91d61f85e0fe1833873a5521492ff863a6f4358b158ea9cf8213b228e35f68f3

General

Target

17c571096538e9aeefd0bc41f8e2cafd_JaffaCakes118.exe
Size

15KB
MD5

17c571096538e9aeefd0bc41f8e2cafd
SHA1

84a3125c714f9f6aef5263edca1cc22a49333a54
SHA256

91d61f85e0fe1833873a5521492ff863a6f4358b158ea9cf8213b228e35f68f3
SHA512

1fb4d32f30755e8a0acfcfa6ee30daa396b2f0903f67094911096d0504cba53094dddc17a04585d14094e92c1283cb681212bbd0922a8087087248fa6c6a4e57
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYW:hDXWipuE+K3/SSHgxmW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2544	DEM82B.exe
2392	DEM5D7B.exe
2476	DEMB396.exe
1824	DEM906.exe
1160	DEM5EC3.exe
2036	DEMB4DE.exe

Loads dropped DLL 6 IoCs

pid	Process
2208	17c571096538e9aeefd0bc41f8e2cafd_JaffaCakes118.exe
2544	DEM82B.exe
2392	DEM5D7B.exe
2476	DEMB396.exe
1824	DEM906.exe
1160	DEM5EC3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2544	2208	17c571096538e9aeefd0bc41f8e2cafd_JaffaCakes118.exe	29
PID 2208 wrote to memory of 2544	2208	17c571096538e9aeefd0bc41f8e2cafd_JaffaCakes118.exe	29
PID 2208 wrote to memory of 2544	2208	17c571096538e9aeefd0bc41f8e2cafd_JaffaCakes118.exe	29
PID 2208 wrote to memory of 2544	2208	17c571096538e9aeefd0bc41f8e2cafd_JaffaCakes118.exe	29
PID 2544 wrote to memory of 2392	2544	DEM82B.exe	31
PID 2544 wrote to memory of 2392	2544	DEM82B.exe	31
PID 2544 wrote to memory of 2392	2544	DEM82B.exe	31
PID 2544 wrote to memory of 2392	2544	DEM82B.exe	31
PID 2392 wrote to memory of 2476	2392	DEM5D7B.exe	35
PID 2392 wrote to memory of 2476	2392	DEM5D7B.exe	35
PID 2392 wrote to memory of 2476	2392	DEM5D7B.exe	35
PID 2392 wrote to memory of 2476	2392	DEM5D7B.exe	35
PID 2476 wrote to memory of 1824	2476	DEMB396.exe	37
PID 2476 wrote to memory of 1824	2476	DEMB396.exe	37
PID 2476 wrote to memory of 1824	2476	DEMB396.exe	37
PID 2476 wrote to memory of 1824	2476	DEMB396.exe	37
PID 1824 wrote to memory of 1160	1824	DEM906.exe	39
PID 1824 wrote to memory of 1160	1824	DEM906.exe	39
PID 1824 wrote to memory of 1160	1824	DEM906.exe	39
PID 1824 wrote to memory of 1160	1824	DEM906.exe	39
PID 1160 wrote to memory of 2036	1160	DEM5EC3.exe	41
PID 1160 wrote to memory of 2036	1160	DEM5EC3.exe	41
PID 1160 wrote to memory of 2036	1160	DEM5EC3.exe	41
PID 1160 wrote to memory of 2036	1160	DEM5EC3.exe	41

C:\Users\Admin\AppData\Local\Temp\17c571096538e9aeefd0bc41f8e2cafd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17c571096538e9aeefd0bc41f8e2cafd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\DEM82B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM82B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\DEM5D7B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5D7B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\DEMB396.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB396.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\DEM906.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM906.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Users\Admin\AppData\Local\Temp\DEM5EC3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5EC3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\DEMB4DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB4DE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5D7B.exe

Filesize
15KB

MD5
29f736cbc867c6abe4b179e55cd2954a

SHA1
669ad557e1610d40f690dd74632c0436be58f2df

SHA256
5c61d42e13e0df6f617b70eda0898573d6678cf71728919b92facd85a184f5aa

SHA512
1fb113f149c208156bc9b59540d452c0b9bd1f33f61b33485ca8f57af15111960663b0917691e41a948f8b44efacb553f21686ffb424986973509cdea68d2628

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5EC3.exe

Filesize
15KB

MD5
d1ae8ebca804ac5367ca6920e7870945

SHA1
12b19d8e0b57aa5e327ca87ac2382dffd9df71bb

SHA256
7bd150244dcdb30a2a15d9d0cd4825e68230ec3afe7fd9fa07039456131dd8ec

SHA512
5dd1ddea98676352f9b60fea96c7f662ab2521b9de9617e6202c8e8b44262fac80716d7909087575b2cd3cc193fc3b3915939afb153b146558fab2f2313193ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM906.exe

Filesize
15KB

MD5
d9f5f7b823c370c6c6ec9cafefbf5e47

SHA1
77581d286012e0afe62a4d6c2a46631389e000b7

SHA256
c418904644d33b486e6e66a3a9f54302c81b155d5553f681f66347f0f290507a

SHA512
a0ccaf4f92882569a1af4333c6ed4210e8e6e2408c6234570d2d2d9ff4de0b94f90568b455c21a490202a6ce34cedbf46177f2063b625baca5dd44d03cfcbf38

Download Submit
\Users\Admin\AppData\Local\Temp\DEM82B.exe

Filesize
15KB

MD5
540dc35d20db5159fd17ee50a951ced4

SHA1
a524419d568317127bc99c2df32ee2c896f43d69

SHA256
32a2e0c0bf502dfea3e7d9a8f5fd59a043ab6a8fce9192f6bd842296b965c119

SHA512
a4eccc9d6e5dda88e281618c729c5c94f08f2a1ef85654b061095c8359c2bfd235222c72566f3a844198b6508deb3fb693d5566296f5ec0fd7e9e11e013e2c2e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB396.exe

Filesize
15KB

MD5
d35611705868350e1f46f1edf4dfb052

SHA1
334603564b56ae182a3040a3f3907de592e4c226

SHA256
2c294b76bff62ae658cbe9f0c38e69ca3955be3c66b6042e0598faf96c14b814

SHA512
3a758f790904fcdd7e10a978c413d1f966f40777e89b5186074fe2248581d56d19e596502d3c017808394a832b461c3ee7c99a6c8e1d705053c471828b2f3f42

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB4DE.exe

Filesize
15KB

MD5
efca7824ef746f86e795460e5c3bf421

SHA1
14e084ab28bff1c5a690e146555b057ec4272c8b

SHA256
d41d2feb2167ed0cac544a761c5fd4447fb1d10c68a98d9a1c82c67b97489bb3

SHA512
b7400f5880cf2dd8b2789820ae88fdea7652bdcf4ba90af19895fc800ba18751e0d033faf58ed116d6e1058d6d37f822b73efb67a24596c63fa8bb495d49ffb4

Download Submit

Analysis

Sharing