 2872 wrote to memory of 2564	2872	DEM788A.exe	33
PID 2872 wrote to memory of 2564	2872	DEM788A.exe	33
PID 2872 wrote to memory of 2564	2872	DEM788A.exe	33
PID 2564 wrote to memory of 664	2564	DEMCF8F.exe	35
PID 2564 wrote to memory of 664	2564	DEMCF8F.exe	35
PID 2564 wrote to memory of 664	2564	DEMCF8F.exe	35
PID 2564 wrote to memory of 664	2564	DEMCF8F.exe	35
PID 664 wrote to memory of 2336	664	DEM2607.exe	37
PID 664 wrote to memory of 2336	664	DEM2607.exe	37
PID 664 wrote to memory of 2336	664	DEM2607.exe	37
PID 664 wrote to memory of 2336	664	DEM2607.exe	37
PID 2336 wrote to memory of 2144	2336	DEM7BB5.exe	39
PID 2336 wrote to memory of 2144	2336	DEM7BB5.exe	39
PID 2336 wrote to memory of 2144	2336	DEM7BB5.exe	39
PID 2336 wrote to memory of 2144	2336	DEM7BB5.exe	39
PID 2144 wrote to memory of 1752	2144	DEMD192.exe	41
PID 2144 wrote to memory of 1752	2144	DEMD192.exe	41
PID 2144 wrote to memory of 1752	2144	DEMD192.exe	41
PID 2144 wrote to memory of 1752	2144	DEMD192.exe	41

C:\Users\Admin\AppData\Local\Temp\04c2d385a9913d92739cc887cb191cbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04c2d385a9913d92739cc887cb191cbc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\DEM788A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM788A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\DEMCF8F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCF8F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\DEM2607.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2607.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Users\Admin\AppData\Local\Temp\DEMD192.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD192.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\DEM277E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM277E.exe"
        7⤵
        Executes dropped EXE
        
        PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2607.exe

Filesize
20KB

MD5
30b6531774d000d02f365f712dee8bbd

SHA1
57313f324956c8e2d99a8c1f8bcb1fc8d2cf6b99

SHA256
3a919f8c4c87931fd9eda5e0ae4a645baffd2c644ad0b4dd7c2c9eabd1ff18fe

SHA512
cd1dfeec623e3c63a293b9051cbe7c951696e01aed5646fb3462f8dec9e78ad6be1393bae6a98975fc0bf1a644bdab2f3c3cf305a4146b94aa5a1be9213a1dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM277E.exe

Filesize
20KB

MD5
cf10b924aa24b710a30fc8dfd9b2951d

SHA1
bdb00251105412992e0d7f097bd40dd0c02e9f03

SHA256
c01424d39da8953b672c6cd12bf8fc6f37fadf242a0477e061c9d84f88b9b89d

SHA512
7b3c43f769992a426d9b017edb1ffc759ced30872882d0d8e5b739c8ea94261374384b4a6a16bf6daf4652449c80862b09151bb0d5ea2857ecdb5e8291053c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe

Filesize
20KB

MD5
10054d1407bed9ff9afb4e689788622e

SHA1
4056fedda40f7387b0dbdf287181856a053dd222

SHA256
e9aac00a292a555c6fc2fd9d1b047e9739916d324004e0d621d7be9c2899f258

SHA512
45476c0699314adecfc1d6f487fceac448bc1b36bec63260aeade0a689ac13e76d1b13c1bbeaaa2cdd30d68742bbd2ed5bcbda964cc89ff698e89885a9f16e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCF8F.exe

Filesize
20KB

MD5
56e283a51aa56e0417e164ce3356b0df

SHA1
39b7a75174994b2a2bdac720acb68dd0f3ff7d7c

SHA256
b9317cbf75913128d5033ab0fdee7e607217b7de29a30de4e27bedcbd9860991

SHA512
fdc7991682dc328bf3ec64843d3fa57df50ea7207dc66ae6e29cd47e9bd20ff7f23e12ab3688f41932cd031003cdeb559ae8c293342fe8560229c48fbba2c4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD192.exe

Filesize
20KB

MD5
f91731dfa0cec37dc1c06461a519a559

SHA1
33c3f4c59fe9fbbebee6927cb5d2048140bad1b2

SHA256
99667d0e37e5c64823d779f01a647484aebee628c64bccdfebe38f67e29b770c

SHA512
e588f1679ddeadb95779f1606c4a865ff6ecc1dfc6875ee2a77b737b9e91d9077ae1b71def1da85d31fba8bf067d5c01ae3f95d0451772ac725d983a34233467

Download Submit
\Users\Admin\AppData\Local\Temp\DEM788A.exe

Filesize
20KB

MD5
4e8daeebde1e80be2ec8bbdd901a66e5

SHA1
cb89941ec7c72c5b1c450a1166c8a1d0c2093f58

SHA256
395de395d4c1e74cf099a1ab670b733356b00ba804773f8a5aef4a0a01745287

SHA512
4f6f26e5b48747eb7b28f8fb81df4d5fdc2087b94db7afaf7a063be7c2f6b706527ba520ba3d823b3332c71d0dbdf8398c844388382b8c5b1866238be47c54eb

Download Submit

Analysis

Sharing