4e7ab1709f3a8920a2a77ce0c5fc71260933739fc291a6987c73abe344f9f068

General

Target

1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe
Size

16KB
MD5

1c0fa321e025a2d26d01f650ff76356a
SHA1

11539afb6962036483f0fc097cb9d6f00f13781c
SHA256

4e7ab1709f3a8920a2a77ce0c5fc71260933739fc291a6987c73abe344f9f068
SHA512

352b1853c9bec5d4250de4270b2dfdf7784050e755f8b1d730f957f52cd1cdbe7a2e66c32eba7cbfd7ca6f6c89b3fe9fdfa7506cbb1d4528c2b1d20e226fa075
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlk:hDXWipuE+K3/SSHgxmlk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2668	DEM41F0.exe
2528	DEM9849.exe
2820	DEMED9A.exe
940	DEM4366.exe
2808	DEM9933.exe
1844	DEMEEE1.exe

Loads dropped DLL 6 IoCs

pid	Process
1276	1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe
2668	DEM41F0.exe
2528	DEM9849.exe
2820	DEMED9A.exe
940	DEM4366.exe
2808	DEM9933.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2668	1276	1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2668	1276	1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2668	1276	1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2668	1276	1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe	29
PID 2668 wrote to memory of 2528	2668	DEM41F0.exe	33
PID 2668 wrote to memory of 2528	2668	DEM41F0.exe	33
PID 2668 wrote to memory of 2528	2668	DEM41F0.exe	33
PID 2668 wrote to memory of 2528	2668	DEM41F0.exe	33
PID 2528 wrote to memory of 2820	2528	DEM9849.exe	35
PID 2528 wrote to memory of 2820	2528	DEM9849.exe	35
PID 2528 wrote to memory of 2820	2528	DEM9849.exe	35
PID 2528 wrote to memory of 2820	2528	DEM9849.exe	35
PID 2820 wrote to memory of 940	2820	DEMED9A.exe	37
PID 2820 wrote to memory of 940	2820	DEMED9A.exe	37
PID 2820 wrote to memory of 940	2820	DEMED9A.exe	37
PID 2820 wrote to memory of 940	2820	DEMED9A.exe	37
PID 940 wrote to memory of 2808	940	DEM4366.exe	39
PID 940 wrote to memory of 2808	940	DEM4366.exe	39
PID 940 wrote to memory of 2808	940	DEM4366.exe	39
PID 940 wrote to memory of 2808	940	DEM4366.exe	39
PID 2808 wrote to memory of 1844	2808	DEM9933.exe	41
PID 2808 wrote to memory of 1844	2808	DEM9933.exe	41
PID 2808 wrote to memory of 1844	2808	DEM9933.exe	41
PID 2808 wrote to memory of 1844	2808	DEM9933.exe	41

C:\Users\Admin\AppData\Local\Temp\1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\DEM41F0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM41F0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\DEM9849.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9849.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\DEMED9A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMED9A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\DEM4366.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4366.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Users\Admin\AppData\Local\Temp\DEM9933.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9933.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\DEMEEE1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEEE1.exe"
        7⤵
        Executes dropped EXE
        
        PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4366.exe

Filesize
16KB

MD5
27d6dd19638b5b5b57d6d4a3f51b7098

SHA1
8fb4ec77a5b4d8a86b21021e5f2286522102e05a

SHA256
c8dc6ab67f22ca38614b9c67c3fc58e224e9560f500a429874f29bc1d11b0f22

SHA512
668b1522252af0ce34e0093a69f4fc0faeefad7e39f7df0b3b15b8b95c4652a7b8ef1948ffeda11b64d62a024477cf0d90322ec19f8aaf89974acb6e97b18261

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9849.exe

Filesize
16KB

MD5
55e22c7853bf9b2fde0caf84ec32798a

SHA1
29b092587c31aa3d8970a90280da99ae7989e669

SHA256
c481d5ca349d10cef372f5082194fd210a507006310740dd3eaf924dd9a2e846

SHA512
3ac65eae5e4305b870640962e1f0b9b4f1fef3cca965e204efa41b2b97946efd96ec2d5cefc25d6ec8ec7d8c302badbc51b7cfb67fae5e45d10b10b5fe3028c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9933.exe

Filesize
16KB

MD5
1bbabca68c3affb9f250cc4d7cacecc0

SHA1
87fec7005cad5a48cca42aed0c78c12b603bdb5a

SHA256
60e64e6ef65985a4c85ab3192834970f427e581971dbf7fb577583faa36031a3

SHA512
f390083ead8526e9d0fa5f6f39a7f7854f5ca17aac69d9e6a2684fe37dd46fef3aac1a6c006ad2de96634289953827c983594960aff62bb7dc3d8cf53caa85ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMED9A.exe

Filesize
16KB

MD5
1521ecf7fe705977d50ebb19275f178c

SHA1
e5b09545ca8ec62d967063f0e8b4f045327e826b

SHA256
3b8d1fe0b1d50529cc90c60481238b4067924e4c77e11058538479079442f026

SHA512
ff6b4210a11c27313a1f5c82044c9e2b09ad6c32e4eec7a8c28797e1e3f63276b53d439ced41d6b151b222103378f44056e429130f91e4e36056d9d5f6bbe8d8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM41F0.exe

Filesize
16KB

MD5
9aa5ebe579d1877c1bb2dd8d9289f036

SHA1
ddbd6d0505072a16c3d53345b8e40fad45eeee6c

SHA256
55cf15573a2f690055f3335ec78439b5252d785765c000f04bca287580ce5e24

SHA512
d6f25983f3e03d3d536bf28de91e8d27fcad35db171ca62f6af7828cf8393076597f1f7009b3205cf2d6a03dfd572fc0b1df12af4957bbb752ce9465f2c21ad9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEEE1.exe

Filesize
16KB

MD5
65b559d5a4881f21909daa7e0daab28a

SHA1
c87b56f2c21e1085115394532f3b10171ebfedda

SHA256
fe5209671b5881af2c2f1469b10561eefffee5ef25edb790ce4384e567cea926

SHA512
bf3001d83f7a584b714b55aaa29276c27502a56791ad476fa4a6eca6714f912daa06c962c871391d8d2c864874f3645e1071499edd612c23d25afddd8e449053

Download Submit

Analysis

Sharing