c33cccfbd90e2062621ff695fb13cb49766b5dbaff56b76ed43aa2a29c2c9b1a

General

Target

2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe
Size

16KB
MD5

2271c8cf26f650a3ec2d4429c7a22b96
SHA1

4c96803fcc7a9d6aaeadd27f67a1611cb597d386
SHA256

c33cccfbd90e2062621ff695fb13cb49766b5dbaff56b76ed43aa2a29c2c9b1a
SHA512

0a57c08423c54deb315bba7efeeafd84f53ebee3f835fe68366ae5bd360f3afb0917154a222f4c8c654b2a12cac1395d48023ec0e1a82d780480dff463110140
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRzF:hDXWipuE+K3/SSHgx3F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2652	DEM2B83.exe
1520	DEM8150.exe
2804	DEMD6FE.exe
1860	DEM2C8C.exe
2748	DEM81FC.exe
1100	DEMD74C.exe

Loads dropped DLL 6 IoCs

pid	Process
1928	2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe
2652	DEM2B83.exe
1520	DEM8150.exe
2804	DEMD6FE.exe
1860	DEM2C8C.exe
2748	DEM81FC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2652	1928	2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe	29
PID 1928 wrote to memory of 2652	1928	2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe	29
PID 1928 wrote to memory of 2652	1928	2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe	29
PID 1928 wrote to memory of 2652	1928	2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe	29
PID 2652 wrote to memory of 1520	2652	DEM2B83.exe	33
PID 2652 wrote to memory of 1520	2652	DEM2B83.exe	33
PID 2652 wrote to memory of 1520	2652	DEM2B83.exe	33
PID 2652 wrote to memory of 1520	2652	DEM2B83.exe	33
PID 1520 wrote to memory of 2804	1520	DEM8150.exe	35
PID 1520 wrote to memory of 2804	1520	DEM8150.exe	35
PID 1520 wrote to memory of 2804	1520	DEM8150.exe	35
PID 1520 wrote to memory of 2804	1520	DEM8150.exe	35
PID 2804 wrote to memory of 1860	2804	DEMD6FE.exe	37
PID 2804 wrote to memory of 1860	2804	DEMD6FE.exe	37
PID 2804 wrote to memory of 1860	2804	DEMD6FE.exe	37
PID 2804 wrote to memory of 1860	2804	DEMD6FE.exe	37
PID 1860 wrote to memory of 2748	1860	DEM2C8C.exe	39
PID 1860 wrote to memory of 2748	1860	DEM2C8C.exe	39
PID 1860 wrote to memory of 2748	1860	DEM2C8C.exe	39
PID 1860 wrote to memory of 2748	1860	DEM2C8C.exe	39
PID 2748 wrote to memory of 1100	2748	DEM81FC.exe	41
PID 2748 wrote to memory of 1100	2748	DEM81FC.exe	41
PID 2748 wrote to memory of 1100	2748	DEM81FC.exe	41
PID 2748 wrote to memory of 1100	2748	DEM81FC.exe	41

C:\Users\Admin\AppData\Local\Temp\2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\DEM2B83.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2B83.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\DEM8150.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8150.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\DEMD6FE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD6FE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\DEM2C8C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C8C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\DEM81FC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM81FC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\DEMD74C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD74C.exe"
        7⤵
        Executes dropped EXE
        
        PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8150.exe

Filesize
16KB

MD5
1f4cb99076b4f61124dad6f6927f16d3

SHA1
9b0447961be312afa7c39c3f9e26a698e50486c6

SHA256
debeff8fd55ce90cf95557bb721902a467ed24d806abd97cb8967b7465ce5c86

SHA512
b45bffa62a6a4cadb9736ece71dc5e025ed80c564ac300e67436b529e13dc78a16a28fb885164e49b834a7b899debe546e33da63387f72950cc44b7203c35cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM81FC.exe

Filesize
16KB

MD5
60b86ba1478955270de647309847cb9c

SHA1
c1f01e8adb25cb77962685781cde23bbf0a19744

SHA256
ef3b522b5aa6d7def4ea80819a1e5dfee8c5fb4dde6c1a934947cc36dae3b9cd

SHA512
d9352d7d151105b68d91c29dc339c3457ee207988541f6af222cbfe5d9bebbf2c4f71e7c85cca2800b79ea151fd88b4a47b149c21bb2e459f3f6801fc204e59d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2B83.exe

Filesize
16KB

MD5
3979bf3f4e2e2ed4f6c67350136e43c4

SHA1
db0046bb2029208573cc3d0968ef593d3b0c5d65

SHA256
46f9a224ffb53b1eb303558ce55561fb57307f7396c68dcf39d7d03d1fb3b56a

SHA512
b2553df1976797e6247a2c5f05c60f14cb4a006a4b57245207b1801e909adda734154aca712fe1ffc70391c2a147bbc965cdcc51c4f39383fa02416b7dacbf5d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2C8C.exe

Filesize
16KB

MD5
18f42b4c927c3c60ad7629a901d620c5

SHA1
7c6c7155ddd47005561d0390671f69322b34bdf6

SHA256
6df2e995836237bf58561967e7fdc0bb56d5bd3355c67a4c19663b1c4d31733e

SHA512
c3bd1ba1564194c06b8c2ea59d7114f851a40e9aecc36a5c4d77766536da905188aec9de4d3d09eed31b552508c537e6ac4d70990807b6c46ce2dd9413b4ac27

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD6FE.exe

Filesize
16KB

MD5
0a6fca5ed73f41bdcc913fd905199d00

SHA1
bd2265346cbc5b2d90c083f90feb00a16584b250

SHA256
25a04119b3a30bccab6f042c249b340119da1dfda8c6b61576fdef06aec71ca3

SHA512
60f327d3ad25d968cb0e14947145abbc2ceca42c86f4538ac0feec581555861898484281d09335b35433ee543356544fa4e061f5e7bc57ece74e943b52341575

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD74C.exe

Filesize
16KB

MD5
b02909110bd3b37c05b3b5c19227faf1

SHA1
b1100c5c2d9fd4ac13385695f7cb84f91b96c65c

SHA256
74e606d9ba24ac07244f2e2855db36cbe2d955de787abcb7bd60d4f2443f20ee

SHA512
908e1980e50f9401ea48e12f0c5f58b6224bc9da54f9d07698bfd9a13a2a781a3ca9d55ffe070548445c768f5725614c88efe576f867a6525ece29b629c0da4d

Download Submit

Analysis

Sharing