2e3e38fb28abd9c0feba878f3021f6a045bdd855eabfacf1eee3c3788b6fbe71

General

Target

1f7cf0fae6da981e46f5029451e9b66a_JaffaCakes118.exe
Size

20KB
MD5

1f7cf0fae6da981e46f5029451e9b66a
SHA1

871396454f11f4ca8cd750c54f77678bb9ca3fee
SHA256

2e3e38fb28abd9c0feba878f3021f6a045bdd855eabfacf1eee3c3788b6fbe71
SHA512

28bad460406eca52092782d8ce9a777ccae55cb5d81a117c5169e3ec6571fb7e891cd865a8ea30ae7d65bd45139df648cdd27fa7ee875d47e13baf38dc856f11
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PSRy:hDXWipuE+K3/SSHgxmHZPSRy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1940	DEM5206.exe
2380	DEMAD5F.exe
2664	DEM38A.exe
1368	DEM5A02.exe
916	DEMAFFE.exe
1804	DEM55E.exe

Loads dropped DLL 6 IoCs

pid	Process
1976	1f7cf0fae6da981e46f5029451e9b66a_JaffaCakes118.exe
1940	DEM5206.exe
2380	DEMAD5F.exe
2664	DEM38A.exe
1368	DEM5A02.exe
916	DEMAFFE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1940	1976	1f7cf0fae6da981e46f5029451e9b66a_JaffaCakes118.exe	29
PID 1976 wrote to memory of 1940	1976	1f7cf0fae6da981e46f5029451e9b66a_JaffaCakes118.exe	29
PID 1976 wrote to memory of 1940	1976	1f7cf0fae6da981e46f5029451e9b66a_JaffaCakes118.exe	29
PID 1976 wrote to memory of 1940	1976	1f7cf0fae6da981e46f5029451e9b66a_JaffaCakes118.exe	29
PID 1940 wrote to memory of 2380	1940	DEM5206.exe	33
PID 1940 wrote to memory of 2380	1940	DEM5206.exe	33
PID 1940 wrote to memory of 2380	1940	DEM5206.exe	33
PID 1940 wrote to memory of 2380	1940	DEM5206.exe	33
PID 2380 wrote to memory of 2664	2380	DEMAD5F.exe	35
PID 2380 wrote to memory of 2664	2380	DEMAD5F.exe	35
PID 2380 wrote to memory of 2664	2380	DEMAD5F.exe	35
PID 2380 wrote to memory of 2664	2380	DEMAD5F.exe	35
PID 2664 wrote to memory of 1368	2664	DEM38A.exe	37
PID 2664 wrote to memory of 1368	2664	DEM38A.exe	37
PID 2664 wrote to memory of 1368	2664	DEM38A.exe	37
PID 2664 wrote to memory of 1368	2664	DEM38A.exe	37
PID 1368 wrote to memory of 916	1368	DEM5A02.exe	39
PID 1368 wrote to memory of 916	1368	DEM5A02.exe	39
PID 1368 wrote to memory of 916	1368	DEM5A02.exe	39
PID 1368 wrote to memory of 916	1368	DEM5A02.exe	39
PID 916 wrote to memory of 1804	916	DEMAFFE.exe	41
PID 916 wrote to memory of 1804	916	DEMAFFE.exe	41
PID 916 wrote to memory of 1804	916	DEMAFFE.exe	41
PID 916 wrote to memory of 1804	916	DEMAFFE.exe	41

C:\Users\Admin\AppData\Local\Temp\1f7cf0fae6da981e46f5029451e9b66a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f7cf0fae6da981e46f5029451e9b66a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\DEM5206.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5206.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\DEMAD5F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAD5F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\DEM38A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM38A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\DEM5A02.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5A02.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\DEMAFFE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAFFE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\DEM55E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM55E.exe"
        7⤵
        Executes dropped EXE
        
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5206.exe

Filesize
20KB

MD5
a513c93437e604a19324c6eeeec9690e

SHA1
003ea010988205d0a4c89d960740eeb4f92bf9c5

SHA256
874305e3d0a5aefd2db62ef9353d9e60ef08d7e1a9161a761e3f90b2ec044a40

SHA512
b6117b987779a767c6dd040ca2f7b7375cebad27f7e45500dfc3ecb2be77d7eb5d7e8cfee842a4d9103a1e051794ca190bae5b6919462681d3e51ef25e2a1adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5A02.exe

Filesize
20KB

MD5
2ef1a6d16894fbda00f85c12d922bf55

SHA1
7aec3784c2bcbdce6591ec5854d144bd2a5cc7c3

SHA256
3c4c89801e9f412e2cbefeddccc060537c079428c898704ded2c6e27595df66d

SHA512
56eb48449315f7cbd1409faff2d18a6c7bf3d430dff7628d9ee39c5965ebfa7a7257307148a62e9b3e0cc6dc62f6a8cd3655c08af69717978ca9995555bcf74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAD5F.exe

Filesize
20KB

MD5
87ff3896fc301138a9b9ddce111f169e

SHA1
ff22fd2de533ca4caaa9b65979dc3e22e17aae83

SHA256
684898624ff1e789c75257f75f46925b2aabf3c8ebe46b6d4fb7d4942d8c2cb9

SHA512
da21a9190b19e68b3571120718d4a786b6da2a9e6aebaaf6265685346d81bba5bfcda362a65f387f5cdc47971a1d5ae62c467a6beca2b73e0dbf0f3ccbf66c3a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM38A.exe

Filesize
20KB

MD5
7ae920b34aa872cc930c5cd1418d8d95

SHA1
4e22fc049baea624cdc39b30d28b3459123b0cb4

SHA256
16d832b38c0facab7495eb6f7480951b63153e2f8abff77c719a0a70b12cb747

SHA512
e0a4e446b90ed02a597b3c3193e0d7f0be9da73e893f63b341a2efe19047f021307810e89808ee6c62084ec85da1998702766dc4cb5f4f53d9fd2ac7abdda5a3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM55E.exe

Filesize
20KB

MD5
bc2c11278318960f6ab81074837b6410

SHA1
a334c0e50c49f8afdba031da407fb2542b4a7036

SHA256
d5ce42748cf2ad8fc38c7aac1cee04a04fb236c392821825fdb7e1fddc84981a

SHA512
d569702ce5c7ce36eaa42da49569f7cb7a0f4939bdc6a3a09a3e26fbc2d2f585a462efc59bf5b161ae4087b9ea9acbbbd5704ccfd4b22108008def5fa19ef4ec

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAFFE.exe

Filesize
20KB

MD5
20a65d09726a77a8961608d1710d26af

SHA1
7880ce472751eee270f0fe0799e13f79d9973e66

SHA256
b31ff62638d47a49a2cae12c9a3085931cafd3986933e9686a52753bd7b16ec8

SHA512
bfd6704532d7d953d6fe21095cdbf6096d6c9b0361049de6ecc8b51ff8494b578d39d5b6a1d76d1048decac04b81bdc00fa8f8d1387f5c2d8341fd85a1448610

Download Submit

Analysis

Sharing