df925a665353ec76c444187087f793c4feac14e920b9f84fc125ab2a750e53a0

General

Target

1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe
Size

16KB
MD5

1d60d1382af76bc9f89568d97784a2a7
SHA1

5c31dc975f6664ff03d39934aeada5103a549449
SHA256

df925a665353ec76c444187087f793c4feac14e920b9f84fc125ab2a750e53a0
SHA512

86df541f4db153ae5e4c45bccb7ed422d263ac5cb1453bad026507311fda8ea29e8284d17e4874800f6c4cc6ef9e45284f057f243a9dd9e03cca1ca93e66d4ac
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD8ZO:hDXWipuE+K3/SSHgxt6O

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2564	DEM22BD.exe
2700	DEM787A.exe
2592	DEMCD9B.exe
272	DEM22AD.exe
1952	DEM77BF.exe
1916	DEMCCF0.exe

Loads dropped DLL 6 IoCs

pid	Process
1624	1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe
2564	DEM22BD.exe
2700	DEM787A.exe
2592	DEMCD9B.exe
272	DEM22AD.exe
1952	DEM77BF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2564	1624	1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe	29
PID 1624 wrote to memory of 2564	1624	1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe	29
PID 1624 wrote to memory of 2564	1624	1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe	29
PID 1624 wrote to memory of 2564	1624	1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2700	2564	DEM22BD.exe	31
PID 2564 wrote to memory of 2700	2564	DEM22BD.exe	31
PID 2564 wrote to memory of 2700	2564	DEM22BD.exe	31
PID 2564 wrote to memory of 2700	2564	DEM22BD.exe	31
PID 2700 wrote to memory of 2592	2700	DEM787A.exe	35
PID 2700 wrote to memory of 2592	2700	DEM787A.exe	35
PID 2700 wrote to memory of 2592	2700	DEM787A.exe	35
PID 2700 wrote to memory of 2592	2700	DEM787A.exe	35
PID 2592 wrote to memory of 272	2592	DEMCD9B.exe	37
PID 2592 wrote to memory of 272	2592	DEMCD9B.exe	37
PID 2592 wrote to memory of 272	2592	DEMCD9B.exe	37
PID 2592 wrote to memory of 272	2592	DEMCD9B.exe	37
PID 272 wrote to memory of 1952	272	DEM22AD.exe	39
PID 272 wrote to memory of 1952	272	DEM22AD.exe	39
PID 272 wrote to memory of 1952	272	DEM22AD.exe	39
PID 272 wrote to memory of 1952	272	DEM22AD.exe	39
PID 1952 wrote to memory of 1916	1952	DEM77BF.exe	41
PID 1952 wrote to memory of 1916	1952	DEM77BF.exe	41
PID 1952 wrote to memory of 1916	1952	DEM77BF.exe	41
PID 1952 wrote to memory of 1916	1952	DEM77BF.exe	41

C:\Users\Admin\AppData\Local\Temp\1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\DEM22BD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM22BD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\DEM787A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM787A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\DEMCD9B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCD9B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\DEM22AD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM22AD.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:272
      - C:\Users\Admin\AppData\Local\Temp\DEM77BF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM77BF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe"
        7⤵
        Executes dropped EXE
        
        PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM787A.exe

Filesize
16KB

MD5
03ac6536138e1ff5ac5cdb9eb325f19e

SHA1
83841a76d381bab27ea18ad0a8b626e5a810dce1

SHA256
a3abfe0acf91656b039a2c8f8887143780dc593c0c8a055abf473427acdd29d6

SHA512
5de2a4248e97cf38d66fd3e4bee27f146cc68ec781949a3edfc73cb892221645a26becce11d1ca7078debbc6d6a019f68d369102ae8ca99e46d3394017253778

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe

Filesize
16KB

MD5
5659d31fbbcc35c0539265fba7f47a98

SHA1
e5608f49ac501b49fa1e1133940024b690fc428f

SHA256
0fde73210c80569e385ef8047ef46ef44f711a1e5740c47315b7b6ceaaed2d97

SHA512
709462b1c157c30632e3aaa06bf2ecbe1fa5ed802ab4d1ad36b453e70e1b4aedec56c80439bfaf42137d0954bdf27db47b304431ef1de66a63c8031be4e1d4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCD9B.exe

Filesize
16KB

MD5
fe6970fd8287c444cdaf738393c8662d

SHA1
b133e579047e515e83203001d83f0bcd1a98867a

SHA256
fd6d92a37389ca836213a514b208d550a34687021e61c00109d9efe7f0d0a1b2

SHA512
690f7971902e8be3adf3a5b50c8878349d9da7e7e4c6bd4421cb354d2991a27264c11a4b44f09541698b29ed3981b9e73a88db5ae3f91d3f755c93c22492a493

Download Submit
\Users\Admin\AppData\Local\Temp\DEM22AD.exe

Filesize
16KB

MD5
f9b3f41e2e30b1e20692d8edf1a64f11

SHA1
b7255448c7265459d1f0a2f510155ea6ae9feda9

SHA256
b8791fcd7ef4553885684c5093f28624dcc19f3eae807d1c87858435f14d6e27

SHA512
ef8a2e96e092b81b77a8b6e131235b8a8304c32eb285906f77a7f784c305fb0e1e5de0b8ce8ef2b924118c65b21eb0bbe712122272437092e1456447d05e6745

Download Submit
\Users\Admin\AppData\Local\Temp\DEM22BD.exe

Filesize
16KB

MD5
f635aca4f20b8bb7e58e45044c0b3b76

SHA1
30151c8231c77bf6c29798c2e18421720492a097

SHA256
f7a3faad228e9a9f446ba1cab132f1c076aa74618929d547126487b4bd5a9466

SHA512
da9ec21031bc9374e698aff16e3ea249ebc03420e9df088697039d35a75c07a539fb6a7860e49e2e43780717487ac11c6239ed8637591a4d3b804e25d3294d13

Download Submit
\Users\Admin\AppData\Local\Temp\DEM77BF.exe

Filesize
16KB

MD5
44842296cfb243ae1011ed3fdb29b304

SHA1
ee84d565f56ec99d1077a625f65e9e3baa52dc6d

SHA256
a91bad0f2147701db6710e30d66176904537e6e83fd7cbdf570b73575782d95e

SHA512
e6c26adcdf842c34ed0864239052c94067aed7394ba5ec6c5ff97cb31c4bcaf5157c2e6404068960762295fc56579639ac994c5efb99fd1e0a9f498760d34958

Download Submit

Analysis

Sharing