ff01511f61745f2cd7a5a46a9942338811605955e4da0463a885c6088a179052

General

Target

1cb562c9394716febea19bad65da8075_JaffaCakes118.exe
Size

20KB
MD5

1cb562c9394716febea19bad65da8075
SHA1

679586aa2792d6e668e79a1e25bad1f8e9a1d6af
SHA256

ff01511f61745f2cd7a5a46a9942338811605955e4da0463a885c6088a179052
SHA512

5770b96ebfda6b988d7c1b9a0f3babb401af6c031640646633e0b754a6fe06a5705fdf246aff5f4a61b49348b78f577df5d48981fe692a9ff150edf3b392d1b1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxI:hDXWipuE+K3/SSHgxmH+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2612	DEMA3E.exe
2580	DEM5FBC.exe
1368	DEMB589.exe
2324	DEMAAB.exe
1192	DEM5FFB.exe
2136	DEMB56A.exe

Loads dropped DLL 6 IoCs

pid	Process
1964	1cb562c9394716febea19bad65da8075_JaffaCakes118.exe
2612	DEMA3E.exe
2580	DEM5FBC.exe
1368	DEMB589.exe
2324	DEMAAB.exe
1192	DEM5FFB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2612	1964	1cb562c9394716febea19bad65da8075_JaffaCakes118.exe	29
PID 1964 wrote to memory of 2612	1964	1cb562c9394716febea19bad65da8075_JaffaCakes118.exe	29
PID 1964 wrote to memory of 2612	1964	1cb562c9394716febea19bad65da8075_JaffaCakes118.exe	29
PID 1964 wrote to memory of 2612	1964	1cb562c9394716febea19bad65da8075_JaffaCakes118.exe	29
PID 2612 wrote to memory of 2580	2612	DEMA3E.exe	31
PID 2612 wrote to memory of 2580	2612	DEMA3E.exe	31
PID 2612 wrote to memory of 2580	2612	DEMA3E.exe	31
PID 2612 wrote to memory of 2580	2612	DEMA3E.exe	31
PID 2580 wrote to memory of 1368	2580	DEM5FBC.exe	35
PID 2580 wrote to memory of 1368	2580	DEM5FBC.exe	35
PID 2580 wrote to memory of 1368	2580	DEM5FBC.exe	35
PID 2580 wrote to memory of 1368	2580	DEM5FBC.exe	35
PID 1368 wrote to memory of 2324	1368	DEMB589.exe	37
PID 1368 wrote to memory of 2324	1368	DEMB589.exe	37
PID 1368 wrote to memory of 2324	1368	DEMB589.exe	37
PID 1368 wrote to memory of 2324	1368	DEMB589.exe	37
PID 2324 wrote to memory of 1192	2324	DEMAAB.exe	39
PID 2324 wrote to memory of 1192	2324	DEMAAB.exe	39
PID 2324 wrote to memory of 1192	2324	DEMAAB.exe	39
PID 2324 wrote to memory of 1192	2324	DEMAAB.exe	39
PID 1192 wrote to memory of 2136	1192	DEM5FFB.exe	41
PID 1192 wrote to memory of 2136	1192	DEM5FFB.exe	41
PID 1192 wrote to memory of 2136	1192	DEM5FFB.exe	41
PID 1192 wrote to memory of 2136	1192	DEM5FFB.exe	41

C:\Users\Admin\AppData\Local\Temp\1cb562c9394716febea19bad65da8075_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cb562c9394716febea19bad65da8075_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\DEMA3E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA3E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\DEM5FBC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5FBC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\DEMB589.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB589.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Users\Admin\AppData\Local\Temp\DEMAAB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAAB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\DEM5FFB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5FFB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\DEMB56A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB56A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5FBC.exe

Filesize
20KB

MD5
a926687625b5b06def8578c98fdb0170

SHA1
b02335d7e2fa691f97ac39210da4f291ea6d5894

SHA256
9fdcaa913aa54f11452f4ed9bce482a54ad87c072555dee5775f606da7e2cbad

SHA512
3e0d0ca912f248da3abc717f613bae62cf837aa1f04dd22c03b96e306ba4d6f394982d278f66926e235ae3c464445875151dd9ef5af476441d66064f0f818b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5FFB.exe

Filesize
20KB

MD5
75bbff4f6106c3727b3f7aefd44579f6

SHA1
5b401b11f5adbddd8b50068b64055c64b5a53740

SHA256
ab074c381dc31c4a2ee1a6d89d7e44bc255ee62dc0cb7288c016840a9d0e6bee

SHA512
de3536b1af4d776f1387868214c1b04c99a9247c8410fa5abe5b56429a8a31b152f8bf34b60fb15e9ca36428337ed1933856c1e74fcd25404ba6cf95f5f23d41

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA3E.exe

Filesize
20KB

MD5
ef67ad78bc5ee5b50bb5ced6caadc35b

SHA1
96f98f5bd576382d12e8e74e5ac7f5d723afc737

SHA256
2a2efe748ba03b74d4d255d7590e293230acc8aa6538227c05bf687ea5b95a65

SHA512
3d1ae7a95ab823cfb0fe072938d0cd5702f7a0335612bfddb5d0d9f6f99534037a38a4483d1293f1f313a5104869e8b17def7fe4610168085af1f6c3e15282fd

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAAB.exe

Filesize
20KB

MD5
fac05f14f802a40b18211389ee0e1f63

SHA1
ad1ddbd864899773bd056b7251927fa7aa19b4a1

SHA256
717590d6c842a2614e2040bb0b07b0cb65916086c3511e4c5d14573413edb53a

SHA512
8c083ec54e6311951145223825b4c52f998f9561270322a4745f883ec7acbeb56b2c4a80ca6fe90f50d1c8101083b4761c9aa0faa0498c73a909076c9012c3b1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB56A.exe

Filesize
20KB

MD5
364a76f2116a2495b6a360e893b19bc1

SHA1
384f0875e3742a42e22f380458c0b94e338398a7

SHA256
2e909c1528ee7c91c974156edabaae2f4dad1f37920eaf18787534991bb8eceb

SHA512
ea1d5693f318c3ae1a4eedc5d0fce68438807d5f1b9597891da96830b2103f888dfe77e5102e6e1b018f7b0d2d3af19545bbc32efbe02fa3cf95e16a8493fe4c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB589.exe

Filesize
20KB

MD5
ca43a36cc1d965bae705ef8d4a334c59

SHA1
cf39fad7ae6590336726ef617290c881a684aa5b

SHA256
73329518c07e5cb7102e5ac7c35bdf3078c1f07ab93793f41801578d7496882d

SHA512
78f1e73dace89ed8c29ce0ca5cd83c097b9a3fa4510881ed96dc4138152d036eca57f0e6e54d0feb71fe4d8de67e7a4c0d2458469c48f62cf680e99ada425993

Download Submit

Analysis

Sharing