d3cf89dbe93384ddef21fc72473e468caf3516bb13fe1709d016da747c0928b3

General

Target

0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe
Size

15KB
MD5

0daee50240f2be6f8f336d17371c4cdb
SHA1

2936b10498b4d2c3cb83e11642108eda1f1b65e5
SHA256

d3cf89dbe93384ddef21fc72473e468caf3516bb13fe1709d016da747c0928b3
SHA512

d4c425a030cce70f9eadf7d393149e7660e8fa7ae005eb29b9c845b08c09fa02e60af19fa753f7fda699d8af33656306b513c2d752051445635821cd6d212ac2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6q:hDXWipuE+K3/SSHgxmyh6q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2560	DEM77AF.exe
2000	DEMCE57.exe
2072	DEM2462.exe
1680	DEM85A4.exe
1876	DEMDC99.exe
1280	DEM365C.exe

Loads dropped DLL 6 IoCs

pid	Process
2920	0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe
2560	DEM77AF.exe
2000	DEMCE57.exe
2072	DEM2462.exe
1680	DEM85A4.exe
1876	DEMDC99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2560	2920	0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe	29
PID 2920 wrote to memory of 2560	2920	0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe	29
PID 2920 wrote to memory of 2560	2920	0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe	29
PID 2920 wrote to memory of 2560	2920	0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe	29
PID 2560 wrote to memory of 2000	2560	DEM77AF.exe	33
PID 2560 wrote to memory of 2000	2560	DEM77AF.exe	33
PID 2560 wrote to memory of 2000	2560	DEM77AF.exe	33
PID 2560 wrote to memory of 2000	2560	DEM77AF.exe	33
PID 2000 wrote to memory of 2072	2000	DEMCE57.exe	35
PID 2000 wrote to memory of 2072	2000	DEMCE57.exe	35
PID 2000 wrote to memory of 2072	2000	DEMCE57.exe	35
PID 2000 wrote to memory of 2072	2000	DEMCE57.exe	35
PID 2072 wrote to memory of 1680	2072	DEM2462.exe	37
PID 2072 wrote to memory of 1680	2072	DEM2462.exe	37
PID 2072 wrote to memory of 1680	2072	DEM2462.exe	37
PID 2072 wrote to memory of 1680	2072	DEM2462.exe	37
PID 1680 wrote to memory of 1876	1680	DEM85A4.exe	39
PID 1680 wrote to memory of 1876	1680	DEM85A4.exe	39
PID 1680 wrote to memory of 1876	1680	DEM85A4.exe	39
PID 1680 wrote to memory of 1876	1680	DEM85A4.exe	39
PID 1876 wrote to memory of 1280	1876	DEMDC99.exe	41
PID 1876 wrote to memory of 1280	1876	DEMDC99.exe	41
PID 1876 wrote to memory of 1280	1876	DEMDC99.exe	41
PID 1876 wrote to memory of 1280	1876	DEMDC99.exe	41

C:\Users\Admin\AppData\Local\Temp\0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\DEM77AF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM77AF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\DEM2462.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2462.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Users\Admin\AppData\Local\Temp\DEM85A4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM85A4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Users\Admin\AppData\Local\Temp\DEMDC99.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC99.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\DEM365C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM365C.exe"
        7⤵
        Executes dropped EXE
        
        PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe

Filesize
15KB

MD5
1dc28a9700178c9ae287f455f7c3d01a

SHA1
a1179329e80e8aff8ffb6c3560cb9b0e7523a725

SHA256
d5c6dacdf5e885973c3f93d7b0c9544384ea0464f2a9bf4d0df392cd2971ac5a

SHA512
c2f5420819f7c06489860d4f155ce8a53957f558e4b6e3f1c1e906c0b19a911ade465b28f3a028ef1679612d495d92e7a8f174a641d6d58f9152f504d4bb8be8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2462.exe

Filesize
15KB

MD5
b77ccf1c5062417119cd730bf611fc3a

SHA1
f13cdafc4e9c0c1a9173c2aec361b535bcf4b30b

SHA256
fb5f2cd59072c13cf3c143e628d4dd70219ddfc05ffa36edff03ecbdeb09d55d

SHA512
3d60eff47e802bfe2ae27b23cfee1f45a7b95f32bf22fbcece60182e8e558e67761033c69dd06328a15c6362d91869a320aa385b718d447782ebe44a010603fc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM365C.exe

Filesize
15KB

MD5
aeb63ca8e051ecc4bdaf47faf795d67c

SHA1
d05072812d86e27080a5f34d636bb4a3f54ecc0c

SHA256
682fb763981d5bb9903c04cb0cc77e3c91bcfa9e86739c1541e82a8024449978

SHA512
feeace4ab9191b8b1dcda4d0f41a335c64bcf5be914b372fdd09760db5fc09988fe1d02ac1d2fe8ffb975a170dae41ff7eab369bbcd07cab90cb704c7c5dd791

Download Submit
\Users\Admin\AppData\Local\Temp\DEM77AF.exe

Filesize
15KB

MD5
5ccc4b74489e454f2c5a0ad1394dcba8

SHA1
38744d05abb3ca92c0af61b57d00759b2e41fc35

SHA256
95c12e83063ccb0f8369d421a99127bba986cd1464cd3fccae900868c2ce51a4

SHA512
219c5efaddada172315a0b06f4d8a3ddbf6d811486d966bffb52a737cd3dc22066b844852de80299ba4df043c7183402d10237e7024f57df668172921d172784

Download Submit
\Users\Admin\AppData\Local\Temp\DEM85A4.exe

Filesize
15KB

MD5
ae55a81c9dddd69e223a14d6151a6fd7

SHA1
4ac5215aaabdcdba35e32bfe5523108b3bda32ff

SHA256
437fc726cb02d07607088c759fced599ba34cacd968295fb267d3c5510bb1c7c

SHA512
c5c4dc7fd6e87ff381c2b0518b1c09e73f1af9661924bed621eb65a4916bdd662ec5c818693f4edd83b4ed52f726c6aa2bde02889dec888aeed918bbfb0e02c3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDC99.exe

Filesize
15KB

MD5
21bc7f88cc1bb2b9cc0742ec0846e0f9

SHA1
719c23560e92dbea5b485e4a87d8b9744b8fb13f

SHA256
01b624d069f3021bad6fc5d18686a74d06489be67a67d424b1814d108824b575

SHA512
66c549cdceeac8e257795b9ccba25962540ab847c5c72bf8f87c56dd207513e437d8f0b55a8c9a5df0945e4d461418f3fa75aef420d5676c9397151f7a8ff4f1

Download Submit

Analysis

Sharing