5589e4095f39ca088d125ed9d024d2313edb48f58c09b35fc3d73db8c2e3067e

General

Target

1a96b4e42148d30e7d68223ab220c2a9_JaffaCakes118.exe
Size

14KB
MD5

1a96b4e42148d30e7d68223ab220c2a9
SHA1

f16504fd42f64e423fbac55ecb7618755efca471
SHA256

5589e4095f39ca088d125ed9d024d2313edb48f58c09b35fc3d73db8c2e3067e
SHA512

c19ad1d96c33102dee389a5d30deb1999b6ddfab342e9f6cba7f5621164693744feef3aab777283ef7fd1c0ceea095e2dc069c65bfa5ccab01e692d8974dda4c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZeN:hDXWipuE+K3/SSHgx3eN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2668	DEM8D.exe
1880	DEM55FC.exe
860	DEMAB6C.exe
2388	DEM11A.exe
1056	DEM5725.exe
2272	DEMAC65.exe

Loads dropped DLL 6 IoCs

pid	Process
2204	1a96b4e42148d30e7d68223ab220c2a9_JaffaCakes118.exe
2668	DEM8D.exe
1880	DEM55FC.exe
860	DEMAB6C.exe
2388	DEM11A.exe
1056	DEM5725.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2668	2204	1a96b4e42148d30e7d68223ab220c2a9_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2668	2204	1a96b4e42148d30e7d68223ab220c2a9_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2668	2204	1a96b4e42148d30e7d68223ab220c2a9_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2668	2204	1a96b4e42148d30e7d68223ab220c2a9_JaffaCakes118.exe	29
PID 2668 wrote to memory of 1880	2668	DEM8D.exe	31
PID 2668 wrote to memory of 1880	2668	DEM8D.exe	31
PID 2668 wrote to memory of 1880	2668	DEM8D.exe	31
PID 2668 wrote to memory of 1880	2668	DEM8D.exe	31
PID 1880 wrote to memory of 860	1880	DEM55FC.exe	35
PID 1880 wrote to memory of 860	1880	DEM55FC.exe	35
PID 1880 wrote to memory of 860	1880	DEM55FC.exe	35
PID 1880 wrote to memory of 860	1880	DEM55FC.exe	35
PID 860 wrote to memory of 2388	860	DEMAB6C.exe	37
PID 860 wrote to memory of 2388	860	DEMAB6C.exe	37
PID 860 wrote to memory of 2388	860	DEMAB6C.exe	37
PID 860 wrote to memory of 2388	860	DEMAB6C.exe	37
PID 2388 wrote to memory of 1056	2388	DEM11A.exe	39
PID 2388 wrote to memory of 1056	2388	DEM11A.exe	39
PID 2388 wrote to memory of 1056	2388	DEM11A.exe	39
PID 2388 wrote to memory of 1056	2388	DEM11A.exe	39
PID 1056 wrote to memory of 2272	1056	DEM5725.exe	41
PID 1056 wrote to memory of 2272	1056	DEM5725.exe	41
PID 1056 wrote to memory of 2272	1056	DEM5725.exe	41
PID 1056 wrote to memory of 2272	1056	DEM5725.exe	41

C:\Users\Admin\AppData\Local\Temp\1a96b4e42148d30e7d68223ab220c2a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a96b4e42148d30e7d68223ab220c2a9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\DEM8D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\DEM55FC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM55FC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\DEMAB6C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAB6C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Users\Admin\AppData\Local\Temp\DEM11A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM11A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\DEM5725.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5725.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\DEMAC65.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAC65.exe"
        7⤵
        Executes dropped EXE
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM55FC.exe

Filesize
14KB

MD5
2a645fd8206df2146513a9f958cb3869

SHA1
e337f7011ef3c3cdf1baca05d9a28dda9b788a99

SHA256
540aa5f5ed557cfd8cef651fab6a23bc29ef0fb7ecd58be44d30eba757f8783e

SHA512
1d8c82309535b008d6a79ae766eeec939a7dd4f4ce3e66640bb1f28b756f98b15c0c8c30766cee1e0fd9034c3a4321de23f9167df55c9020a3cebee73208f8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAC65.exe

Filesize
14KB

MD5
802483870ce71f5e782020e601f32f7a

SHA1
b28310c94773e0adb5b2a9a53a7e8cefaaf4aebb

SHA256
df31b08958a1b2a2de5ef04056652e4a20c6ab8551aefb8be3debd2e67cc7b51

SHA512
8ce6d1822514739b23169e6ae6dc541f6fb20fcd7361ef8acb5630ef6318e0bf8fbcb42be240576b5e8157ba44d41b50689b6424d9643be32253471716625973

Download Submit
\Users\Admin\AppData\Local\Temp\DEM11A.exe

Filesize
14KB

MD5
2939716fbd2f3149bd903fa1fb1fa0f9

SHA1
d2496d80ce29d3942e8306ce1fc2c190971101f6

SHA256
86f59d1057faf4618484d797071d453c4a3f09d123f808f8670e6f4b69fbb012

SHA512
6c45deda9b72b22a2ed152ed85a092bb326fe3b3cb8298dff5ceed79e1b8cfefc75bf142fbc29747f4b23cbf673ca409596df91145c724eb8ac449f62fa7c78c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5725.exe

Filesize
14KB

MD5
7a61a6b12890da60004eefd03b02ed15

SHA1
daa1a9c0346ba04e66ac70dfe5e0ea863ff848f1

SHA256
0fffe02ba209236c61ad09e79b3b62acd6627d3ca6be9cc3ffaef8a13bd34a24

SHA512
630c5c806003266ec6069d9a8bdb732c95d434ac42fe5cfe46c13857a79f0fa01a8b35be8200f7201ebc156197bf9ac0c99e7d6c1611a1f9f517e06aac3c64bf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8D.exe

Filesize
14KB

MD5
20b0242fadd5cc96d5acb9bacef5cd7a

SHA1
455652931eb31ad48adac00a56aa98f3151b520c

SHA256
b1449065cc2a6aca497d7c520c8690c25476553c9f6fbbc071637aed395af84c

SHA512
d07fd391403032a979f504641af2d64b2d893bdea31bdd1308811e704f9b72e05ed46e76ed9ecf37d4eb69594040e52f07eef0956c1d8b2817a2dfd42e15e1d4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAB6C.exe

Filesize
14KB

MD5
8316ae274d90c77097e57bce29e52ae3

SHA1
aa84615d25b341703de253e9938a8805685a5a0e

SHA256
efc5b0a378b5cb418448586dd97272f98ad7d0e88621ef69fab661c4fd826b77

SHA512
57c6c07f052d16d4ed79f4e24b090c46629a49e155ea3c18dff4611e9ab85641b24d0af3de8e9c8dc6094187b8966b8c36b855cc2c02b629f29e24019cb21295

Download Submit

Analysis

Sharing