d0b51997f5371af2211085b7a8a89c8ac5b0674ec1e33199005bb53226306b13

General

Target

20e3a618705f3e9eef3174043700d1b1_JaffaCakes118.exe
Size

16KB
MD5

20e3a618705f3e9eef3174043700d1b1
SHA1

715aef5241288305b2e4aefc6bbf02dd4be0936d
SHA256

d0b51997f5371af2211085b7a8a89c8ac5b0674ec1e33199005bb53226306b13
SHA512

cbff434d706882b59daf6ed0999de76f8590ed94cde10ae177d4e8f21756f2ad39c348da6eb4e577b611569f9c336be34c0b99972c4f1d307a8f0cba79c2a176
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzP:hDXWipuE+K3/SSHgxmHT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2576	DEM889.exe
2436	DEM5DE8.exe
2816	DEMB319.exe
1456	DEM86A.exe
1052	DEM5DBA.exe
2220	DEMB339.exe

Loads dropped DLL 6 IoCs

pid	Process
2980	20e3a618705f3e9eef3174043700d1b1_JaffaCakes118.exe
2576	DEM889.exe
2436	DEM5DE8.exe
2816	DEMB319.exe
1456	DEM86A.exe
1052	DEM5DBA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2576	2980	20e3a618705f3e9eef3174043700d1b1_JaffaCakes118.exe	29
PID 2980 wrote to memory of 2576	2980	20e3a618705f3e9eef3174043700d1b1_JaffaCakes118.exe	29
PID 2980 wrote to memory of 2576	2980	20e3a618705f3e9eef3174043700d1b1_JaffaCakes118.exe	29
PID 2980 wrote to memory of 2576	2980	20e3a618705f3e9eef3174043700d1b1_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2436	2576	DEM889.exe	31
PID 2576 wrote to memory of 2436	2576	DEM889.exe	31
PID 2576 wrote to memory of 2436	2576	DEM889.exe	31
PID 2576 wrote to memory of 2436	2576	DEM889.exe	31
PID 2436 wrote to memory of 2816	2436	DEM5DE8.exe	35
PID 2436 wrote to memory of 2816	2436	DEM5DE8.exe	35
PID 2436 wrote to memory of 2816	2436	DEM5DE8.exe	35
PID 2436 wrote to memory of 2816	2436	DEM5DE8.exe	35
PID 2816 wrote to memory of 1456	2816	DEMB319.exe	37
PID 2816 wrote to memory of 1456	2816	DEMB319.exe	37
PID 2816 wrote to memory of 1456	2816	DEMB319.exe	37
PID 2816 wrote to memory of 1456	2816	DEMB319.exe	37
PID 1456 wrote to memory of 1052	1456	DEM86A.exe	39
PID 1456 wrote to memory of 1052	1456	DEM86A.exe	39
PID 1456 wrote to memory of 1052	1456	DEM86A.exe	39
PID 1456 wrote to memory of 1052	1456	DEM86A.exe	39
PID 1052 wrote to memory of 2220	1052	DEM5DBA.exe	41
PID 1052 wrote to memory of 2220	1052	DEM5DBA.exe	41
PID 1052 wrote to memory of 2220	1052	DEM5DBA.exe	41
PID 1052 wrote to memory of 2220	1052	DEM5DBA.exe	41

C:\Users\Admin\AppData\Local\Temp\20e3a618705f3e9eef3174043700d1b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20e3a618705f3e9eef3174043700d1b1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\DEM889.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM889.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\DEM5DE8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5DE8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\DEMB319.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB319.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\DEM86A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM86A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Temp\DEM5DBA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5DBA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\DEMB339.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB339.exe"
        7⤵
        Executes dropped EXE
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5DE8.exe

Filesize
16KB

MD5
1108bcd9dd0ab4ac737f761dfbe47d56

SHA1
3984f44aa5ad8471d7d0f62f9e8a52129476614e

SHA256
6423e67425506a48b11514ed9911c50ede1b1757ac0d5ea69394f52b9cb36cc1

SHA512
cab1fa6747a0ad6ab3e1ea2c53290122a80b7681dd0b1d0f5e6b49fdf08a82a8bd907c0dd6b2de504d0c1514def7c4f27fc72034a7030245e95859879c5c3368

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM86A.exe

Filesize
16KB

MD5
3f86a8ee7c4fc8617129cd63e098d674

SHA1
42995a5f7b5eaaf5801fb69cf7e9c5cf77c1b91d

SHA256
84496101157957aabaf7f7a1916de001e081c47e360ff585603789443529bc57

SHA512
682baf1fd28a18fd6590ebec01a42e06754cef08b435a69e917d96a3ac82141fc2bdb79547bb09bac072f0b932c60db203e6b8e80a26d2a4dd25d414fea70346

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM889.exe

Filesize
16KB

MD5
5a230e35ce1b8d6fdc0baf67dfbfda47

SHA1
6655bb9407aa8d9a6172847b9c283d0038ee594c

SHA256
4511a86b790322a423a084ee68fa9aaa60ca2a03229186ee900f40f90b8f6b97

SHA512
fa34e00692455559b2ba355f5bed4ceb9696c8e5b2ed4bf67bc02df2f7ea63baad67da4af83257169fae0a81541c75e02a4fe7c386b2ce6d3c820cc8b92aa7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB319.exe

Filesize
16KB

MD5
9e5db0f4e7f0a256db26a44d9fee0788

SHA1
6ffa1eea5d7c671cff29ba4dcf292c4011b6a595

SHA256
486792ea2bf104190d03319e5c3d5c70e25b6a5ca4e7e0e166eb57af197f6c76

SHA512
5b9907f615069e3ec609c3767c38fccb318acb4ea1054a750a1d0e296c0943e919b9170df7e4d4c338c2b9041de6a37508dbe39b8bc6ef6a14dd0d284afc6786

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5DBA.exe

Filesize
16KB

MD5
d53a3311d0cab74733f7600f377d5298

SHA1
bde7b46f745c29b16664bdd319a438c2e1445f52

SHA256
090401ccd29cd1fff75a38b9617903278fcaeb43e9dce8f708cda85aa9977fc0

SHA512
8a6e5aa0777e034ea412a1e123070b4de3dde61177ce8a3031fc38a7d3a344255930db79b38ecb561673517d4ea5664ae0c95fbe18ba47f44acc5e90c0645e47

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB339.exe

Filesize
16KB

MD5
49a664a62e94f4aa53e483a606291ab3

SHA1
c9dab8762864743f066c695c62b3672def0ea616

SHA256
363d0008dffd8de8acd2232762fe640a50058d0b55117573507da8cd7475baae

SHA512
06c09ee51fa99c1b1c3b5eaf73215869793c212e0e72763c1025955573bed36afdbbee8e5795d50cfc384a648bd938d1ae5dae2e3209b9d2274141aa13426a88

Download Submit

Analysis

Sharing