4344c1539bb90ce314247cfbf54060b76c1f3954821f13d72edafd66a53d8056

General

Target

0626df0bd09632d66d385758c7a3a042_JaffaCakes118.exe
Size

14KB
MD5

0626df0bd09632d66d385758c7a3a042
SHA1

07b0b59a705b967603694334eb97e7d584434e53
SHA256

4344c1539bb90ce314247cfbf54060b76c1f3954821f13d72edafd66a53d8056
SHA512

033cab1818839ff5484d1fd86fac2d6d0e5e57eb2581e8b5a09a2d513446093aca0071269bb3732372bc03f18581e1f063c0fee1f84b131799f0d696b6222693
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJ:hDXWipuE+K3/SSHgxf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2616	DEM4E8D.exe
2528	DEMA5C1.exe
2392	DEMFCC6.exe
1964	DEM538C.exe
2508	DEMAA91.exe
2844	DEM148.exe

Loads dropped DLL 6 IoCs

pid	Process
1460	0626df0bd09632d66d385758c7a3a042_JaffaCakes118.exe
2616	DEM4E8D.exe
2528	DEMA5C1.exe
2392	DEMFCC6.exe
1964	DEM538C.exe
2508	DEMAA91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2616	1460	0626df0bd09632d66d385758c7a3a042_JaffaCakes118.exe	29
PID 1460 wrote to memory of 2616	1460	0626df0bd09632d66d385758c7a3a042_JaffaCakes118.exe	29
PID 1460 wrote to memory of 2616	1460	0626df0bd09632d66d385758c7a3a042_JaffaCakes118.exe	29
PID 1460 wrote to memory of 2616	1460	0626df0bd09632d66d385758c7a3a042_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2528	2616	DEM4E8D.exe	33
PID 2616 wrote to memory of 2528	2616	DEM4E8D.exe	33
PID 2616 wrote to memory of 2528	2616	DEM4E8D.exe	33
PID 2616 wrote to memory of 2528	2616	DEM4E8D.exe	33
PID 2528 wrote to memory of 2392	2528	DEMA5C1.exe	35
PID 2528 wrote to memory of 2392	2528	DEMA5C1.exe	35
PID 2528 wrote to memory of 2392	2528	DEMA5C1.exe	35
PID 2528 wrote to memory of 2392	2528	DEMA5C1.exe	35
PID 2392 wrote to memory of 1964	2392	DEMFCC6.exe	37
PID 2392 wrote to memory of 1964	2392	DEMFCC6.exe	37
PID 2392 wrote to memory of 1964	2392	DEMFCC6.exe	37
PID 2392 wrote to memory of 1964	2392	DEMFCC6.exe	37
PID 1964 wrote to memory of 2508	1964	DEM538C.exe	39
PID 1964 wrote to memory of 2508	1964	DEM538C.exe	39
PID 1964 wrote to memory of 2508	1964	DEM538C.exe	39
PID 1964 wrote to memory of 2508	1964	DEM538C.exe	39
PID 2508 wrote to memory of 2844	2508	DEMAA91.exe	41
PID 2508 wrote to memory of 2844	2508	DEMAA91.exe	41
PID 2508 wrote to memory of 2844	2508	DEMAA91.exe	41
PID 2508 wrote to memory of 2844	2508	DEMAA91.exe	41

C:\Users\Admin\AppData\Local\Temp\0626df0bd09632d66d385758c7a3a042_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0626df0bd09632d66d385758c7a3a042_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\DEM4E8D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4E8D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\DEMA5C1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA5C1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\DEMFCC6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFCC6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\DEM538C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM538C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\DEMAA91.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAA91.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\DEM148.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM148.exe"
        7⤵
        Executes dropped EXE
        
        PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA5C1.exe

Filesize
14KB

MD5
86cf1a7b5592269d7b6c60208cf02581

SHA1
15b4256fbf1934aa7e8def62bde871a29f7b2e28

SHA256
73cc6bc98f7ae50c365cd7098ca1e338f727e4e16e008a127898fc85cdf283ad

SHA512
a7752b3024c3d6a6cedd354cee53ffbdeac449c1ebf18a195e256c26a73bb956d74ab3862c63ebe65f170063890b0521ba294701581039b8690d65849987a240

Download Submit
\Users\Admin\AppData\Local\Temp\DEM148.exe

Filesize
14KB

MD5
f72f2b2be3a4ba25fd13163edc1ad994

SHA1
a805520df55e9cf657e86b284087cb762ffc71a0

SHA256
ebf43b7e55c6cfb8cfe87bf1c4f656a9b9a49df0c751205ce3261cb83dd536c7

SHA512
ea104717960e12eb5b535ed2f701d8d0a1ce053a43e4dee86a85c21b596c7d5e26c765ba2298aab84900ece1a0e7e359cccd70bfd0e40c0dbb0f492a97468cc3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4E8D.exe

Filesize
14KB

MD5
b70220049d61e3139311f7c314e6c8ae

SHA1
5e5d23d2f54250205ead5491dc95ae6efc35b5cf

SHA256
90c79785168d0be71b727c000f61f403e3980b13e99e34f400074108a0004540

SHA512
3cf0fc4170e83308a34dbf4a6275e486741ca7ef7e7465c1c448640e56f515b39b34e31199d3e68f1faae2c284df39697bcd41ad7134a8fb90bf7ab7f1197f21

Download Submit
\Users\Admin\AppData\Local\Temp\DEM538C.exe

Filesize
14KB

MD5
25eaeaa33618102caf55cf61bfd7854f

SHA1
ef5a0c5a88ed21fb5e939992202b75a97830f1d9

SHA256
a94efd40e4490809e1c9143e1fbf1a96e19c4942f5f2807cb6ba4fff833c72e2

SHA512
2fc5d33f79a3d49e61cda23609b415375ccac29da2be4e16b8087f7fb03da2b79872dd78031dcdf63af7d4d9fb281714487e8ffebe3d74e4ec78dc4939288495

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAA91.exe

Filesize
14KB

MD5
cc1e5b5c82bd49d3fe1383f48d4e97a4

SHA1
caccfa826c709f7f9a43dcf89a878347582d8a96

SHA256
bf081a03cd5488f606075ec2c1a4f63246f8900a7d2e42efe24c92f2eb931939

SHA512
9a6726bc84d2ccabbfcc6a2251c12ba73393bc8a0f8bd85f8ac97060c8e66f38e32d6a2bd62c4000d0ba595cad83ca6591aca7fed56d9f2ff15f4a14aeaceef3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFCC6.exe

Filesize
14KB

MD5
bb9664be8786863dc1530582425ea6a5

SHA1
18d2dbfa25dfb2596d371a49b13acf473f2a65cf

SHA256
42d7ab76e7fc556c7172e78eafbd4b673ffc3533faa0375808c6f66eb8d1d49f

SHA512
b633173726af22eea1387349d12b9e5450cc4d9b32333ffcb057e8e563235065365b27103fe65094ec4c11a26956cb2878009464a7c890c2b97d1c0fe9f6bcee

Download Submit

Analysis

Sharing