9c2b56f019317c46bc691d08421803e5ee5cc3974535005dadd3b95654233285

General

Target

14668fa1dcb66c1fa19c448fce2dda1d_JaffaCakes118.exe
Size

14KB
MD5

14668fa1dcb66c1fa19c448fce2dda1d
SHA1

88349297b433aa9839a5ec897ef8fa4eb479e081
SHA256

9c2b56f019317c46bc691d08421803e5ee5cc3974535005dadd3b95654233285
SHA512

da6c57fa05d92bc984760b255e4135a1d3eea640b806095204872d21db426e7bd2a1b8cd53eb921d34088739524dc92290e6a637ff132cc9d2f0b796467e1b33
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHujm:hDXWipuE+K3/SSHgx3NHHF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2728	DEM5235.exe
2856	DEMA831.exe
1500	DEMFF26.exe
2264	DEM5467.exe
2676	DEMA9F5.exe
2280	DEMFF94.exe

Loads dropped DLL 6 IoCs

pid	Process
2204	14668fa1dcb66c1fa19c448fce2dda1d_JaffaCakes118.exe
2728	DEM5235.exe
2856	DEMA831.exe
1500	DEMFF26.exe
2264	DEM5467.exe
2676	DEMA9F5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2728	2204	14668fa1dcb66c1fa19c448fce2dda1d_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2728	2204	14668fa1dcb66c1fa19c448fce2dda1d_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2728	2204	14668fa1dcb66c1fa19c448fce2dda1d_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2728	2204	14668fa1dcb66c1fa19c448fce2dda1d_JaffaCakes118.exe	29
PID 2728 wrote to memory of 2856	2728	DEM5235.exe	33
PID 2728 wrote to memory of 2856	2728	DEM5235.exe	33
PID 2728 wrote to memory of 2856	2728	DEM5235.exe	33
PID 2728 wrote to memory of 2856	2728	DEM5235.exe	33
PID 2856 wrote to memory of 1500	2856	DEMA831.exe	35
PID 2856 wrote to memory of 1500	2856	DEMA831.exe	35
PID 2856 wrote to memory of 1500	2856	DEMA831.exe	35
PID 2856 wrote to memory of 1500	2856	DEMA831.exe	35
PID 1500 wrote to memory of 2264	1500	DEMFF26.exe	37
PID 1500 wrote to memory of 2264	1500	DEMFF26.exe	37
PID 1500 wrote to memory of 2264	1500	DEMFF26.exe	37
PID 1500 wrote to memory of 2264	1500	DEMFF26.exe	37
PID 2264 wrote to memory of 2676	2264	DEM5467.exe	39
PID 2264 wrote to memory of 2676	2264	DEM5467.exe	39
PID 2264 wrote to memory of 2676	2264	DEM5467.exe	39
PID 2264 wrote to memory of 2676	2264	DEM5467.exe	39
PID 2676 wrote to memory of 2280	2676	DEMA9F5.exe	41
PID 2676 wrote to memory of 2280	2676	DEMA9F5.exe	41
PID 2676 wrote to memory of 2280	2676	DEMA9F5.exe	41
PID 2676 wrote to memory of 2280	2676	DEMA9F5.exe	41

C:\Users\Admin\AppData\Local\Temp\14668fa1dcb66c1fa19c448fce2dda1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14668fa1dcb66c1fa19c448fce2dda1d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\DEM5235.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5235.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\DEMA831.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA831.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\DEMFF26.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFF26.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\DEM5467.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5467.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Users\Admin\AppData\Local\Temp\DEMA9F5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA9F5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\DEMFF94.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFF94.exe"
        7⤵
        Executes dropped EXE
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA831.exe

Filesize
14KB

MD5
c75c339423e99a7debfa688ae677df0e

SHA1
b389f6d0365247f747bf1d0cf772f7fe0279cb34

SHA256
e72cfcfa3e6dd4bc33e174e78e5bac7f58852b0edd67cfe9a7e922a5b9762b2a

SHA512
a209cbbd669062f507e97253094f445456ae9d8a5b73aac9a5f70a46008f3c14e465b3cc743dcf6005deb263b76cdae42ff9d55598514054c114da22d02f6787

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA9F5.exe

Filesize
14KB

MD5
0db183a010c2a4ba96b3165dac516ae3

SHA1
52d907bf0e8c2b545053bb2450aef88755d49219

SHA256
8df8152aafba75bab5c7f7c1e50d80ccecc6a4bd73158d89d11fac2624ca7323

SHA512
415e79c82cf1ee476016c19b7691955f245504c902098a24ab6fc41aa65c8d4871e0ec370ebaa2aa0930b9ad11828f1f2151af6619c39a4aaf040f42f8e9d3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFF94.exe

Filesize
14KB

MD5
080c70b799598b2860f8a29765feef92

SHA1
a573324383c802ca348c58d928b92941ae5e7974

SHA256
576c8b73e1b3c73b93127a826db3f7c664cd270de5ae319588ad9a8321f5f8e9

SHA512
67d9aca1b391f004c37297f524c479a297365c06314bdfe40cc34ea532ddc5ff05da67162e353285be713448df7f6616055e650d2fe015b9df3bc95309bd38ef

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5235.exe

Filesize
14KB

MD5
44d2a95ecfa5c3ca7bb70fe6ad9d785c

SHA1
e70424e0242d5160812c96440fb029383123b87f

SHA256
7c0703277728ec93231e816d5d788f418bd08747ffa9c60cf76dfe9b7eb2f6bc

SHA512
de28c3715226d19473e4f0527c3ef4745eb1a579434a0095a73615db4571ea29ba08b6721d399e32b115a225453a19b908e2f758e924d1e99cc56cc72f907dc9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5467.exe

Filesize
14KB

MD5
374f279d29e25ee84214f648400c4ec9

SHA1
85c5e9a47f5949c62e781d6350e57990a65007c1

SHA256
7cc6f8d1dc1897112a158243131165dcb5cfa13b2aee3b0870c48bf7fd932f54

SHA512
c8d78c810ecd8df1768a5d4bf249600b32439d472be2451d9bcc0c66e018d02c4272722e14edf01c45d8d87b469dfd265dede63555b3942ecd9f5d960391d65d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFF26.exe

Filesize
14KB

MD5
47640e8e1468075cf8f72c14a4e8d121

SHA1
fc703e256320d292cd9dbba683b213b34edde854

SHA256
2df4ad5127d2db8ba461e23a2dfbc07829387d1f7bf11efea296e84d09827ede

SHA512
6a548485f89688575aba729e88b9bc08dbe59300fd66c01491c09397c474a242844eb3d881c05d0b46070b7a821675b5c95d187e77cecd97681ffe9714affc25

Download Submit

Analysis

Sharing