aed76d687e846172c5880c18c3a7d839534839582ee6f7bc8c24ab4ab713c5c7

General

Target

1e068e2f2e9f47c97f0d525e068af993_JaffaCakes118.exe
Size

15KB
MD5

1e068e2f2e9f47c97f0d525e068af993
SHA1

963203337909761e6bd4995aef7d747140a32416
SHA256

aed76d687e846172c5880c18c3a7d839534839582ee6f7bc8c24ab4ab713c5c7
SHA512

00439cf037e5cbf9be1f3b801008278c36e5fba7219dce360b64b2cb58316340a68ad70b710ff192dbba244d397e9e12fff00680d2c3e1e210e77c2884377a9d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhkRwjL:hDXWipuE+K3/SSHgxDjL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3004	DEM30A2.exe
2424	DEM864F.exe
2724	DEMDBAF.exe
312	DEM317C.exe
1632	DEM8749.exe
1760	DEMDD06.exe

Loads dropped DLL 6 IoCs

pid	Process
2676	1e068e2f2e9f47c97f0d525e068af993_JaffaCakes118.exe
3004	DEM30A2.exe
2424	DEM864F.exe
2724	DEMDBAF.exe
312	DEM317C.exe
1632	DEM8749.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3004	2676	1e068e2f2e9f47c97f0d525e068af993_JaffaCakes118.exe	29
PID 2676 wrote to memory of 3004	2676	1e068e2f2e9f47c97f0d525e068af993_JaffaCakes118.exe	29
PID 2676 wrote to memory of 3004	2676	1e068e2f2e9f47c97f0d525e068af993_JaffaCakes118.exe	29
PID 2676 wrote to memory of 3004	2676	1e068e2f2e9f47c97f0d525e068af993_JaffaCakes118.exe	29
PID 3004 wrote to memory of 2424	3004	DEM30A2.exe	33
PID 3004 wrote to memory of 2424	3004	DEM30A2.exe	33
PID 3004 wrote to memory of 2424	3004	DEM30A2.exe	33
PID 3004 wrote to memory of 2424	3004	DEM30A2.exe	33
PID 2424 wrote to memory of 2724	2424	DEM864F.exe	35
PID 2424 wrote to memory of 2724	2424	DEM864F.exe	35
PID 2424 wrote to memory of 2724	2424	DEM864F.exe	35
PID 2424 wrote to memory of 2724	2424	DEM864F.exe	35
PID 2724 wrote to memory of 312	2724	DEMDBAF.exe	37
PID 2724 wrote to memory of 312	2724	DEMDBAF.exe	37
PID 2724 wrote to memory of 312	2724	DEMDBAF.exe	37
PID 2724 wrote to memory of 312	2724	DEMDBAF.exe	37
PID 312 wrote to memory of 1632	312	DEM317C.exe	39
PID 312 wrote to memory of 1632	312	DEM317C.exe	39
PID 312 wrote to memory of 1632	312	DEM317C.exe	39
PID 312 wrote to memory of 1632	312	DEM317C.exe	39
PID 1632 wrote to memory of 1760	1632	DEM8749.exe	41
PID 1632 wrote to memory of 1760	1632	DEM8749.exe	41
PID 1632 wrote to memory of 1760	1632	DEM8749.exe	41
PID 1632 wrote to memory of 1760	1632	DEM8749.exe	41

C:\Users\Admin\AppData\Local\Temp\1e068e2f2e9f47c97f0d525e068af993_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e068e2f2e9f47c97f0d525e068af993_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\DEM30A2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM30A2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\DEM864F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM864F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\DEMDBAF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDBAF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\DEM317C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM317C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:312
      - C:\Users\Admin\AppData\Local\Temp\DEM8749.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8749.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\DEMDD06.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD06.exe"
        7⤵
        Executes dropped EXE
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM864F.exe

Filesize
15KB

MD5
3e5a40cb03ed98ea2b242eb2c21e176b

SHA1
bce9d2946665640fa36a62b513543b96004e2a53

SHA256
65fd61f5ac2ac97a06cdb40e713051bd2d54373ab28ab6fdfa70bfebcc99c17d

SHA512
29dcef6c6be67fc6afda7537dff16a43a4902fb318cdc68706f4d8a566e96ff580b4d0bd428bbc5f788d31e4676d8895aca20d1d3188129d39ac53d8acef6104

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8749.exe

Filesize
15KB

MD5
b9200471623f1c7463e1003f7401c6d6

SHA1
24ee58fc09e7e88e10d41e41876c25b5c0885a02

SHA256
83a3d5e0571245a7cdb106775c3cb1ac2cbdae94173a4bb7dbc5a3a36de495a1

SHA512
ccaabc61dbd072e63c8879650bdba7b511779b40a7c357d6855a751b6bf7eb587937fa548f7c17e5bdf1461217a6d499bdc2718bfb94587004d9510e0c531eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD06.exe

Filesize
15KB

MD5
0286bdaef49cb70f734e3a9c39b6daed

SHA1
cec83d92ac8a966f6f8539748222974a427551c9

SHA256
7d466f3510f1ae31587b468ba98e9c3edb1d7ff4559616d9ae63c1e695314089

SHA512
1cea83dc8d994be72ab3977c793a55e93eadd29bdf116d31e810226f072fc16b6d6fc046e9d9a0ba66def33ef203e1be002954e9c1462cc51456db1e4c60da45

Download Submit
\Users\Admin\AppData\Local\Temp\DEM30A2.exe

Filesize
15KB

MD5
3fe16c85983feda0bcd2c65f8634fc38

SHA1
2845b7b519edc5f1bd3cb3459a8d8b740e857afd

SHA256
9e96ec7889b53dc904ab16ecd82e629fc2833e678193f84f29e512c87e56d14d

SHA512
b4fd8b015aa390f75864ad40f6b4bd79a7128857eee836e6c43ebfc23f10dc1e09fda61cdb20207e66743347879374449ef465e9334db3d6183277059bceb800

Download Submit
\Users\Admin\AppData\Local\Temp\DEM317C.exe

Filesize
15KB

MD5
4a1e6e2cebb0f4cabcfdbf36439ce059

SHA1
e89c380229c8c30e6cf6cb4c028f317034101903

SHA256
41cc1c4e35281d1e8eedfa982a092b24e7232565c607adc3aac64e8f16fecf37

SHA512
7d130a8baf84886d1aa5b554e5e4486a5478ae341980de3cc3b38ff629fc7915583d7c4cc535a13e7e87921500a199f374e19b016f38f0bdbf1cb3b0acc97577

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDBAF.exe

Filesize
15KB

MD5
cabd425f312e49277c80edd3b955a9db

SHA1
97e23338edbf80ca916a050b716a1f2c673fa8db

SHA256
edad5ddc204f1cbc195b4bc43264c68f7b5d5a87b8d5ae5f50d53d959f1ecdd6

SHA512
e856722e83bd33a45631f8d9cf9e7a53201c0a70edf068ca1d4cc3163596b75f73990ae0242889b0c0e5659370ce1934c55f2bc1040bde51caeec7e156cd52de

Download Submit

Analysis

Sharing