3a2daa10563cfb3deb74346cb1cf504c719de24de6f738301814cf27bd742509

General

Target

2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe
Size

16KB
MD5

2275d7908bf208d91ada289d859c5350
SHA1

37419f08f1288c075e3c6c763f9e052dd7229e60
SHA256

3a2daa10563cfb3deb74346cb1cf504c719de24de6f738301814cf27bd742509
SHA512

d38c6f2d4be72c97945e8459ba23cef48311e62b8ad7d186789e2e931b9fd95d6eb41eb7b0a44be907dcbfb114788cef2a7c2f2f275937e5a6df6367cd12130e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5d:hDXWipuE+K3/SSHgxmL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2656	DEM18FD.exe
2532	DEM6E4D.exe
1368	DEMC38D.exe
920	DEM18AF.exe
2696	DEM6DE0.exe
844	DEMC2E2.exe

Loads dropped DLL 6 IoCs

pid	Process
2452	2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe
2656	DEM18FD.exe
2532	DEM6E4D.exe
1368	DEMC38D.exe
920	DEM18AF.exe
2696	DEM6DE0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2656	2452	2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe	29
PID 2452 wrote to memory of 2656	2452	2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe	29
PID 2452 wrote to memory of 2656	2452	2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe	29
PID 2452 wrote to memory of 2656	2452	2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe	29
PID 2656 wrote to memory of 2532	2656	DEM18FD.exe	31
PID 2656 wrote to memory of 2532	2656	DEM18FD.exe	31
PID 2656 wrote to memory of 2532	2656	DEM18FD.exe	31
PID 2656 wrote to memory of 2532	2656	DEM18FD.exe	31
PID 2532 wrote to memory of 1368	2532	DEM6E4D.exe	35
PID 2532 wrote to memory of 1368	2532	DEM6E4D.exe	35
PID 2532 wrote to memory of 1368	2532	DEM6E4D.exe	35
PID 2532 wrote to memory of 1368	2532	DEM6E4D.exe	35
PID 1368 wrote to memory of 920	1368	DEMC38D.exe	37
PID 1368 wrote to memory of 920	1368	DEMC38D.exe	37
PID 1368 wrote to memory of 920	1368	DEMC38D.exe	37
PID 1368 wrote to memory of 920	1368	DEMC38D.exe	37
PID 920 wrote to memory of 2696	920	DEM18AF.exe	39
PID 920 wrote to memory of 2696	920	DEM18AF.exe	39
PID 920 wrote to memory of 2696	920	DEM18AF.exe	39
PID 920 wrote to memory of 2696	920	DEM18AF.exe	39
PID 2696 wrote to memory of 844	2696	DEM6DE0.exe	41
PID 2696 wrote to memory of 844	2696	DEM6DE0.exe	41
PID 2696 wrote to memory of 844	2696	DEM6DE0.exe	41
PID 2696 wrote to memory of 844	2696	DEM6DE0.exe	41

C:\Users\Admin\AppData\Local\Temp\2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\DEM18FD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM18FD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\DEM6E4D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6E4D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\DEMC38D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC38D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Users\Admin\AppData\Local\Temp\DEM18AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM18AF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:920
      - C:\Users\Admin\AppData\Local\Temp\DEM6DE0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6DE0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\DEMC2E2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC2E2.exe"
        7⤵
        Executes dropped EXE
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM18AF.exe

Filesize
16KB

MD5
8f2cc82cb21976dbfded75cc065872b5

SHA1
f30247a915856cc74a25bb8233e27de8b3424948

SHA256
198bad38a4545d23c777f261b75add86adb8f077a78d91ea6483e25af6a42c77

SHA512
c48d87903e126cd4e7d31d7aa9f2cd7d6d21a83974ebbf392075af737b2f5a84bb9a068b6ced94f764d9d74118292b75702b1c2b3fa177e754de1ba833669b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM18FD.exe

Filesize
16KB

MD5
ba9a9b4ac8877d6abafceb4cc36c81ae

SHA1
6ab530c3853660f9feb2933c32312f66365f50ab

SHA256
68a3c0f0401e806369c8419c4b9e067bef98fd0394a4399d9715dbe505d57341

SHA512
dd527505687960edcf2c7c638319ad5641afd8669a2c0c81fea1b68810e8b3aca8fcd9f1fc8f56c01701f3d7d9afb6b303276108f640b7223e901355ba4500c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6DE0.exe

Filesize
16KB

MD5
8a6cbb930614b8174109cc998ff3a3a6

SHA1
52a57eb3db1e4596b00fa4d3e9b0e2c199c050cd

SHA256
5c3ac2445bef3144e920f3ebf1bdb6d57bd35dcd70e04fa222aab46b182c0177

SHA512
082df285ced7925ff3f387ed3dc1a360f956d167108c12183d391b2f7ee5af37d51bf1c2a3997f4168008e23b81caa9fbdf45e0e38eb3f126938dad7269a6139

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6E4D.exe

Filesize
16KB

MD5
a2e4d8d78b09ee2c570fb25fec7e38b7

SHA1
1063eac28e731df63061d10dde2ad67d8693f5b9

SHA256
17b35217afb734b623028cba6681f8d7179d8a7bd2a2331a251426e918f708ec

SHA512
8d71d385522ad9dd4af2ba135e5e4b069801f7c90fc67c686c1c3f2442bf758b7326097a5bb0520cb878b25dc96c296d8ecea416992d89caab8a3db2436745d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC2E2.exe

Filesize
16KB

MD5
85001f2dbd91884055f3c10219973d63

SHA1
f0329aacea12ac9000a741eba496ff7be67d3edb

SHA256
9b471f1f7c5c6f76baadb28423d1e58e2502ca226a14256006015898aff32588

SHA512
e577252e164ae77cc2e8c9b73b2d1bd8ba2dab175cf7dd36820b145bef22a7c7c31db0e4c1a8571b3b5a1370ddbb13525ce5dcd4f22436edf579717551bd782f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC38D.exe

Filesize
16KB

MD5
e6f41daa54d3c9dc74232fa3787c14c1

SHA1
4b2e8c83dc710c22df10c1a3c1e601928cd952cd

SHA256
41a9d88be5a45ab7f6594537d084e3eb0f77094178d04bc27710d26daaf4981f

SHA512
2ec23b60803fa34dfe4761e24af47b0cd9bf281b6080e642b97b5fa57caef9019cb09140d355c96df0506fafdc4217f70980529e76ef46323bb2c497425e5aec

Download Submit

Analysis

Sharing