8be92dfd9142a2b8f231d02a30e73b84aafc6d2af5e14ee46938e419af974de7

General

Target

1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe
Size

14KB
MD5

1d9e8a7c76d5ecbb3875fdda6023f6a8
SHA1

fdaab4c9a6c42b484b18b4a98aa1dd5a1a29cf0c
SHA256

8be92dfd9142a2b8f231d02a30e73b84aafc6d2af5e14ee46938e419af974de7
SHA512

00d24cc5d67be88b9c3a6ca99065f1edb5a0949cde49cae2ecf333b87a1b9c82716686b2e7010c17783610b7ca7da0ad5a767d96f488bb628212681a138bc5f7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh79X:hDXWipuE+K3/SSHgxzl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2584	DEMC31.exe
2544	DEM6181.exe
2720	DEMB6E1.exe
1652	DEMC40.exe
2892	DEM6182.exe
2176	DEMB6D1.exe

Loads dropped DLL 6 IoCs

pid	Process
2276	1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe
2584	DEMC31.exe
2544	DEM6181.exe
2720	DEMB6E1.exe
1652	DEMC40.exe
2892	DEM6182.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2584	2276	1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2584	2276	1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2584	2276	1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2584	2276	1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe	29
PID 2584 wrote to memory of 2544	2584	DEMC31.exe	31
PID 2584 wrote to memory of 2544	2584	DEMC31.exe	31
PID 2584 wrote to memory of 2544	2584	DEMC31.exe	31
PID 2584 wrote to memory of 2544	2584	DEMC31.exe	31
PID 2544 wrote to memory of 2720	2544	DEM6181.exe	35
PID 2544 wrote to memory of 2720	2544	DEM6181.exe	35
PID 2544 wrote to memory of 2720	2544	DEM6181.exe	35
PID 2544 wrote to memory of 2720	2544	DEM6181.exe	35
PID 2720 wrote to memory of 1652	2720	DEMB6E1.exe	37
PID 2720 wrote to memory of 1652	2720	DEMB6E1.exe	37
PID 2720 wrote to memory of 1652	2720	DEMB6E1.exe	37
PID 2720 wrote to memory of 1652	2720	DEMB6E1.exe	37
PID 1652 wrote to memory of 2892	1652	DEMC40.exe	39
PID 1652 wrote to memory of 2892	1652	DEMC40.exe	39
PID 1652 wrote to memory of 2892	1652	DEMC40.exe	39
PID 1652 wrote to memory of 2892	1652	DEMC40.exe	39
PID 2892 wrote to memory of 2176	2892	DEM6182.exe	41
PID 2892 wrote to memory of 2176	2892	DEM6182.exe	41
PID 2892 wrote to memory of 2176	2892	DEM6182.exe	41
PID 2892 wrote to memory of 2176	2892	DEM6182.exe	41

C:\Users\Admin\AppData\Local\Temp\1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\DEMC31.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC31.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\DEM6181.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6181.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\DEMB6E1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB6E1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\DEMC40.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC40.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Users\Admin\AppData\Local\Temp\DEM6182.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6182.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\DEMB6D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB6D1.exe"
        7⤵
        Executes dropped EXE
        
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6181.exe

Filesize
14KB

MD5
4a40e1f652cf97f52a2a856f2ac72e08

SHA1
8b9338cc975826c6f6dc9e52d6ddcfe2ea176783

SHA256
77676e1e34811ff69dcd36c413179dd5315e24190f3b69ddb4394c534807c47f

SHA512
649db02905890426d9c6f0a1690a95d3113033e34e0f7300bf4bfbf50310f4807293b53ad39e797abfca46ee9645b6797a6654c3e7a1b4c42ef946c0dc3aee0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB6E1.exe

Filesize
14KB

MD5
70dbebc818e55f8c57b98ea575911367

SHA1
1ed0d0fa37b47face3141dfcf643847d806375e5

SHA256
ac04123f2402467ff34c7fa654df3d07835e70f79a1a8917c0125aa7eb234b98

SHA512
bdf1689fc3a534ac67c1c73f2a053be81ba40fd99a51e9e056db238d1ecfe928c81b9ae52d6885a19ad2cd595c019f1dde33c4fca381e0d86622fbb4422b9a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC40.exe

Filesize
14KB

MD5
a660e098d7df4274c9afdd5544c3a2ec

SHA1
19a486c96f62cf3350441ee9dd1facace0c02a01

SHA256
f49073c568a195ce46b689c13da6f3d286f7b0d1b1f03baab5b15009a16a61ec

SHA512
c626caedfea0095670132cf1428ba886fab916c8eceec3f54b6ff63d55422ecfa3786de707d14300787d98fe8e6b5546410c2cf87722c51f4f1f734d350c795f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6182.exe

Filesize
14KB

MD5
d6520e170c41d4d35865f12e131e0b58

SHA1
5bf28e0279bddb6b561fc63e66e52100011232a6

SHA256
eb3b440babe611c306afba64cf88c55749022f33bb9d076402d0fce112e74a0f

SHA512
40153d8d0c2a598b7326f61bcf6b0ac71527ddfe59209d64d207a4ef66d80338d15c979ddfbe12a2d4f355e5f7771e16251630fec4315b1fee67c8bbe1f191ff

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB6D1.exe

Filesize
14KB

MD5
9df9577a55c606cd002a4f7e3ab39ad5

SHA1
527b95743582e6d6043d6379f324e6491657c649

SHA256
481809cfad66a5e54fe9b2ca9507cbd31d70b481aa1c9cb7b33121c3d94d4ec9

SHA512
82ad18bc57d9dea4de1769918326f0af1deadcff0b571611117b7ccc1986ae12e3ee1b9bf34270438354879a4c9f558b5dd115066d7f6c3d7522c96a274e33de

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC31.exe

Filesize
14KB

MD5
ca461f1fe30bdfe21c3dd87397ecdf70

SHA1
9417ace96ec21b955cb5ea8d6c4ae9a7f97f793d

SHA256
a59d0cff99fb5a6f8d645289101ec67087b16eca64c0304fe8526404061e8a95

SHA512
3fcda5300fcc63ede71cc24c0bc32b644c32f24ff25c8fca8eb9c58e2842a3b4716ce88952bcf493dda63620609c0ea55958262d1bf9bfec3dd691de280c533a

Download Submit

Analysis

Sharing