9e374b415799b74f1d741213949949bcaa53b48cf47b201186f4348f299b7d5c

General

Target

2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe
Size

15KB
MD5

2270c74260b1ad51174ac62ea8ebdbbd
SHA1

261fd4a22bbcf8537f1bae2b9999d7afca6063da
SHA256

9e374b415799b74f1d741213949949bcaa53b48cf47b201186f4348f299b7d5c
SHA512

d32e4900b32b72805fffb8313e286c9664e594e0d7e6b61112457a7256d5cc143e934d22cfb762961d9f5f8bde156902d816c12393120563da97047ed086d43e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYluhfn:hDXWipuE+K3/SSHgxmluZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2284	DEM424E.exe
2488	DEM99A1.exe
2764	DEMF019.exe
1552	DEM4569.exe
1468	DEM9AC9.exe
1760	DEMF0C5.exe

Loads dropped DLL 6 IoCs

pid	Process
2332	2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe
2284	DEM424E.exe
2488	DEM99A1.exe
2764	DEMF019.exe
1552	DEM4569.exe
1468	DEM9AC9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2284	2332	2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe	29
PID 2332 wrote to memory of 2284	2332	2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe	29
PID 2332 wrote to memory of 2284	2332	2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe	29
PID 2332 wrote to memory of 2284	2332	2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe	29
PID 2284 wrote to memory of 2488	2284	DEM424E.exe	33
PID 2284 wrote to memory of 2488	2284	DEM424E.exe	33
PID 2284 wrote to memory of 2488	2284	DEM424E.exe	33
PID 2284 wrote to memory of 2488	2284	DEM424E.exe	33
PID 2488 wrote to memory of 2764	2488	DEM99A1.exe	35
PID 2488 wrote to memory of 2764	2488	DEM99A1.exe	35
PID 2488 wrote to memory of 2764	2488	DEM99A1.exe	35
PID 2488 wrote to memory of 2764	2488	DEM99A1.exe	35
PID 2764 wrote to memory of 1552	2764	DEMF019.exe	37
PID 2764 wrote to memory of 1552	2764	DEMF019.exe	37
PID 2764 wrote to memory of 1552	2764	DEMF019.exe	37
PID 2764 wrote to memory of 1552	2764	DEMF019.exe	37
PID 1552 wrote to memory of 1468	1552	DEM4569.exe	39
PID 1552 wrote to memory of 1468	1552	DEM4569.exe	39
PID 1552 wrote to memory of 1468	1552	DEM4569.exe	39
PID 1552 wrote to memory of 1468	1552	DEM4569.exe	39
PID 1468 wrote to memory of 1760	1468	DEM9AC9.exe	41
PID 1468 wrote to memory of 1760	1468	DEM9AC9.exe	41
PID 1468 wrote to memory of 1760	1468	DEM9AC9.exe	41
PID 1468 wrote to memory of 1760	1468	DEM9AC9.exe	41

C:\Users\Admin\AppData\Local\Temp\2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\DEM424E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM424E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\DEM99A1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM99A1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\DEMF019.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF019.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\DEM4569.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4569.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Users\Admin\AppData\Local\Temp\DEM9AC9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9AC9.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\DEMF0C5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF0C5.exe"
        7⤵
        Executes dropped EXE
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM99A1.exe

Filesize
15KB

MD5
499cc52c2746ab42423be99b58e0b4bb

SHA1
02eede2e238d1172d7269c3cd17412144c5c4d41

SHA256
3ffdb858cdce93ac70da13c7c2c98635373f48fea1d4b089b93dcbdb389db0e1

SHA512
c75aa65c12e721f7f5dffd0cbffdb2466711628da351e0426535b62f2eb64711563ba4c6842d7788cd660f6da61450ec920bf2309f90e0b7cc3e9b943380aa88

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF019.exe

Filesize
15KB

MD5
f870083ca5f951b347743953ba04bfe4

SHA1
6837d8b8e7659636c6b984bb2ec4fdf388a11d20

SHA256
ca777e7cfe96b0afe09564d82e6e73d8cad6dd116e6e7cbfc86fa4fe98620cea

SHA512
807529e9214f7e3cde64187ce6904d8e3edb0ae346b7512846bfbad70d2a410849a695a8143128a52614af989a38d17063dcd8277f42ed2dd8c9064fcc3a83c4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM424E.exe

Filesize
15KB

MD5
aa859b89f5e01ff4509ced56fe27258c

SHA1
906c433fd47f4224eb7e60181c8cda5fbba9c111

SHA256
6dde7c6c929e14d0829dccfa578b1afb5b24a1327e7b6c7ef0e5a9b98010e4c4

SHA512
b78661d10b294ff9c1b59cec6e9ac26c518da2f42ddfe0d01193f9987ebecd8b5cd8e752afd5a82b439466cd756e73801c6591e0d3551db7327cd5a51f31170c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4569.exe

Filesize
15KB

MD5
175a74983b9121bbdfd0e6b5527cf696

SHA1
7a7a03110fc108321f5edeb901f4f1180526856f

SHA256
76c2e72e5de0b7fd098b2f81ce26e15715deb327f08cb2bd12673c65a146a957

SHA512
af3789feaab60223aeaa6364e9321e5f094e2d68f773b57af52a242d335cdf8034632b427d3b9bd7cee721017192b2def7d2e8b73085df923ad944a9958bce0b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9AC9.exe

Filesize
15KB

MD5
4b0a90f4780e040752557ffb4c78cd6c

SHA1
3dc648104f4b5273e3ff5e591266eacf5225c309

SHA256
3b8dc9f6cacd0221beacbf8de34d865933eef454bd521767b70a3440cddcdb04

SHA512
22a430a2c2af79bae15be3f649d748dc87c67b021fec9092bc8ccb362efe6398c760b6341d3007d9738970febe97c8d34b8af01d8ad16579019ba4e7f1da258c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF0C5.exe

Filesize
15KB

MD5
072c4858773353603b8afb97b91f438f

SHA1
364d781e80ea9723484732159fb3b4da2858dcf1

SHA256
dcfd939172e3aced217ba45f7f873d3846461a6614421a5d117c5d27d4da1d69

SHA512
00bf4cfcb66fb2dc083b22f71697c983b92bfccd5297f23d336adf7d2fb7b4e545d47cf3130ea122a89309bd786cb173e674bf86149fbc7f7f1ad87a711cb4e0

Download Submit

Analysis

Sharing