4e61f2d2eb0f67671a64dd38591673444124febe0f6181d714cb2be719c051cf

General

Target

0846170ac28b312c25ee517667552ebb_JaffaCakes118.exe
Size

16KB
MD5

0846170ac28b312c25ee517667552ebb
SHA1

edbb96fdde0b642704df9994b6709ba665db3f65
SHA256

4e61f2d2eb0f67671a64dd38591673444124febe0f6181d714cb2be719c051cf
SHA512

760573223f93908ad6b0dba54ace2edb17eb2667f0b4871cbb479a1efb2878f5c630b32fc3be8d945f1aa195a87c27f5b26381fe6a8f24eaf39cab04aaffb478
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJUc+QV:hDXWipuE+K3/SSHgxyQV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3048	DEM22BD.exe
2712	DEM77DE.exe
2692	DEMCCF0.exe
1984	DEM2202.exe
268	DEM7723.exe
2128	DEMCC35.exe

Loads dropped DLL 6 IoCs

pid	Process
2952	0846170ac28b312c25ee517667552ebb_JaffaCakes118.exe
3048	DEM22BD.exe
2712	DEM77DE.exe
2692	DEMCCF0.exe
1984	DEM2202.exe
268	DEM7723.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 3048	2952	0846170ac28b312c25ee517667552ebb_JaffaCakes118.exe	29
PID 2952 wrote to memory of 3048	2952	0846170ac28b312c25ee517667552ebb_JaffaCakes118.exe	29
PID 2952 wrote to memory of 3048	2952	0846170ac28b312c25ee517667552ebb_JaffaCakes118.exe	29
PID 2952 wrote to memory of 3048	2952	0846170ac28b312c25ee517667552ebb_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2712	3048	DEM22BD.exe	33
PID 3048 wrote to memory of 2712	3048	DEM22BD.exe	33
PID 3048 wrote to memory of 2712	3048	DEM22BD.exe	33
PID 3048 wrote to memory of 2712	3048	DEM22BD.exe	33
PID 2712 wrote to memory of 2692	2712	DEM77DE.exe	35
PID 2712 wrote to memory of 2692	2712	DEM77DE.exe	35
PID 2712 wrote to memory of 2692	2712	DEM77DE.exe	35
PID 2712 wrote to memory of 2692	2712	DEM77DE.exe	35
PID 2692 wrote to memory of 1984	2692	DEMCCF0.exe	37
PID 2692 wrote to memory of 1984	2692	DEMCCF0.exe	37
PID 2692 wrote to memory of 1984	2692	DEMCCF0.exe	37
PID 2692 wrote to memory of 1984	2692	DEMCCF0.exe	37
PID 1984 wrote to memory of 268	1984	DEM2202.exe	39
PID 1984 wrote to memory of 268	1984	DEM2202.exe	39
PID 1984 wrote to memory of 268	1984	DEM2202.exe	39
PID 1984 wrote to memory of 268	1984	DEM2202.exe	39
PID 268 wrote to memory of 2128	268	DEM7723.exe	41
PID 268 wrote to memory of 2128	268	DEM7723.exe	41
PID 268 wrote to memory of 2128	268	DEM7723.exe	41
PID 268 wrote to memory of 2128	268	DEM7723.exe	41

C:\Users\Admin\AppData\Local\Temp\0846170ac28b312c25ee517667552ebb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0846170ac28b312c25ee517667552ebb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\DEM22BD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM22BD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\DEM77DE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM77DE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\DEM2202.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2202.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\DEM7723.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7723.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\DEMCC35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCC35.exe"
        7⤵
        Executes dropped EXE
        
        PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2202.exe

Filesize
16KB

MD5
88789efeb93e65c0ded0c46c4fc9a775

SHA1
638137e95d50c65f573f8a890ddbb3377c0b2315

SHA256
4cc46f9d0fba2c458d6870e78e93cdb253589e63cdcb38e8d5ec7c2a6444bfb0

SHA512
9f306fdb5ccdb40373729c713d440ded7453861dc0c37166c43cedf98e16948be49e6153e721dd0e2ae5b18136eb99207de270ef79ce133b38492081a1cc1290

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77DE.exe

Filesize
16KB

MD5
8b312f4edb589cd5031659097bd08543

SHA1
0814f788e4daf89c1651410e87d638252a2dc1ca

SHA256
5b54685ed4a3d25c35c972c5ae6347654c88b9b1631c47b1e3dccb3d3cf0e5f4

SHA512
32a1aeae326e7e70b374fc671708756f582d9b47a95e07e8d457dcaeef3cb8ae91e92f6c50eb88f47c28b5fd76a418304d24ee2561965235cc9e91ccb8a4df4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCC35.exe

Filesize
16KB

MD5
51881b495477a7317750b0dad903b27c

SHA1
4ae0491bfe9ef58a84d78189a692b4caf097c089

SHA256
13a45ef71706b381572a030ad76ab4316ed8148a9d71ac04b04f6ce8eedc40b1

SHA512
4818817ff4ea4d9030462fbd9f6f59c57b2234f8d193525a8efd2d249a09ced15141a00aecd151ae8be297d36419ea546fe8523fc1e952a723a100bf08a504c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe

Filesize
16KB

MD5
cb2789cf77b322a76fe08272e9f4088c

SHA1
01e5783b1804321c9ba6eec2ceb6c03a75401530

SHA256
e9dde4bd45eeeeed2ae38e4dd921ffcc4361fa4cd8b39580771013d46a181e95

SHA512
ccc0938f15780ed765c35f49f432c3788307e0f5316b8fe71fe06e11ccbe7c8913aa44512d64562914a11e2f0d4d59828227eb15074d9e2a3f23919cf27ecfa4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM22BD.exe

Filesize
16KB

MD5
68d4f97a740e8877436c1d756440519b

SHA1
1e454bbe59368d5d884ff0e861d757cc113e1e4a

SHA256
177e28dae9073d5a74166680a824c1666886590a3ab5b7da5aabe6993d9bee19

SHA512
aa37d3739f5c99a2349c635f1ee3dd8730826c8e2fac28034d0180a6e3f874ace09c9395655645b46bdd59672e5e1821f5fa6ad4d40c8e784e0b02a33bbe873b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7723.exe

Filesize
16KB

MD5
02a32a81bb170123145dbb6483f76ecb

SHA1
af30328a60b2ec253ae0515b372910fa348dcc5e

SHA256
bab528a5027cbe6b0146796765753b8c037d2822308c6d4609a8970358c487a4

SHA512
0629c61f4cb8290cbfa9807a98131fd47122f0ebdf91a01d4dae6fe816974964a3134202693e98333409e107e0ca4d5fc11a35c2cde92799fccf7bdba09b0994

Download Submit

Analysis

Sharing