d92cb5264a1281f5a095cae6c846fdbf22f6d4b91cd7a575aa2139b092cb833e

General

Target

21db749271863397b378d6326c4253f7_JaffaCakes118.exe
Size

16KB
MD5

21db749271863397b378d6326c4253f7
SHA1

c48c074b779a506f5685d9b47f57fa799da62ede
SHA256

d92cb5264a1281f5a095cae6c846fdbf22f6d4b91cd7a575aa2139b092cb833e
SHA512

338c3dd57478a46bcf43edaee5468b5d66b026faa12922d2467f2c5476c6f2839771330dc38731d9897a8cd00fe24ebfcdd7aced9ed0142b2d7b4b19b7e84779
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlK:hDXWipuE+K3/SSHgxmlK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2600	DEM13A0.exe
2488	DEM699C.exe
2832	DEMBF1B.exe
2356	DEM1555.exe
824	DEM6AF3.exe
2900	DEMC053.exe

Loads dropped DLL 6 IoCs

pid	Process
912	21db749271863397b378d6326c4253f7_JaffaCakes118.exe
2600	DEM13A0.exe
2488	DEM699C.exe
2832	DEMBF1B.exe
2356	DEM1555.exe
824	DEM6AF3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 2600	912	21db749271863397b378d6326c4253f7_JaffaCakes118.exe	29
PID 912 wrote to memory of 2600	912	21db749271863397b378d6326c4253f7_JaffaCakes118.exe	29
PID 912 wrote to memory of 2600	912	21db749271863397b378d6326c4253f7_JaffaCakes118.exe	29
PID 912 wrote to memory of 2600	912	21db749271863397b378d6326c4253f7_JaffaCakes118.exe	29
PID 2600 wrote to memory of 2488	2600	DEM13A0.exe	31
PID 2600 wrote to memory of 2488	2600	DEM13A0.exe	31
PID 2600 wrote to memory of 2488	2600	DEM13A0.exe	31
PID 2600 wrote to memory of 2488	2600	DEM13A0.exe	31
PID 2488 wrote to memory of 2832	2488	DEM699C.exe	35
PID 2488 wrote to memory of 2832	2488	DEM699C.exe	35
PID 2488 wrote to memory of 2832	2488	DEM699C.exe	35
PID 2488 wrote to memory of 2832	2488	DEM699C.exe	35
PID 2832 wrote to memory of 2356	2832	DEMBF1B.exe	37
PID 2832 wrote to memory of 2356	2832	DEMBF1B.exe	37
PID 2832 wrote to memory of 2356	2832	DEMBF1B.exe	37
PID 2832 wrote to memory of 2356	2832	DEMBF1B.exe	37
PID 2356 wrote to memory of 824	2356	DEM1555.exe	39
PID 2356 wrote to memory of 824	2356	DEM1555.exe	39
PID 2356 wrote to memory of 824	2356	DEM1555.exe	39
PID 2356 wrote to memory of 824	2356	DEM1555.exe	39
PID 824 wrote to memory of 2900	824	DEM6AF3.exe	41
PID 824 wrote to memory of 2900	824	DEM6AF3.exe	41
PID 824 wrote to memory of 2900	824	DEM6AF3.exe	41
PID 824 wrote to memory of 2900	824	DEM6AF3.exe	41

C:\Users\Admin\AppData\Local\Temp\21db749271863397b378d6326c4253f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21db749271863397b378d6326c4253f7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\DEM13A0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM13A0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\DEM699C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM699C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\DEMBF1B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBF1B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Users\Admin\AppData\Local\Temp\DEM1555.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1555.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Users\Admin\AppData\Local\Temp\DEM6AF3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6AF3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\DEMC053.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC053.exe"
        7⤵
        Executes dropped EXE
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM13A0.exe

Filesize
16KB

MD5
2b4e2a19fcaacd1c03f38acf8242e9f8

SHA1
4c90e2eff78be80eda5eddae4988cd4aece1f1e3

SHA256
317b5a1408d02ecdedf63303cbd7e844a484d81d3ea56c0d7ca2be1864986756

SHA512
efa430d6f284b8b95b03e138fe694692ad92de1575647806f42ec6954e4df893eb18c4f4a2c5dc5f32fcc40bbc6b05877ba92b7d8aecc4ecc892060e72d15fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM699C.exe

Filesize
16KB

MD5
7cde710277e7a59c58ee253cc4ef74d4

SHA1
3a8bd51dd401a8be014233be8a8f8d0dbd339c93

SHA256
06fe366482179dee5caeaa52a282dcd0e6489c4e071be74b4ed39e6ae00b7c4d

SHA512
f26650d69258cf0acd0ed886a9d6282a111b5fcd52de99b20dde1deb540b42c1a90a8e30eb9259f15ba188eb0e949434f3029c90e757a774e2e80d67563bdc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC053.exe

Filesize
16KB

MD5
5ac35966e3e09e85526f3bb20517b741

SHA1
45f05eaca0d3542f8fcf7c86da90289a6c41eaed

SHA256
af16eaae2fb931542a13b208b1be7679ad1acecefd43ef3f02e26a17e8984d48

SHA512
b06866f70b2dae1458149fd9728c534a0dde34429795bf5f71af06ac6240e8ebef73b710702af8d4bac6007fe3c62905d397414881f52291fd0418ab41c6e4dc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1555.exe

Filesize
16KB

MD5
4b3bd4e5ad18fd77e33d97426fb92793

SHA1
765a12044ab124600412f4c677793455c0950df7

SHA256
82bd9b3a9b1cc2a4f1dcb931ca3afc698170acc28e925388755546618e20ff50

SHA512
7a889bbf1556b06105e9b441d483bed68b65bb61f0daadb03e9575d8a7292291df39f7622e3d457de4c32069d5f6e0670485a905e15088c966cc0e54003ace90

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6AF3.exe

Filesize
16KB

MD5
6e467fff7d2800b26c5e0c76382ff46b

SHA1
521ca8d599915ad2fc7383b19ee27d3eadeeac8d

SHA256
2c18344bc90078881ff66dc9daf074001360108f3b391c17c302ed788e828589

SHA512
72a5bb239190cfc0d8d06856644f1d366321b25676435016505df536c4a12ccf6dff053c815d410b6a55b1c13016888e460da566e6c041165bfe65c3ace39017

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBF1B.exe

Filesize
16KB

MD5
4418dd943df7ea8d5545740caaab3ff9

SHA1
589946813ba33d451129a26e1c10cd8ef83906df

SHA256
14ce963669830b9dc03a417359013d7c04150a76979edd6c270e0f2841da7a54

SHA512
2e04a413ddc56c4afc195f67eb3eaef117776d7d41ed0452832fd1b0e6cfb14bd12348a912d38b39429c5f137fc1e1b600721736a45752d80d851f3d7f2e4d59

Download Submit

Analysis

Sharing