4151a755adf90ae22062ffd43b5709bd0cc6b0a9972d7fc49e2da680dde7f227

General

Target

14aed211d675c954891c6defbae12b06_JaffaCakes118.exe
Size

20KB
MD5

14aed211d675c954891c6defbae12b06
SHA1

75692dcc3e4ec20460d20999dd514c27fbe0f50f
SHA256

4151a755adf90ae22062ffd43b5709bd0cc6b0a9972d7fc49e2da680dde7f227
SHA512

08cb44626966e916af3596eabddc9bfc8ab6eb3f498d2ae10443d37989b8162b47db39edaed384e72c02af39e317368296a75add234b436b2fa2a3cfe533c840
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4sf:hDXWipuE+K3/SSHgxmHZsf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2640	DEM3801.exe
2484	DEM9231.exe
2512	DEME8AA.exe
2224	DEM3EB5.exe
552	DEM951E.exe
1880	DEMEB49.exe

Loads dropped DLL 6 IoCs

pid	Process
1712	14aed211d675c954891c6defbae12b06_JaffaCakes118.exe
2640	DEM3801.exe
2484	DEM9231.exe
2512	DEME8AA.exe
2224	DEM3EB5.exe
552	DEM951E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2640	1712	14aed211d675c954891c6defbae12b06_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2640	1712	14aed211d675c954891c6defbae12b06_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2640	1712	14aed211d675c954891c6defbae12b06_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2640	1712	14aed211d675c954891c6defbae12b06_JaffaCakes118.exe	29
PID 2640 wrote to memory of 2484	2640	DEM3801.exe	33
PID 2640 wrote to memory of 2484	2640	DEM3801.exe	33
PID 2640 wrote to memory of 2484	2640	DEM3801.exe	33
PID 2640 wrote to memory of 2484	2640	DEM3801.exe	33
PID 2484 wrote to memory of 2512	2484	DEM9231.exe	35
PID 2484 wrote to memory of 2512	2484	DEM9231.exe	35
PID 2484 wrote to memory of 2512	2484	DEM9231.exe	35
PID 2484 wrote to memory of 2512	2484	DEM9231.exe	35
PID 2512 wrote to memory of 2224	2512	DEME8AA.exe	37
PID 2512 wrote to memory of 2224	2512	DEME8AA.exe	37
PID 2512 wrote to memory of 2224	2512	DEME8AA.exe	37
PID 2512 wrote to memory of 2224	2512	DEME8AA.exe	37
PID 2224 wrote to memory of 552	2224	DEM3EB5.exe	39
PID 2224 wrote to memory of 552	2224	DEM3EB5.exe	39
PID 2224 wrote to memory of 552	2224	DEM3EB5.exe	39
PID 2224 wrote to memory of 552	2224	DEM3EB5.exe	39
PID 552 wrote to memory of 1880	552	DEM951E.exe	41
PID 552 wrote to memory of 1880	552	DEM951E.exe	41
PID 552 wrote to memory of 1880	552	DEM951E.exe	41
PID 552 wrote to memory of 1880	552	DEM951E.exe	41

C:\Users\Admin\AppData\Local\Temp\14aed211d675c954891c6defbae12b06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14aed211d675c954891c6defbae12b06_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\DEM3801.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3801.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\DEM9231.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9231.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\DEME8AA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME8AA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\DEM3EB5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3EB5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Users\Admin\AppData\Local\Temp\DEM951E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM951E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\DEMEB49.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEB49.exe"
        7⤵
        Executes dropped EXE
        
        PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9231.exe

Filesize
20KB

MD5
03bbc222c25fa0707796b1339070bd18

SHA1
ff279141e405cc81b0165b7f1cc1ed21a12137c5

SHA256
83b3035f153146c3235ee59b9ac1d7615329dfd3acd37b526a24a84c71420594

SHA512
a1cf1367033e7322c6208833ba71da4c5c8a02bda0aceb363d9123bdf37ea0b846a1ed48ac29895cb5d94184aa11c6e0b767be44b3b0e387ce003dd080b009d8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3801.exe

Filesize
20KB

MD5
5cceefed664cb6599feb66c6c59ee5c8

SHA1
787aeeda47d02bf9229c2046694c2adfbe37994b

SHA256
ae06bbaaeb2589b48b42d11418a00f09305d47c9ffc1aaa33c7b5f864cd15cf5

SHA512
9bd1a14df7b2331a626deec80bfcccf6b91c469721a9de038a3dfd0139dd60460d9442f7d1c2233befc4d38539f23b441b2754eaae04b08e72ade758d7ff09bb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3EB5.exe

Filesize
20KB

MD5
5ed6d4b7ccc895ac32800072e33e1940

SHA1
a7b5fceb761d52c1b626bed66447f0cf785608b0

SHA256
3908b88d1cb2242fecf099e05ffebbf34d138d5aadf31f5c80b56a33a76ce088

SHA512
b2d493043eb7be9fa39a88f0734209969e31c6813fa0b44606eb80abf5dfde48576ad5ca92f555ac1703a014256b0342eb276fc82bf141c3514f3e4c3dacdc3a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM951E.exe

Filesize
20KB

MD5
d2a683086beff16aa49abf05c9b188b9

SHA1
8b0255928df8f7740de22f37f6d20c2b0e0dfa9a

SHA256
caa0571988d09ff0402c0dc1d058e0931ce8b6ceb24340b91f639ac10e1bbe19

SHA512
b1d246290995212de4a582b8a14d6e8a7d012fca49a344a74be81bb06890df7519b1ad914558dff03db9fb4c1ba13d5d57e501f8ac7bf39807e83566ee6f24d4

Download Submit
\Users\Admin\AppData\Local\Temp\DEME8AA.exe

Filesize
20KB

MD5
2dbe896e9734997f31b5376c04752042

SHA1
1a978d7b55fe08cf3639cca7a7c1e9dc195a8a52

SHA256
6c7258cee665653de53cba1133dfc1f3182ea2478c74e3adf27e2e6413308066

SHA512
a908882c8f8c2f32db9d3c8096fadf0100db90ea7c502b17d1dbb5bb485d0c0603068955c55c1892bd3e94b08e858897279ddef01ee611ae6b131e981396afcb

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEB49.exe

Filesize
20KB

MD5
a745a527016b5f642f98ead25ff2a9f4

SHA1
2e0a23da1aca6021e6e25b591c413f1f4dab3cf0

SHA256
e18a3ec759784b003233aa35db64be87823538a999fb355c5e90cd71b2a9a5de

SHA512
a0fa711cdde96b352f4e9c4a073c73ef503136b1eb653b93c4aa5816f12a4b5a88e5008c379a2336d492567d14cda6d7b281ed317f9d1fb1646d14148cb36fcd

Download Submit

Analysis

Sharing