26c40d8c8cc49cb7e02d499bc2f56db9fcb306d4a0000f70ebb965ac39b9983b

General

Target

17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe
Size

14KB
MD5

17db07e7cbcc9e18cffcb8e7d7980700
SHA1

4e4e85dbe6b3db5911eb6428e35e73652e34f0df
SHA256

26c40d8c8cc49cb7e02d499bc2f56db9fcb306d4a0000f70ebb965ac39b9983b
SHA512

615ac4927d0a516e00f071a6e8e1fc103144f34a721a2bf487fe64319e03e7c80751c198016a2d0d5c07ec5e74508cde18f9542c1edbb292068854bb85d2de65
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYRAI:hDXWipuE+K3/SSHgxmj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2260	DEM1.exe
2564	DEM563B.exe
1520	DEMAB9B.exe
2508	DEMFA.exe
1892	DEM56F6.exe
2244	DEMAC56.exe

Loads dropped DLL 6 IoCs

pid	Process
2064	17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe
2260	DEM1.exe
2564	DEM563B.exe
1520	DEMAB9B.exe
2508	DEMFA.exe
1892	DEM56F6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2260	2064	17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2260	2064	17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2260	2064	17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2260	2064	17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2564	2260	DEM1.exe	31
PID 2260 wrote to memory of 2564	2260	DEM1.exe	31
PID 2260 wrote to memory of 2564	2260	DEM1.exe	31
PID 2260 wrote to memory of 2564	2260	DEM1.exe	31
PID 2564 wrote to memory of 1520	2564	DEM563B.exe	35
PID 2564 wrote to memory of 1520	2564	DEM563B.exe	35
PID 2564 wrote to memory of 1520	2564	DEM563B.exe	35
PID 2564 wrote to memory of 1520	2564	DEM563B.exe	35
PID 1520 wrote to memory of 2508	1520	DEMAB9B.exe	37
PID 1520 wrote to memory of 2508	1520	DEMAB9B.exe	37
PID 1520 wrote to memory of 2508	1520	DEMAB9B.exe	37
PID 1520 wrote to memory of 2508	1520	DEMAB9B.exe	37
PID 2508 wrote to memory of 1892	2508	DEMFA.exe	39
PID 2508 wrote to memory of 1892	2508	DEMFA.exe	39
PID 2508 wrote to memory of 1892	2508	DEMFA.exe	39
PID 2508 wrote to memory of 1892	2508	DEMFA.exe	39
PID 1892 wrote to memory of 2244	1892	DEM56F6.exe	41
PID 1892 wrote to memory of 2244	1892	DEM56F6.exe	41
PID 1892 wrote to memory of 2244	1892	DEM56F6.exe	41
PID 1892 wrote to memory of 2244	1892	DEM56F6.exe	41

C:\Users\Admin\AppData\Local\Temp\17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\DEM1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\DEM563B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM563B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\DEMAB9B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAB9B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\DEMFA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Users\Admin\AppData\Local\Temp\DEM56F6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM56F6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\DEMAC56.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAC56.exe"
        7⤵
        Executes dropped EXE
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM563B.exe

Filesize
15KB

MD5
a1c9e872a8da467f1edbae2d411f32c5

SHA1
5f2acd81c17aaeba55edefa87d64ff3460927fae

SHA256
f8f8f720aa8795ad564705ada2008bb09ac4304822e8fcc6af436f2cd1892f8b

SHA512
42fccc74f1382370757dfe09aaadc71eb47b521a697a07f858944e0e6447da8dc0b9423c728eaa30c7c99c88410eb232794831eb3b4872f878853d617c272090

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM56F6.exe

Filesize
15KB

MD5
9dfd4d0cc027e0e02a539b7561e78f70

SHA1
1d33e3842d3a356f44796e4c39528794a24ad800

SHA256
9c4bf8c1380e2b9ddd69fc3a00b6e02f3165734d5a06a81cda440d860d088416

SHA512
6f9509faaded69ca1f190eefb7b45fa18e33c41be3d4ab9579556697873930a42250f54f09f1becef717436015a2a2f4f8306d2842bc5131d47d599419258303

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1.exe

Filesize
14KB

MD5
eb42b224ed9426fb351547f803defa5e

SHA1
5592a411e4ea2b7bf3ffda4fc7cd8f5f9ff091d5

SHA256
710a2595856223a21d3cc138896457572dc331fd2ad8eaadec0c994b8bec0ea7

SHA512
0b3aae3da5563688cc4aade3944e52d68965857494b951ef81bb5b7cae5471ccac16f0ff5306201f077ccefbda369dbb94cd3b64280665d4617b0b84b3511f40

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAB9B.exe

Filesize
15KB

MD5
84fa01194d816e7b64ca24e368aad389

SHA1
20f07f7f1c44275d9d9859ab27bd812aaf4d04e8

SHA256
51ea0acb2ab766dc27aa7012f6ab68e85a95be42409df0dfd10910f346041be5

SHA512
2aa5b64efd29b86fd859ea23c0a90f5efca9226ca98b701e0a4bc0cf2940c15ca4e3061095104884f5898344b32b9ec188f5fefcd1120a95069720d519ba6d25

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAC56.exe

Filesize
15KB

MD5
d03deee30039973e3d3a346dba62599f

SHA1
22abaaf0df961c37f28b4aaef9f5ae8b223a1914

SHA256
61c4fffea67fe20154371eb5eda9befb25101623c8eba89c89981662f0f26861

SHA512
6286c608b7861b4255f088c13f69ea006fc3e6ba4c62eb53d22e985d17a6e93bf5e3b3c76533c8bcd7c9b15a3750fff071739403d9a9369f6adddd1b06922157

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFA.exe

Filesize
15KB

MD5
95e3607feaea889fbdf0733022457a8c

SHA1
45d8b014f5921fcb5993be7d04e1c6d8676db5d5

SHA256
743d965373401b23c35464a491ab3f8879f6180e9ae6566322d4e7eabf43b036

SHA512
d56b1004c1bd495ddb6d352682f7922796cfbd765f3a51831cceb972bf315e918d8ed98f0318c05b582c5b2a8cd284b93737589009bb41ce919b44b1b4992320

Download Submit

Analysis

Sharing