f42b4f419e10cb6eb5fcac6dbeb718fc578e097840e1dcec7870c8c40c3dbeca

General

Target

19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe
Size

15KB
MD5

19b4c2c33fe685ae8d5f5d3be7d4b2a5
SHA1

a578431f8271239a44b588320ddd572bf7900899
SHA256

f42b4f419e10cb6eb5fcac6dbeb718fc578e097840e1dcec7870c8c40c3dbeca
SHA512

3f71789414eb8cfc00ac1b42710162d826128a6d9c5a4867f7078771269e0638713febf0084ab4cc9bd95cce502fc9d32bfbf5f9dea0fc342b3291e948940e63
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8unV:hDXWipuE+K3/SSHgxm8y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2592	DEM1B8C.exe
2776	DEM7159.exe
2684	DEMC6A9.exe
1224	DEM1BBB.exe
1556	DEM70EC.exe
2304	DEMC6E7.exe

Loads dropped DLL 6 IoCs

pid	Process
2864	19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe
2592	DEM1B8C.exe
2776	DEM7159.exe
2684	DEMC6A9.exe
1224	DEM1BBB.exe
1556	DEM70EC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2592	2864	19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe	29
PID 2864 wrote to memory of 2592	2864	19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe	29
PID 2864 wrote to memory of 2592	2864	19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe	29
PID 2864 wrote to memory of 2592	2864	19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2776	2592	DEM1B8C.exe	31
PID 2592 wrote to memory of 2776	2592	DEM1B8C.exe	31
PID 2592 wrote to memory of 2776	2592	DEM1B8C.exe	31
PID 2592 wrote to memory of 2776	2592	DEM1B8C.exe	31
PID 2776 wrote to memory of 2684	2776	DEM7159.exe	35
PID 2776 wrote to memory of 2684	2776	DEM7159.exe	35
PID 2776 wrote to memory of 2684	2776	DEM7159.exe	35
PID 2776 wrote to memory of 2684	2776	DEM7159.exe	35
PID 2684 wrote to memory of 1224	2684	DEMC6A9.exe	37
PID 2684 wrote to memory of 1224	2684	DEMC6A9.exe	37
PID 2684 wrote to memory of 1224	2684	DEMC6A9.exe	37
PID 2684 wrote to memory of 1224	2684	DEMC6A9.exe	37
PID 1224 wrote to memory of 1556	1224	DEM1BBB.exe	39
PID 1224 wrote to memory of 1556	1224	DEM1BBB.exe	39
PID 1224 wrote to memory of 1556	1224	DEM1BBB.exe	39
PID 1224 wrote to memory of 1556	1224	DEM1BBB.exe	39
PID 1556 wrote to memory of 2304	1556	DEM70EC.exe	41
PID 1556 wrote to memory of 2304	1556	DEM70EC.exe	41
PID 1556 wrote to memory of 2304	1556	DEM70EC.exe	41
PID 1556 wrote to memory of 2304	1556	DEM70EC.exe	41

C:\Users\Admin\AppData\Local\Temp\19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\DEM1B8C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1B8C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\DEM7159.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7159.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\DEMC6A9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC6A9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\DEM1BBB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1BBB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Users\Admin\AppData\Local\Temp\DEM70EC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM70EC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\DEMC6E7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC6E7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1BBB.exe

Filesize
15KB

MD5
527e59ce2aca6de6c335ed06033882dd

SHA1
e9dd6cf7ed5c97110f76648b3540d9684ea288a7

SHA256
029a8e03a3c82d19d968b293877812748980c83c1e90d484b6c94016962a4cbb

SHA512
d4435f99b60d7fb621cd0a6c836a304799c9850db634642bf6ec90bef579166cbb03694c874eccc80fddbdc8a6cb74603b2d9018b3daee7a9fc6ad94ef40fa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM70EC.exe

Filesize
15KB

MD5
189fbed4b965888e2a1ee96f03f99640

SHA1
ee121c130c874e9190ee5e6f0b68e1f5df8e613e

SHA256
7514a0fac025aed87504af3a91cafcfc415d368a1894517f89fa7046f6da88c3

SHA512
48e8021775f3897afdc474589834117aca151268f3ebc9bbd7f46263f2dda46b35d28e1a3ee7cf8d22325a6ef23fe42fe520f7b57b2a5d02f0aea13d446ec610

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7159.exe

Filesize
15KB

MD5
db7e7a73ce9a0541efd2c32770cf41d1

SHA1
e61e138685e882ae2d4096d622ebb5a46699fe58

SHA256
cd34eaf08e26b16ac3567b72ed8881a8c649d11e0235f4437ffed6e143dd9b3b

SHA512
88f300158f493c76c84610529f6daad24ab64defcca9da4f417033cd9a8383ecaa4f43a1e4b4b0abb3a24f192e5f7b5a40ffa93b0636565ed0e3c1a5f7fc31b8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1B8C.exe

Filesize
15KB

MD5
d79adea26c6f5b6c38f89ed4b9a83805

SHA1
33b379b7baece71810ffd0a4306d02b5e7a14ad5

SHA256
7cfdabafc851e63f2d8080c6792716df5ffe64badcad550625ef8aeaa2f29273

SHA512
53a38380133903e0945323609ae0941b5effa04561e4a80d7ab15e17b9b879e6076b122f89cc765aa49011235566b22b16c965bff0f6ab4389b1cec2192518d9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC6A9.exe

Filesize
15KB

MD5
d9deab2c57cbf8e1f262ecfb5882f7d8

SHA1
d6f776c1dde26149d4ec0e057011158e9f1ea771

SHA256
f40292d258026901aadf27883e7d2ef59f942d015f242accfe2f032f832b083e

SHA512
0450bf76886dcf8c6dcf9231ecf31b8837a54a91909d5a87347b0914b3e8f129530862b75618f30640629bd11842855ecc374a254350edb5928269a91b28e621

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC6E7.exe

Filesize
15KB

MD5
8b6aae453783b6e8d0a8ad9aab6a65c4

SHA1
5a9d630a19629a90f1ac66889bd85e7cd2fd30e6

SHA256
8b73773a5ffa4dc37d5b1fc1d25847c340041b7b952d27f451b1164e87d9275d

SHA512
f1a10e8f22667dc900833f2b042201e24c5150d49f7fa84d85d1e5cd788079284c36d56ba522384579fcfb0b241dca99cdafd452456a32ccc03a3cc444aaa556

Download Submit

Analysis

Sharing