d3aee4c5ebcddb31a83807d81372c50747225e2d765b4f69980584209d104437

General

Target

15656101b69dfe351f10a27cf33dd217_JaffaCakes118.exe
Size

16KB
MD5

15656101b69dfe351f10a27cf33dd217
SHA1

3a17fabb058fbee0427c0b6225107865e79f6e16
SHA256

d3aee4c5ebcddb31a83807d81372c50747225e2d765b4f69980584209d104437
SHA512

edf3a69dc9de358e8cff8549d714cd540bec4e06dbbb10124bb0853d89ebeb2fe33de70ae49643f2aee0a174334a72289c35b3f9df9ddb6edb063cb954839b59
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh2O:hDXWipuE+K3/SSHgx0O

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2576	DEM2AD8.exe
2448	DEM8076.exe
2664	DEMD5D5.exe
1712	DEM2B26.exe
780	DEM8047.exe
2412	DEMD604.exe

Loads dropped DLL 6 IoCs

pid	Process
1220	15656101b69dfe351f10a27cf33dd217_JaffaCakes118.exe
2576	DEM2AD8.exe
2448	DEM8076.exe
2664	DEMD5D5.exe
1712	DEM2B26.exe
780	DEM8047.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2576	1220	15656101b69dfe351f10a27cf33dd217_JaffaCakes118.exe	29
PID 1220 wrote to memory of 2576	1220	15656101b69dfe351f10a27cf33dd217_JaffaCakes118.exe	29
PID 1220 wrote to memory of 2576	1220	15656101b69dfe351f10a27cf33dd217_JaffaCakes118.exe	29
PID 1220 wrote to memory of 2576	1220	15656101b69dfe351f10a27cf33dd217_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2448	2576	DEM2AD8.exe	33
PID 2576 wrote to memory of 2448	2576	DEM2AD8.exe	33
PID 2576 wrote to memory of 2448	2576	DEM2AD8.exe	33
PID 2576 wrote to memory of 2448	2576	DEM2AD8.exe	33
PID 2448 wrote to memory of 2664	2448	DEM8076.exe	35
PID 2448 wrote to memory of 2664	2448	DEM8076.exe	35
PID 2448 wrote to memory of 2664	2448	DEM8076.exe	35
PID 2448 wrote to memory of 2664	2448	DEM8076.exe	35
PID 2664 wrote to memory of 1712	2664	DEMD5D5.exe	37
PID 2664 wrote to memory of 1712	2664	DEMD5D5.exe	37
PID 2664 wrote to memory of 1712	2664	DEMD5D5.exe	37
PID 2664 wrote to memory of 1712	2664	DEMD5D5.exe	37
PID 1712 wrote to memory of 780	1712	DEM2B26.exe	39
PID 1712 wrote to memory of 780	1712	DEM2B26.exe	39
PID 1712 wrote to memory of 780	1712	DEM2B26.exe	39
PID 1712 wrote to memory of 780	1712	DEM2B26.exe	39
PID 780 wrote to memory of 2412	780	DEM8047.exe	41
PID 780 wrote to memory of 2412	780	DEM8047.exe	41
PID 780 wrote to memory of 2412	780	DEM8047.exe	41
PID 780 wrote to memory of 2412	780	DEM8047.exe	41

C:\Users\Admin\AppData\Local\Temp\15656101b69dfe351f10a27cf33dd217_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15656101b69dfe351f10a27cf33dd217_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\DEM2AD8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2AD8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\DEM8076.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8076.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\DEMD5D5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD5D5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\DEM2B26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2B26.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\DEM8047.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8047.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\DEMD604.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD604.exe"
        7⤵
        Executes dropped EXE
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8076.exe

Filesize
16KB

MD5
6cd8fc6b71d003bbf59017b56d14f6a7

SHA1
c73625fbbfdcecab592d28e828b473cbfaf9584e

SHA256
8cfdadc37f774b899cbc6ccba843537216a5dac83d5dd448478f7a7033017854

SHA512
b4dbd7374c80a648b44345ea89fb744b8265ed7353e6ceb4a70e8843100bf039d85f3fcccba16bafe8b51a8f6f72fdfa8614d686448367f775be3026fb6b3dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD5D5.exe

Filesize
16KB

MD5
2f9b2fdfc339f1b3eb438239892f4b3e

SHA1
9392f76a0be66f3ead814ad3943c250975d5ccfa

SHA256
b1095b49ff547cf0d2e36dbc1b8c1f882016914dac82e4d95290d4286fe62f79

SHA512
39725725306c8b7b33c4e4a3fdf07c97eb32675bd1b28766eb8566b99e1da7a1a59200a255b8fe626fed1112141ee4bf9353538413cbfe6957765604a3959927

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2AD8.exe

Filesize
16KB

MD5
a49b7ed969ec749d3f9d77817022a6fb

SHA1
48a6be242bb6c398f58f5b73ecc8b9108c7b996d

SHA256
284e45c3c0a2c2c819a21ad426e015053e213f632286b7a6ad98da13f31b6e81

SHA512
cfeceedf8453d9893e400f32316b8aced07fa3438d12d06377ac865e8e8d399ed627a9ed9b65368f503ca671b8d9d4535fe907218a59d3e47ff4b0f75137ce32

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2B26.exe

Filesize
16KB

MD5
81bbe9490a345413fad469b0319be21e

SHA1
1b80989f6acb357e897d78e4da122c08eb996981

SHA256
3b731f5617a76c2b97a36e8069e8d2aedac252d7ea01852456b08b8f1d77b53e

SHA512
18cbc49e8359dd81903e7b646bedfa76895d1a8c12a77a512daffa2bb765b0bb08c423e154ed583f6c293860a6deb74aa6d26b49a1d091973aa139662175dfcb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8047.exe

Filesize
16KB

MD5
15ea4f772e455b647d5717b32d3e29e5

SHA1
81958ab9bf021b2c2a4d063c10f095b5581a9ada

SHA256
715963493b805cca1a5de0e206470dbaf3d45eae2c52ac9febcb46a79a8f241e

SHA512
fec039076cdc3883a8d21733ff05fb21e1bc3a45eb983e311112b114920e3c286e9f5a44add72891998fefbf36ea883516033c5162c8bf3339da18a0d770c751

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD604.exe

Filesize
16KB

MD5
a2c821f8fcc03baf10ec73dcef36dbdd

SHA1
abe13d85d7700241f03b5a5c666d52f0bbeba5a2

SHA256
bc7fbdd9612a54d91c429b96e44a9ffd45bf12c1f01ccf6bb37c691e2097e119

SHA512
fbacf99dcbbac8a1ae2d097b68099c2697985378596dd2f294538e0a4a6a18fa30a2b76370b5aac19ff5f042b40704d4c2d2c09e4d5225bb4d30ed0755b8bd23

Download Submit

Analysis

Sharing