77756d8673f5d531c219f369e3954bb2302daf5f53bea49bf1125fe2baa3ece7

General

Target

1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe
Size

15KB
MD5

1718b8db4272c116d9feb3d713d7f97d
SHA1

fa42b37092efb003200aa397e6caea34530f38aa
SHA256

77756d8673f5d531c219f369e3954bb2302daf5f53bea49bf1125fe2baa3ece7
SHA512

67727d9dceae5eeb0e7b8c1a2a9155467a3a578887c4559a52af498bcc9ccbbdb8827100042e25751ddcd4de501d3843d5f3e7124213c6e2891ca76b50c7d5b5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvAzG:hDXWipuE+K3/SSHgxm4q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3020	DEMA737.exe
2388	DEMFE3C.exe
2392	DEM5486.exe
944	DEMAB8B.exe
1644	DEM232.exe
1332	DEM5928.exe

Loads dropped DLL 6 IoCs

pid	Process
1412	1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe
3020	DEMA737.exe
2388	DEMFE3C.exe
2392	DEM5486.exe
944	DEMAB8B.exe
1644	DEM232.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 3020	1412	1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe	31
PID 1412 wrote to memory of 3020	1412	1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe	31
PID 1412 wrote to memory of 3020	1412	1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe	31
PID 1412 wrote to memory of 3020	1412	1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2388	3020	DEMA737.exe	33
PID 3020 wrote to memory of 2388	3020	DEMA737.exe	33
PID 3020 wrote to memory of 2388	3020	DEMA737.exe	33
PID 3020 wrote to memory of 2388	3020	DEMA737.exe	33
PID 2388 wrote to memory of 2392	2388	DEMFE3C.exe	35
PID 2388 wrote to memory of 2392	2388	DEMFE3C.exe	35
PID 2388 wrote to memory of 2392	2388	DEMFE3C.exe	35
PID 2388 wrote to memory of 2392	2388	DEMFE3C.exe	35
PID 2392 wrote to memory of 944	2392	DEM5486.exe	37
PID 2392 wrote to memory of 944	2392	DEM5486.exe	37
PID 2392 wrote to memory of 944	2392	DEM5486.exe	37
PID 2392 wrote to memory of 944	2392	DEM5486.exe	37
PID 944 wrote to memory of 1644	944	DEMAB8B.exe	39
PID 944 wrote to memory of 1644	944	DEMAB8B.exe	39
PID 944 wrote to memory of 1644	944	DEMAB8B.exe	39
PID 944 wrote to memory of 1644	944	DEMAB8B.exe	39
PID 1644 wrote to memory of 1332	1644	DEM232.exe	41
PID 1644 wrote to memory of 1332	1644	DEM232.exe	41
PID 1644 wrote to memory of 1332	1644	DEM232.exe	41
PID 1644 wrote to memory of 1332	1644	DEM232.exe	41

C:\Users\Admin\AppData\Local\Temp\1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\DEMA737.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA737.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\DEMFE3C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFE3C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\DEM5486.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5486.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\DEMAB8B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAB8B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp\DEM232.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM232.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\DEM5928.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5928.exe"
        7⤵
        Executes dropped EXE
        
        PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMFE3C.exe

Filesize
15KB

MD5
2918cecd5324f087b2eb359c4bbaa4c2

SHA1
c477c2c25b8c552ac71aef340a94e41edbadd84e

SHA256
60963bff8fb3c3f61d9169c35d8ba1b0be0733205c9f0af6d9c7386f54b40cb6

SHA512
16fe312d6a13d73dce23c97d84137ffe64e58ee84020a8a52c6081ca60099e2eb69b6be2db9e59606f0c3954107134d8e31e5c89c9778b927caa54231a8ed953

Download Submit
\Users\Admin\AppData\Local\Temp\DEM232.exe

Filesize
15KB

MD5
7d64a1b34c1df47670c13c1c70444de8

SHA1
407ab36fd213c62c1e91c078d77f388a718578f1

SHA256
2ebe9acd7e748c4c1f60f2900b03c35584509415efe800829a05bb1fc1acbd21

SHA512
adadf5cd929df7f31916eecef99d6e0d94938f12a16d4aa3e76bc39e9f2c3d01111d8bd035e31f6e4fd344c690488e751b726313255134373130174038893c03

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5486.exe

Filesize
15KB

MD5
3f59d0c676976b4a21d86a50ab567420

SHA1
472b2ad0cab778cf5b40a2cb1ea278ec661e65bc

SHA256
d92eb872d13f6afadd233896c9a347f9f94d16476fb7c5f97490188a69a740a9

SHA512
3b48a72e7109520551961d1944fb1de27d9c98062dabb4db185d773955863a5dba7f8e5461491afb61f378f2b8eb7d683b7ff9fa2162b2053d79cf4490586442

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5928.exe

Filesize
15KB

MD5
aa3e0bdcc02207c6acc1ebab7a738139

SHA1
e98c492be10a7e6cb7076f3825519fcf7ccbfc0c

SHA256
e74a6eda325824742a02c4620b9c670fa9c79510503ccd7a43339be4c409573c

SHA512
9d92d2c04e8f49fd54541627ad6fbc1eb924a11c48261202402fefb2327da798076e652bc8375f1808477adca90653b4e16fad097e81b76a693d6fd39a35e263

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA737.exe

Filesize
15KB

MD5
faeab2926ad61dfebed8380c9dcf6578

SHA1
c0c36761aec7390b25e8d6d83322a999eebf02ca

SHA256
a782e25bd11c3e873c659ccdec8c88f23b0256b911db65640a72f97a153e81f8

SHA512
191f67b33f6b5f6ec7d8ef4735f0755a35a97de42f195ef00ac228a55761828808a6e92e9e8672384d349e87b966457bc0cdeeb766997e577d7da41ddea2b879

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAB8B.exe

Filesize
15KB

MD5
1e2056f7b12341c8d6b2412fca8ddb87

SHA1
2ceb4326eec6120651d15119249325aa74730332

SHA256
0cd5684e262dc433f8414ead5232c0fa02261d8817133a4e3fedb786f5cc8299

SHA512
39a592423000020d36ab46871f4d2bdb4544dba47c86ebc20663e7f8aaa7e69ebf09faaea6cd2bc06f37fc3bb7de3089195920ff8fb2e4de172dac94b126408c

Download Submit

Analysis

Sharing