1938427566a51a0bae87831b42282ae67a166a2c6ae81c1795a2d789bead4ef0

General

Target

1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe
Size

20KB
MD5

1fea9b86854ca0ad9659fb949161780a
SHA1

deea484161c46539ff0fab83957bcb70827a19ae
SHA256

1938427566a51a0bae87831b42282ae67a166a2c6ae81c1795a2d789bead4ef0
SHA512

8b0b273f37be02df018a8956ba2e3d4e6079c5a8c755386fa8636b558828df69673e948726d7d45c00a2c56e1562ad863800cfd9a5ea55ab31466d6424a0f8c1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41gS:hDXWipuE+K3/SSHgxmHZ1H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2928	DEMF6C.exe
2948	DEM64BC.exe
2888	DEMBA0C.exe
2316	DEMF9A.exe
1564	DEM650A.exe
2880	DEMBA5A.exe

Loads dropped DLL 6 IoCs

pid	Process
2004	1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe
2928	DEMF6C.exe
2948	DEM64BC.exe
2888	DEMBA0C.exe
2316	DEMF9A.exe
1564	DEM650A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2928	2004	1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe	29
PID 2004 wrote to memory of 2928	2004	1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe	29
PID 2004 wrote to memory of 2928	2004	1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe	29
PID 2004 wrote to memory of 2928	2004	1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe	29
PID 2928 wrote to memory of 2948	2928	DEMF6C.exe	31
PID 2928 wrote to memory of 2948	2928	DEMF6C.exe	31
PID 2928 wrote to memory of 2948	2928	DEMF6C.exe	31
PID 2928 wrote to memory of 2948	2928	DEMF6C.exe	31
PID 2948 wrote to memory of 2888	2948	DEM64BC.exe	35
PID 2948 wrote to memory of 2888	2948	DEM64BC.exe	35
PID 2948 wrote to memory of 2888	2948	DEM64BC.exe	35
PID 2948 wrote to memory of 2888	2948	DEM64BC.exe	35
PID 2888 wrote to memory of 2316	2888	DEMBA0C.exe	37
PID 2888 wrote to memory of 2316	2888	DEMBA0C.exe	37
PID 2888 wrote to memory of 2316	2888	DEMBA0C.exe	37
PID 2888 wrote to memory of 2316	2888	DEMBA0C.exe	37
PID 2316 wrote to memory of 1564	2316	DEMF9A.exe	39
PID 2316 wrote to memory of 1564	2316	DEMF9A.exe	39
PID 2316 wrote to memory of 1564	2316	DEMF9A.exe	39
PID 2316 wrote to memory of 1564	2316	DEMF9A.exe	39
PID 1564 wrote to memory of 2880	1564	DEM650A.exe	41
PID 1564 wrote to memory of 2880	1564	DEM650A.exe	41
PID 1564 wrote to memory of 2880	1564	DEM650A.exe	41
PID 1564 wrote to memory of 2880	1564	DEM650A.exe	41

C:\Users\Admin\AppData\Local\Temp\1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\DEMF6C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF6C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\DEM64BC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM64BC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\DEMBA0C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBA0C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Users\Admin\AppData\Local\Temp\DEMF9A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF9A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Temp\DEM650A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM650A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\DEMBA5A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBA5A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM64BC.exe

Filesize
20KB

MD5
7ac1c796be88871f188ceb2a4032ca41

SHA1
734ff6968914528c97559c2d1055e519b4357045

SHA256
b3247520aca1c739384c2f561d73c8fbe77ce4ae8caa750167f4b252dfc538a7

SHA512
a79a3859e3a021d4b1fc9bcc2413368ccd5583fefaf48f426bb65490b88cedf9a53d7e50a43bfe08e4ea560da4c97078418381bf2cd2a09f7f3b4040b1e88450

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM650A.exe

Filesize
20KB

MD5
7b0623ecdf7ef9718323ab65caee7690

SHA1
24ecac29e37dd07b824a1a76e1595d258c48a1d9

SHA256
cc72c8855879d2efbaf8d19bd86fa45dc5fc45be7d514cb9319e4654204244b3

SHA512
a54cd58060d201e8afdcb8122a567808faea99ac4c569311699a1079871d7a598dbd062b56049203c9e55872dec1e218456f3747eaf1fa46d4674b25e3be818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA5A.exe

Filesize
20KB

MD5
c46efcc5be6312e875b27ddf6ac0d5a2

SHA1
436b5dd6f740ab4cdfa67b1d85f7e82fa9a5d54b

SHA256
f4c3fea9ed01c214c1674c38ced5ca49196f8ad17645f63dc149f108e117b597

SHA512
23d249cfaa083e92b4372a7b7ce7094d40cf5e378ba469c14bdac5dcdee17b31e526738a443fb6ca407f0eca614fde9b77923b51a67a3b7a1e417c470797cfb7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBA0C.exe

Filesize
20KB

MD5
81babbd61216099c6805f3ad26dce1fa

SHA1
923fed5efcfbe632a2af7d6661c2144bb65bd8dc

SHA256
15df6d01d5a7fcdceafdb10392e73ff985e97a561e9fc1ce19496f3ce408a289

SHA512
28b06e48a1b5546118fb485d89fbe020f54e2e81e432be5f3ba6036c18b887b511c65eb2c2d30b5b599ac1212fbec898e9560f60bf4b04dcef21167f236d2c30

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF6C.exe

Filesize
20KB

MD5
ed26a4c18494b4733e5b167e2740380b

SHA1
17aa0ac75d646ededfc4f25857d9eac9eca76cbf

SHA256
8361e7ea48ba3535a29b29902e4bda8f28b1e305b732cb1113db93551f27afb0

SHA512
000cd4edf662e226820600c7dea7d1442994a5be5d884ab4781ec729ca647a2154d3fab8d9e03ccdf67a2cc63d03b1ca879f05e6d5f994fc1ecf7e10d76e3d5d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF9A.exe

Filesize
20KB

MD5
846211c10a6e7294e2b7bea85a4bdb34

SHA1
c5d8215cb004585aba39c504d38573df8dca426e

SHA256
a58c41f1c51bbea0b027e17c7fda1ba86578ecbdde917337a83e5048d7163bb5

SHA512
26dce07e97d860ac5ad5157542d84b075acd64f7a930878ac910cf50fa38520bb045c437456bdf9e1a611d3cabd2454ac45fbbf6520b0f5e88701f102be821ea

Download Submit

Analysis

Sharing