80533f2d176d0a6f491db401cce599da8023cc6d090057c68c37833ad6633281

General

Target

229f32dc010f7b7fe10ef1186377e426_JaffaCakes118.exe
Size

14KB
MD5

229f32dc010f7b7fe10ef1186377e426
SHA1

1642df8fec6ce6c194e5fdded137f3a32575faed
SHA256

80533f2d176d0a6f491db401cce599da8023cc6d090057c68c37833ad6633281
SHA512

6a5923296ff911769419eba82e42cc66181d3b96f897ace850285bdb6b2a26734447ccca440ac8572b67d760675713f01aa00313080f1c9151104316cc35b076
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlId:hDXWipuE+K3/SSHgxmlId

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1796	DEM11FB.exe
2576	DEM676A.exe
2100	DEMBCBA.exe
2816	DEM122A.exe
3032	DEM6789.exe
1332	DEMBCF9.exe

Loads dropped DLL 6 IoCs

pid	Process
1512	229f32dc010f7b7fe10ef1186377e426_JaffaCakes118.exe
1796	DEM11FB.exe
2576	DEM676A.exe
2100	DEMBCBA.exe
2816	DEM122A.exe
3032	DEM6789.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1796	1512	229f32dc010f7b7fe10ef1186377e426_JaffaCakes118.exe	29
PID 1512 wrote to memory of 1796	1512	229f32dc010f7b7fe10ef1186377e426_JaffaCakes118.exe	29
PID 1512 wrote to memory of 1796	1512	229f32dc010f7b7fe10ef1186377e426_JaffaCakes118.exe	29
PID 1512 wrote to memory of 1796	1512	229f32dc010f7b7fe10ef1186377e426_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2576	1796	DEM11FB.exe	31
PID 1796 wrote to memory of 2576	1796	DEM11FB.exe	31
PID 1796 wrote to memory of 2576	1796	DEM11FB.exe	31
PID 1796 wrote to memory of 2576	1796	DEM11FB.exe	31
PID 2576 wrote to memory of 2100	2576	DEM676A.exe	35
PID 2576 wrote to memory of 2100	2576	DEM676A.exe	35
PID 2576 wrote to memory of 2100	2576	DEM676A.exe	35
PID 2576 wrote to memory of 2100	2576	DEM676A.exe	35
PID 2100 wrote to memory of 2816	2100	DEMBCBA.exe	37
PID 2100 wrote to memory of 2816	2100	DEMBCBA.exe	37
PID 2100 wrote to memory of 2816	2100	DEMBCBA.exe	37
PID 2100 wrote to memory of 2816	2100	DEMBCBA.exe	37
PID 2816 wrote to memory of 3032	2816	DEM122A.exe	39
PID 2816 wrote to memory of 3032	2816	DEM122A.exe	39
PID 2816 wrote to memory of 3032	2816	DEM122A.exe	39
PID 2816 wrote to memory of 3032	2816	DEM122A.exe	39
PID 3032 wrote to memory of 1332	3032	DEM6789.exe	41
PID 3032 wrote to memory of 1332	3032	DEM6789.exe	41
PID 3032 wrote to memory of 1332	3032	DEM6789.exe	41
PID 3032 wrote to memory of 1332	3032	DEM6789.exe	41

C:\Users\Admin\AppData\Local\Temp\229f32dc010f7b7fe10ef1186377e426_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\229f32dc010f7b7fe10ef1186377e426_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\DEM11FB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM11FB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\DEM676A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM676A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\DEMBCBA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBCBA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\DEM122A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM122A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\DEM6789.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6789.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\DEMBCF9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBCF9.exe"
        7⤵
        Executes dropped EXE
        
        PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM676A.exe

Filesize
15KB

MD5
25ae8a318eaea0dc6652d2c0ba4fd6b2

SHA1
d4d522c4130fa6ec19fd2c6cc6ac2b6f1df1e8f8

SHA256
5a1d01be779e17efeea7e2a266e787853d3f0c2df4840337e579e07e20719ec2

SHA512
3863ecc008761f95ba01d2f5e88cb3bf1d960109260736199c18dfcf2cc86971ca3b2181416f9f6cf5019b0032d216c7535baa848fd4e5823a368e443edb479d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM11FB.exe

Filesize
15KB

MD5
31cf7a566b2fb0a05a332aa63afab155

SHA1
53c7c87958a9ac65609c7ee61bcd5d6726758b14

SHA256
965d04477bcbf90c1b422af1632dd695a281643eed0fbed0a741fef192ffa728

SHA512
468b0200f55c0b8a20dc70cdbdbcebeea0eb58eca80f7a49cee1e9e6d16716883179cb06c782afdf5327b195acbca41cdf921f321b09bf452741be563dcdbab7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM122A.exe

Filesize
15KB

MD5
afc235886f645e33be0d376a2858913e

SHA1
051be7b9c4c3f4d4d07149b920bf03bdbf62428a

SHA256
e7ba09af3a9e3a26a35bf184f89b847ba6f6db48f985ef57e7482b4e40e942ec

SHA512
b7d141df4f4b34f510bd95bde296ba829b4d439804887a546e77f418ac457c9aea57605b9b2172b92613a404dd4113ead538389d546123937692910b118d088e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6789.exe

Filesize
15KB

MD5
c331d0fd926022ebfd12c0df1e8827e2

SHA1
6b12fc0e2add8d3009e453fefeb4ff12d6073b99

SHA256
f576b632f4fd6c0bb6f347b1866b3f21618a3e5019693bc6319bab98b855cb1f

SHA512
2413c1f57db89c4309ef91b663add7cb2b3cfcf636f196e4ea8c2fa430e551d72965b7ad45f62803da0ff070ef99b3bb8d0310838b2ff34d0da89a452dd5cf21

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBCBA.exe

Filesize
15KB

MD5
22151ca5bbe0ca955d5bb84f44134d79

SHA1
1e6367aaeeeaf0b1da4545610322c23700be848e

SHA256
949b6b4ecd03adee82ff91b3046d2fe5cc23d7bda02d48d60323453f559175e1

SHA512
2f030d499e3018d19a0bcb93e3f770edd1984a01e24a1d525d6e2b991501225faa1787aa25c2394e2ce9f85eb485fad356925728a276727980e88569d80adb5b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBCF9.exe

Filesize
15KB

MD5
f283fd97e832c122b6911756b8f96db6

SHA1
a3150bab32733e806dc1ebff1797cf044193efe3

SHA256
e02d70342ba4e2bc707bb10a5c66e783b5118e14549c5b41297b4e35fbf284ec

SHA512
26502f2ee7b6626753d97a6b34bfc9437de59ffdd0f9622a24945ffcf925615f60f8a25f04aab5cbdc301d4a312216795425813f1434090c5e80e0b088e11792

Download Submit

Analysis

Sharing