43a37d65260cc4c09c238e40a320147b336572a22a5838b4ee754df20c19bc43

General

Target

07633919b26187d28e305657cbb9326c_JaffaCakes118.exe
Size

15KB
MD5

07633919b26187d28e305657cbb9326c
SHA1

a609e1c4348ffd9fd4926fb0335b98f7526cc963
SHA256

43a37d65260cc4c09c238e40a320147b336572a22a5838b4ee754df20c19bc43
SHA512

38f74b57da98d813d8e0c90a6d957cb169dfc287c3a9a0de0624638146a0d776f7e691f9777c7a1e37d15652c27d1c6c073421304920e4da29cd379e1373e9cd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwF:hDXWipuE+K3/SSHgx/wF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2512	DEM72C0.exe
2872	DEMD4FB.exe
2704	DEM2AA9.exe
1240	DEM8018.exe
1856	DEMD549.exe
2108	DEM2AB8.exe

Loads dropped DLL 6 IoCs

pid	Process
1636	07633919b26187d28e305657cbb9326c_JaffaCakes118.exe
2512	DEM72C0.exe
2872	DEMD4FB.exe
2704	DEM2AA9.exe
1240	DEM8018.exe
1856	DEMD549.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2512	1636	07633919b26187d28e305657cbb9326c_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2512	1636	07633919b26187d28e305657cbb9326c_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2512	1636	07633919b26187d28e305657cbb9326c_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2512	1636	07633919b26187d28e305657cbb9326c_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2872	2512	DEM72C0.exe	33
PID 2512 wrote to memory of 2872	2512	DEM72C0.exe	33
PID 2512 wrote to memory of 2872	2512	DEM72C0.exe	33
PID 2512 wrote to memory of 2872	2512	DEM72C0.exe	33
PID 2872 wrote to memory of 2704	2872	DEMD4FB.exe	35
PID 2872 wrote to memory of 2704	2872	DEMD4FB.exe	35
PID 2872 wrote to memory of 2704	2872	DEMD4FB.exe	35
PID 2872 wrote to memory of 2704	2872	DEMD4FB.exe	35
PID 2704 wrote to memory of 1240	2704	DEM2AA9.exe	37
PID 2704 wrote to memory of 1240	2704	DEM2AA9.exe	37
PID 2704 wrote to memory of 1240	2704	DEM2AA9.exe	37
PID 2704 wrote to memory of 1240	2704	DEM2AA9.exe	37
PID 1240 wrote to memory of 1856	1240	DEM8018.exe	39
PID 1240 wrote to memory of 1856	1240	DEM8018.exe	39
PID 1240 wrote to memory of 1856	1240	DEM8018.exe	39
PID 1240 wrote to memory of 1856	1240	DEM8018.exe	39
PID 1856 wrote to memory of 2108	1856	DEMD549.exe	41
PID 1856 wrote to memory of 2108	1856	DEMD549.exe	41
PID 1856 wrote to memory of 2108	1856	DEMD549.exe	41
PID 1856 wrote to memory of 2108	1856	DEMD549.exe	41

C:\Users\Admin\AppData\Local\Temp\07633919b26187d28e305657cbb9326c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07633919b26187d28e305657cbb9326c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\DEM72C0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM72C0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\DEMD4FB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD4FB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\DEM2AA9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2AA9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\DEM8018.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8018.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Users\Admin\AppData\Local\Temp\DEMD549.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD549.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\DEM2AB8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2AB8.exe"
        7⤵
        Executes dropped EXE
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2AA9.exe

Filesize
15KB

MD5
a4795a7bd8db2aac5f4394a7c97c59a1

SHA1
f549136980b41f530079ed26315ac6ca2d4b31f7

SHA256
1d4320e52e93663b4199100d817240523df101383e4021bbeeb8c90ced02d5a0

SHA512
2e06204b3487655ee1b51bdd93a76eca4972afda18d1b59978e2616b35f2e77d26a96872be39861ee9827186df7a99fe06fece07c55bfabf16cf1e691c93fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD4FB.exe

Filesize
15KB

MD5
af46265d390c42fb20f75bf578fc6966

SHA1
549861ae8fbb837e72372b7de28e693909f128a5

SHA256
3cd43cd6e40a9444e99b7d61f6ddd8408ff77b19b3b72428406d807070424147

SHA512
687a4f810a7c538d3fa4a920ffa1d4f2b6dac8b4eed903bb8b41c8c426459d403c7ffc52ffc886203e78e8e287591d976546d86ebf8b3d75576abef2c3cf300c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2AB8.exe

Filesize
15KB

MD5
80277f1d55f92295e4e9bef4441b1929

SHA1
eb4fed44f69dd88a06ee75951690512008b26c77

SHA256
3fc16e142110e7a76b3a0eb55e15e8cf0f08582bf40423efbc0ef0825513c9f6

SHA512
f48bf5dcfc9d5e8f4a21a797c8dd7b121955d29e9947a60f1c5df7e6c74a0a3797c052935d64a25ac6b1e528705ca48ffc4faa241dad94b1851ecea8a061d5ed

Download Submit
\Users\Admin\AppData\Local\Temp\DEM72C0.exe

Filesize
15KB

MD5
17413547309b1de97985cf1ca404947a

SHA1
1fdcfd1bc658cba8b8930b024435af33bc0b44a0

SHA256
44fc98a1c3c889bdb835f81bb9092753bcb038ddd41d0df1c1f2db5d42bb7544

SHA512
62d648cdff22536ff3a7a50735faf96c29950e68b7958da8524522fdea6c9cec52426b7788fd3595c7eeeceef31713ed8b86019af35885376f32f20866d9b463

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8018.exe

Filesize
15KB

MD5
416cbcc421ef3051f78570cd6f269a96

SHA1
72391cda51ba2d55c4a16d7a4a0983fa7cc8e10d

SHA256
5c999dec949e8799ec566d6e508e88038cead19984e54d31c7124535d020b77d

SHA512
0f17c20654bac1f96b41d5fb7aea08bbecb8dd7defee33e1fa260918f332f4ae9530711974490bf3644040de2419c7964e11f50d1d4d10c9c79669bb1e8a4162

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD549.exe

Filesize
15KB

MD5
bde608943a920a35a8a2693293ecc026

SHA1
f3e25cafcc5b5082e0f31550edd5c459f8e793e3

SHA256
fdaa1d2f3fef0b9e6c577ed080a916890b1d4ba82d3dd6c6e839020d9e98dfe9

SHA512
8442782d67d7f0c72f4125596b67866d1379918baca957aadde469fce292456fbd0eaa3322f38cb9c83282164c47427f40566b66d4dc9b66547aa41d206642c8

Download Submit

Analysis

Sharing