d55dfacefb8a8d91bbf77343e0a259b44af0f1f20fc1afc56be4e73a1eefedae

General

Target

17176e9c5dd5ba68020950d2bed9b46c_JaffaCakes118.exe
Size

14KB
MD5

17176e9c5dd5ba68020950d2bed9b46c
SHA1

5c3ddc1694dfa0ddade781b204048cea94defeac
SHA256

d55dfacefb8a8d91bbf77343e0a259b44af0f1f20fc1afc56be4e73a1eefedae
SHA512

1a54e85d618ae42b4c28cdfe97d8b1a37f76c2ea3250def9146ebec768c1cc00b3f8ccaac4408c93529a991f522b7bd7e650a51c83fd3886cb0d389e6578fe3c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5TW:hDXWipuE+K3/SSHgxvW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2904	DEM4D46.exe
2976	DEMA44B.exe
2456	DEMFA56.exe
1652	DEM50CE.exe
2772	DEMA747.exe
1736	DEMFE2D.exe

Loads dropped DLL 6 IoCs

pid	Process
812	17176e9c5dd5ba68020950d2bed9b46c_JaffaCakes118.exe
2904	DEM4D46.exe
2976	DEMA44B.exe
2456	DEMFA56.exe
1652	DEM50CE.exe
2772	DEMA747.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2904	812	17176e9c5dd5ba68020950d2bed9b46c_JaffaCakes118.exe	29
PID 812 wrote to memory of 2904	812	17176e9c5dd5ba68020950d2bed9b46c_JaffaCakes118.exe	29
PID 812 wrote to memory of 2904	812	17176e9c5dd5ba68020950d2bed9b46c_JaffaCakes118.exe	29
PID 812 wrote to memory of 2904	812	17176e9c5dd5ba68020950d2bed9b46c_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2976	2904	DEM4D46.exe	33
PID 2904 wrote to memory of 2976	2904	DEM4D46.exe	33
PID 2904 wrote to memory of 2976	2904	DEM4D46.exe	33
PID 2904 wrote to memory of 2976	2904	DEM4D46.exe	33
PID 2976 wrote to memory of 2456	2976	DEMA44B.exe	35
PID 2976 wrote to memory of 2456	2976	DEMA44B.exe	35
PID 2976 wrote to memory of 2456	2976	DEMA44B.exe	35
PID 2976 wrote to memory of 2456	2976	DEMA44B.exe	35
PID 2456 wrote to memory of 1652	2456	DEMFA56.exe	37
PID 2456 wrote to memory of 1652	2456	DEMFA56.exe	37
PID 2456 wrote to memory of 1652	2456	DEMFA56.exe	37
PID 2456 wrote to memory of 1652	2456	DEMFA56.exe	37
PID 1652 wrote to memory of 2772	1652	DEM50CE.exe	39
PID 1652 wrote to memory of 2772	1652	DEM50CE.exe	39
PID 1652 wrote to memory of 2772	1652	DEM50CE.exe	39
PID 1652 wrote to memory of 2772	1652	DEM50CE.exe	39
PID 2772 wrote to memory of 1736	2772	DEMA747.exe	41
PID 2772 wrote to memory of 1736	2772	DEMA747.exe	41
PID 2772 wrote to memory of 1736	2772	DEMA747.exe	41
PID 2772 wrote to memory of 1736	2772	DEMA747.exe	41

C:\Users\Admin\AppData\Local\Temp\17176e9c5dd5ba68020950d2bed9b46c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17176e9c5dd5ba68020950d2bed9b46c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Local\Temp\DEM4D46.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4D46.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\DEMA44B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA44B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\DEMFA56.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFA56.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Users\Admin\AppData\Local\Temp\DEM50CE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM50CE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Users\Admin\AppData\Local\Temp\DEMA747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA747.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\DEMFE2D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE2D.exe"
        7⤵
        Executes dropped EXE
        
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA44B.exe

Filesize
14KB

MD5
41bbd166fa223bb83cadcb8947c05bf7

SHA1
09b8c1bc4ea91791514dc433abc2d8cda5eb87ba

SHA256
1c0e9aa1ceddd116036596a4163a0250f1300a91cb18b93f47f4109088273dcb

SHA512
e1d68b33015cc56a5e18fd7cf4b737ba2fe6d5b5fe03fb6eeb8cc29ec4dcad49d15755e389085790a5620dadff273a544a1610a3d78ed4c82b3255757fe92e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA747.exe

Filesize
14KB

MD5
3af268649b4f4f341d86dcdf1c51abaa

SHA1
ebadc3f60a1df1c1df3ab2c11221f91734dab80f

SHA256
ce57a92edca66d7ec2a5307952b0e9ab68b7957d0cf3196e684d5499d0068f78

SHA512
555b5c183a3dac2f05de37b8e49ffbfe938f08d7e673d6d02e168cc6db00f591a341601127315f79e688be7abdd1499f7da1baea31367e627fa3aee8ec98f85c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4D46.exe

Filesize
14KB

MD5
0b64f6d6372f4548b5f3a28279f53c7e

SHA1
e64cba69dff5145c5f256298ce5f67b3c728ea91

SHA256
91aee375360479d97f19288570e05913dd5d79651b02b69b0948f5aa342e89cf

SHA512
f8d0270d6c0ee4d3405912b2a60e22dbe2218df84b433f814ee421a94207c30f00336d3d40eb6cd07bb417244e75968121521396a661a397c101a2c802959e06

Download Submit
\Users\Admin\AppData\Local\Temp\DEM50CE.exe

Filesize
14KB

MD5
0b5eaab517945f3c44c4240a6d258708

SHA1
008f5f9570a9b74e78a314529d19651e151e3dac

SHA256
efa87de6cd199cace07f861b8dcb7d253001cfe49f7d2137ec4ddbe78a4b23af

SHA512
e4d2aaf3d8f8ad5872b96e62fcb6bd62cc67c375610903dbd5979c41d62e0457a3f06ee2fe1fe81003806d0606b014de540e7335ecaf4da95148f838d48cf00e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFA56.exe

Filesize
14KB

MD5
c5610b450f8b76d1789eedcf6b88b3e3

SHA1
0848f0f4d41ff118094183e97db33d119bbd91e9

SHA256
e8e71b47ea7e6c73f43dc1c64424a3c5bdbe9ab6dd4a57a68f6046d24ad3da6e

SHA512
c13059e1f390684f3dff80ff7f2f9910cc029cfbb59414185f8857d77696cc2b08035733483a65599ea338a0041f9c682a01fa4b799502ee68043d4a6ca2d212

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFE2D.exe

Filesize
14KB

MD5
7fbf2378eab9bc619087949a60d5c993

SHA1
f965447e042305ec8c521ffb3ed935262d41706d

SHA256
5c6d41f02689b9f46840dda3901dbd1bcc0bd3823beda76872f93f8e1167f77a

SHA512
9121a5e68586390945a141c5f93b89ec6a1f78d739110c7ca8a96443c5a13e1448bc08f0564f3b505e66ca9fa54dd96a70779a534c924e06bf98bfa12dc572b6

Download Submit

Analysis

Sharing