ec8cd1967a5a50cd6930a516d77dbe40fa8c0324550d2e8838b02d6d0bf3994d

General

Target

13bf03822363f33495128c4b919327fd_JaffaCakes118.exe
Size

15KB
MD5

13bf03822363f33495128c4b919327fd
SHA1

a35abf96f1a965b9b790ffbd8b9dc4ce06428a55
SHA256

ec8cd1967a5a50cd6930a516d77dbe40fa8c0324550d2e8838b02d6d0bf3994d
SHA512

7c91a57b8d1a935c3d090cc5a80050e1f4f4803c8595ee5efac315bfe1c2ae2f54414c80763db289acc7fa7252563d2fb42d0ed9fd6b4cfeba7f4ab94949b7c5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4l+LQ:hDXWipuE+K3/SSHgxmo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2664	DEM4D17.exe
2948	DEMA41C.exe
852	DEMFB8E.exe
1900	DEM52D1.exe
1484	DEMA9E6.exe
2092	DEM11A.exe

Loads dropped DLL 6 IoCs

pid	Process
2352	13bf03822363f33495128c4b919327fd_JaffaCakes118.exe
2664	DEM4D17.exe
2948	DEMA41C.exe
852	DEMFB8E.exe
1900	DEM52D1.exe
1484	DEMA9E6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2664	2352	13bf03822363f33495128c4b919327fd_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2664	2352	13bf03822363f33495128c4b919327fd_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2664	2352	13bf03822363f33495128c4b919327fd_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2664	2352	13bf03822363f33495128c4b919327fd_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2948	2664	DEM4D17.exe	33
PID 2664 wrote to memory of 2948	2664	DEM4D17.exe	33
PID 2664 wrote to memory of 2948	2664	DEM4D17.exe	33
PID 2664 wrote to memory of 2948	2664	DEM4D17.exe	33
PID 2948 wrote to memory of 852	2948	DEMA41C.exe	35
PID 2948 wrote to memory of 852	2948	DEMA41C.exe	35
PID 2948 wrote to memory of 852	2948	DEMA41C.exe	35
PID 2948 wrote to memory of 852	2948	DEMA41C.exe	35
PID 852 wrote to memory of 1900	852	DEMFB8E.exe	37
PID 852 wrote to memory of 1900	852	DEMFB8E.exe	37
PID 852 wrote to memory of 1900	852	DEMFB8E.exe	37
PID 852 wrote to memory of 1900	852	DEMFB8E.exe	37
PID 1900 wrote to memory of 1484	1900	DEM52D1.exe	39
PID 1900 wrote to memory of 1484	1900	DEM52D1.exe	39
PID 1900 wrote to memory of 1484	1900	DEM52D1.exe	39
PID 1900 wrote to memory of 1484	1900	DEM52D1.exe	39
PID 1484 wrote to memory of 2092	1484	DEMA9E6.exe	41
PID 1484 wrote to memory of 2092	1484	DEMA9E6.exe	41
PID 1484 wrote to memory of 2092	1484	DEMA9E6.exe	41
PID 1484 wrote to memory of 2092	1484	DEMA9E6.exe	41

C:\Users\Admin\AppData\Local\Temp\13bf03822363f33495128c4b919327fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13bf03822363f33495128c4b919327fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\DEM4D17.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4D17.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\DEMA41C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA41C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\DEMFB8E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFB8E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Users\Admin\AppData\Local\Temp\DEM52D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM52D1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Users\Admin\AppData\Local\Temp\DEMA9E6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA9E6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\DEM11A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM11A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA41C.exe

Filesize
15KB

MD5
22ebf98cc0a1b1b4ff95341e97be2e0e

SHA1
fce64d987bc28321135e412ff650c21b38aeab48

SHA256
6b258f9818a72edda271344b60cad9311a9070d221a7b6062b91ea08f2d5eb13

SHA512
3b45639278a5757ec611f45974ce0aa4d899030d0ab62d2ab2e4d2676de6095e5fe3cf6222ed3f17520f6e2b9d42c3724ab2aea64fc2fdcc65f9b502b5dea12b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM11A.exe

Filesize
15KB

MD5
7ebe77398f075c446070ccd54b938c24

SHA1
0a398e198f20054f333c328584d608960f5e984f

SHA256
806f047092b053ba25d1db6c10b2a9c4f378bdf285ae71357a37b574b59df94e

SHA512
edfc992693021c5a3dd424eb319979e5e3aa644e3f5b6b190c7e7fd24070ebebb0e906a27a03c475d15409a89a8e3a3b3a0f200d433e8f528d3f086a759c3c4b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4D17.exe

Filesize
15KB

MD5
bdc4ddc8ecfef564f0daabe9c640ad26

SHA1
a99eba65aec4473532be07fda5d6abb8d8bddc7b

SHA256
927d31ede8583eca986c289649bb72f612170120cbf7dcedc78a78464739eec3

SHA512
f01c781193fce64b182bf4ac518d2f8dfcbb53b708c5a24976a4cae78c0f2f9e670b7c3b92ce794ef68cc7d3d46fb193a4a8a9ff6671b7802df3b692df52bb20

Download Submit
\Users\Admin\AppData\Local\Temp\DEM52D1.exe

Filesize
15KB

MD5
f1d0d4b19c2cdf4840877f55e637ba55

SHA1
a7c332692dacd49a23cd5beb713209dd8b8d7225

SHA256
6b6ca021938a8f900ceb93611a20801ccc9fc3412b163dd0df2692d31b5d1f42

SHA512
2a077c49d261d024ec6c96129991b75a97564845b546ba4bba0abbfe30a48a33029139df55c6f61ed3d7b0cdf375eeeb7c6afe8b90eb99f404bdd1a744419fcc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA9E6.exe

Filesize
15KB

MD5
1457158c485b06186c7376118c8c51fe

SHA1
3d57b18123a7db569aa3f6b39070c53e0ccfe412

SHA256
0292ffdcb2ac280af53a11fcb9a8e0a191ded34545ca217f950c9317e30ccfe9

SHA512
606d19d22cd7e948cbbb30bb307a0ef792b90f540c80b200bbc2e8a2522940a77d837c931227d1526def557722872874a483249f7015d753b20c142c4814b738

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFB8E.exe

Filesize
15KB

MD5
dc938277ccd00c65ce58604348ba877a

SHA1
4710251f3f7f4b42596b48e0ff8f358b7d36c6d8

SHA256
9d8039597860c5d1dc43066ed549b4a3c3c5c6b819a5281aa5eb02787616edf8

SHA512
f1f6b71cf94b894b9e3600299cb43fe6467b86791f5540849639f2903d4666b2b322061bc169cea8c93acbdee52a3edc4460a950911e55b0d90a4d17d58b89f2

Download Submit

Analysis

Sharing