e8ab1d2d054e0d1e8fd5cbc396239bef4d64548711e4b0d8b28c1e711c14b4e4

General

Target

208904e3ad5f4ac8074956b06bf39d55_JaffaCakes118.exe
Size

20KB
MD5

208904e3ad5f4ac8074956b06bf39d55
SHA1

25a59d40c8840e4857114c06991ceda35532aa3f
SHA256

e8ab1d2d054e0d1e8fd5cbc396239bef4d64548711e4b0d8b28c1e711c14b4e4
SHA512

7138bd2cd65f290df36226538198eb92891fad59900489de965eaee4810eacebdccbb974aed3275a2b941461275675e5f3386e612ecae1bb69267395433c9500
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41B:hDXWipuE+K3/SSHgxmHZ1B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2584	DEM2B64.exe
2452	DEM80A5.exe
2656	DEMD5F5.exe
1712	DEM2B16.exe
568	DEM8028.exe
2412	DEMD5C6.exe

Loads dropped DLL 6 IoCs

pid	Process
2188	208904e3ad5f4ac8074956b06bf39d55_JaffaCakes118.exe
2584	DEM2B64.exe
2452	DEM80A5.exe
2656	DEMD5F5.exe
1712	DEM2B16.exe
568	DEM8028.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2584	2188	208904e3ad5f4ac8074956b06bf39d55_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2584	2188	208904e3ad5f4ac8074956b06bf39d55_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2584	2188	208904e3ad5f4ac8074956b06bf39d55_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2584	2188	208904e3ad5f4ac8074956b06bf39d55_JaffaCakes118.exe	29
PID 2584 wrote to memory of 2452	2584	DEM2B64.exe	33
PID 2584 wrote to memory of 2452	2584	DEM2B64.exe	33
PID 2584 wrote to memory of 2452	2584	DEM2B64.exe	33
PID 2584 wrote to memory of 2452	2584	DEM2B64.exe	33
PID 2452 wrote to memory of 2656	2452	DEM80A5.exe	35
PID 2452 wrote to memory of 2656	2452	DEM80A5.exe	35
PID 2452 wrote to memory of 2656	2452	DEM80A5.exe	35
PID 2452 wrote to memory of 2656	2452	DEM80A5.exe	35
PID 2656 wrote to memory of 1712	2656	DEMD5F5.exe	37
PID 2656 wrote to memory of 1712	2656	DEMD5F5.exe	37
PID 2656 wrote to memory of 1712	2656	DEMD5F5.exe	37
PID 2656 wrote to memory of 1712	2656	DEMD5F5.exe	37
PID 1712 wrote to memory of 568	1712	DEM2B16.exe	39
PID 1712 wrote to memory of 568	1712	DEM2B16.exe	39
PID 1712 wrote to memory of 568	1712	DEM2B16.exe	39
PID 1712 wrote to memory of 568	1712	DEM2B16.exe	39
PID 568 wrote to memory of 2412	568	DEM8028.exe	41
PID 568 wrote to memory of 2412	568	DEM8028.exe	41
PID 568 wrote to memory of 2412	568	DEM8028.exe	41
PID 568 wrote to memory of 2412	568	DEM8028.exe	41

C:\Users\Admin\AppData\Local\Temp\208904e3ad5f4ac8074956b06bf39d55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\208904e3ad5f4ac8074956b06bf39d55_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\DEM2B64.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2B64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\DEMD5F5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD5F5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\DEM2B16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2B16.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\DEM8028.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8028.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\DEMD5C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD5C6.exe"
        7⤵
        Executes dropped EXE
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2B64.exe

Filesize
20KB

MD5
5a6cec48ff3339dd12d708195fb988a8

SHA1
db709eddb62f2eea183da8ecc0fe5e6a88d7e21b

SHA256
9f5c7f7cc9e1df72ca2f6da29765050e288d519b6dec996c9f72f85c91bf6c2c

SHA512
a7586fb7a64c6913a0558429d3fff69c3d3703c0e946548b14e03f150ea2b7e716cc50a741b729c229137f0736952f2b9a3696016bd04aae76ad00bc7ffd73b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8028.exe

Filesize
20KB

MD5
ff2f25bcf548dc6bb1fa0910666aef7c

SHA1
2ed0591dbb6e1dc45dccb093850bc41b4ea91700

SHA256
3e5eaa1860ee739dc3c09f4c9d160ccb922cf10b0edde0122ac3fd56be4c7124

SHA512
ba16741d39bf9eb0b484464d8fb575391f57e09d026674788f8186221a0f45895f813393fbdf89f98dc4f3fe97199a15969f7bb25685c0997e0fff13eae4c549

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe

Filesize
20KB

MD5
01b4eb66001e7891b53eb1b056bdd65a

SHA1
60d296890123904f29e2a9d8b83998b40f207fb6

SHA256
3ea4b98c0576139f981c9d9ad1ecb8d584988d073ea1f9a20bda66e3c80861c5

SHA512
a048653099303ac1464a970bb4fbf66942a784a61c34c2ed204b5cfa60febd581d38d7b941e08d153ea7cb5a54eb7c9bace770773c550820671ae494b083f644

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2B16.exe

Filesize
20KB

MD5
8ec3bd67d58e111c63dc075f05c1620a

SHA1
67f755aca6dafbd9728a0ffe84391cdb2a3b55e5

SHA256
c8f6062048b3640fe65f5340c93bd2451b39bf1f23b943debc7f47881fd520b9

SHA512
760f0f5f0fd45844f79c8f7609570061ff40dc0603d0acf28ff63f2ef2943c29e782311ecdf19af9060e1b0532b372452205d8fa95ab97af2aa1247feb6ee171

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD5C6.exe

Filesize
20KB

MD5
7be383288b8f888f2bed178b3766f24f

SHA1
493a25fd93eb35eb86ad35dbe28db21bb408af39

SHA256
cea3dadec047841dcb416a312bfb2982bf8f2ac01ab90bcc2299b3599b20737c

SHA512
56ff80a200ce08df28167e836dc5981f6953f8d5fa89d735871eaab00d19b7ddc2b4246f791b67c066152202c5f24ca02c650edc7e307d7aceae0908867d83b1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD5F5.exe

Filesize
20KB

MD5
09dd91c369ae5becc275a1a6147b3f02

SHA1
696a20787a430854d3c5d29e79ded13055a449d1

SHA256
027c533e7b851ed6a0e7448c73eaf840be78d2b10c04c49a40f6d6f40801d08d

SHA512
dacd44574f98a10a19a6b5f2cee79a1da8301eb03e5c2f144c0aa443ee651ff824618e364909b4c4c24c120b8165850aee1a3c15480a2863ebb3d456db2e2417

Download Submit

Analysis

Sharing