1193547d3340b7ceef433b720dd96d2ea4b493030a9494626472f3a8958dfee6

General

Target

1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
Size

15KB
MD5

1691b284f4f743299f55fb45a1430800
SHA1

4ff517a23e180ee9f7e3bd4052258f956ca7e2ca
SHA256

1193547d3340b7ceef433b720dd96d2ea4b493030a9494626472f3a8958dfee6
SHA512

75e0879d77e09cdcd086a0b9a0af2e6f692f402074eeb0893d428f3a6a2bbeccc0df16dac0ca533b8eda3b27ad6172f1665b2c4adaa8d3ede5d70a77893f2c37
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcPay8K:hDXWipuE+K3/SSHgxmkClK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2588	DEM1EC7.exe
2852	DEM7530.exe
2996	DEMCA8F.exe
1188	DEM207C.exe
2952	DEM75DB.exe
2420	DEMCB5A.exe

Loads dropped DLL 6 IoCs

pid	Process
2756	1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
2588	DEM1EC7.exe
2852	DEM7530.exe
2996	DEMCA8F.exe
1188	DEM207C.exe
2952	DEM75DB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2588	2756	1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe	29
PID 2756 wrote to memory of 2588	2756	1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe	29
PID 2756 wrote to memory of 2588	2756	1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe	29
PID 2756 wrote to memory of 2588	2756	1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe	29
PID 2588 wrote to memory of 2852	2588	DEM1EC7.exe	31
PID 2588 wrote to memory of 2852	2588	DEM1EC7.exe	31
PID 2588 wrote to memory of 2852	2588	DEM1EC7.exe	31
PID 2588 wrote to memory of 2852	2588	DEM1EC7.exe	31
PID 2852 wrote to memory of 2996	2852	DEM7530.exe	35
PID 2852 wrote to memory of 2996	2852	DEM7530.exe	35
PID 2852 wrote to memory of 2996	2852	DEM7530.exe	35
PID 2852 wrote to memory of 2996	2852	DEM7530.exe	35
PID 2996 wrote to memory of 1188	2996	DEMCA8F.exe	37
PID 2996 wrote to memory of 1188	2996	DEMCA8F.exe	37
PID 2996 wrote to memory of 1188	2996	DEMCA8F.exe	37
PID 2996 wrote to memory of 1188	2996	DEMCA8F.exe	37
PID 1188 wrote to memory of 2952	1188	DEM207C.exe	39
PID 1188 wrote to memory of 2952	1188	DEM207C.exe	39
PID 1188 wrote to memory of 2952	1188	DEM207C.exe	39
PID 1188 wrote to memory of 2952	1188	DEM207C.exe	39
PID 2952 wrote to memory of 2420	2952	DEM75DB.exe	41
PID 2952 wrote to memory of 2420	2952	DEM75DB.exe	41
PID 2952 wrote to memory of 2420	2952	DEM75DB.exe	41
PID 2952 wrote to memory of 2420	2952	DEM75DB.exe	41

C:\Users\Admin\AppData\Local\Temp\1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\DEM1EC7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1EC7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\DEM7530.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7530.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\DEM207C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM207C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Users\Admin\AppData\Local\Temp\DEM75DB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM75DB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\DEMCB5A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCB5A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7530.exe

Filesize
15KB

MD5
d5095793fc1fd8ebbc510b5e306aa04e

SHA1
0ae6f35c0860e74fba481934ac2ad532b5996131

SHA256
3d38d31e86c9afa52dbb24fc4fa1e86994a048fe5e3ff0e88bb2272361d31936

SHA512
ecb5cd8da1c002520e21041f7bca985e69a1ae9360eb74d13537fe5171ac2d872c6e1290537902d648ccfe0475729db19e492a2f4eeab68902e851a832236910

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe

Filesize
15KB

MD5
1ec3711a462bf88fe3987b59c78edd14

SHA1
55d1e88bcfeea4f3982a3eac86cd88990ffaff41

SHA256
a8a9b34baed94e676e96cfc3bb7519fc2b82f4b76e9210e90d40b145f4d922e1

SHA512
cd53865c2f53516f6715870204ea8066358f44484ebad3361fba336207e7de125830e776db5d422ef162ed5e7f53965166f05aa19e594a4c8283cf9ce12c4af8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1EC7.exe

Filesize
15KB

MD5
3a1e0911983ca4800432f36acfedcd9e

SHA1
ef3f35881c5022aeceeabcb5f3c4e2e74de70728

SHA256
83785af52c89e3e8a66f003bb21e33b160d1cd01a17df2f6b5a711574e68ce6c

SHA512
0d668cd17b21d2f963d51be5e1c710ab19d2dfe5a0d4dbaf39ce62020154790fdd45b554b32315def1666ce51b7ca9d1838bdab5fb564f46071750a9cdb6a84d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM207C.exe

Filesize
15KB

MD5
3bff7726afab2f27642407dfa97d34e4

SHA1
f28594ff3a7f2e9d085ab915b713ea9f64481902

SHA256
904133038aaf3ce7a9a93315beb4d53f285a779b80b5fa0d72cfd9a6dc466f01

SHA512
6233bf34ba015825bbd51337682ede8f946d60b93cf6ce3e3cb7d9a0946ff0347bf3211952dee33b77548e145295365983e6304ce753d09abe3fb41dbc5a85bb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM75DB.exe

Filesize
15KB

MD5
74c7bee1deccc663cb4bf61212cc9c96

SHA1
3063bd143feedcdf5e415f313920826e2d728f0a

SHA256
fe9f19c9bed49bc6abe533ec245b97dc9d7b7e2f6a94b3bdee7712ba1929271e

SHA512
b53a486ea49a8fe59a5c464498305355d60684570e617a111e98063b97d257bb62eb792d8e5f8412e65d6a093d8083e842c6f0afcda4b54b045db1ed793b4130

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCB5A.exe

Filesize
15KB

MD5
386917305e44277c9089717757a4a24b

SHA1
498737112143e0de9fb6474623f6f3c5a9fe7e2b

SHA256
f2a578e7036da301d41af651d1f23303a82b473db461670cd0ceceaf264fbce4

SHA512
06c5f6177c0b93c0629f78443fb07fb0a33f24d862b717eb456c9f34adcbeb195a43dfb54a069397c9e95f075072bf5820d17fd4de536f212be7b3e21003d7f1

Download Submit

Analysis

Sharing