e23d001b519832bb7d6f543c6c3b4cd5e3b55a1b087ebcd8155a4c01b8557027

General

Target

2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe
Size

16KB
MD5

2232a64613b4796ddc75bc7da924ab50
SHA1

f5e84da7d5fb753be7c6108f060bb4ee81b02b0a
SHA256

e23d001b519832bb7d6f543c6c3b4cd5e3b55a1b087ebcd8155a4c01b8557027
SHA512

7a579fc2a98ee6ec0f4451c5b5a0755a50f62a99f0f8950b77040e327d0a544dd04a29dc03ad4f13b8f7a061a68fccf639d439e71087b985dd1d28b4180fcf1f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Ftv:hDXWipuE+K3/SSHgxm0Lv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2648	DEM149A.exe
2596	DEM6A09.exe
2812	DEMBF97.exe
2000	DEM14F7.exe
1668	DEM6A47.exe
2092	DEMC005.exe

Loads dropped DLL 6 IoCs

pid	Process
2324	2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe
2648	DEM149A.exe
2596	DEM6A09.exe
2812	DEMBF97.exe
2000	DEM14F7.exe
1668	DEM6A47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2648	2324	2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe	29
PID 2324 wrote to memory of 2648	2324	2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe	29
PID 2324 wrote to memory of 2648	2324	2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe	29
PID 2324 wrote to memory of 2648	2324	2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe	29
PID 2648 wrote to memory of 2596	2648	DEM149A.exe	31
PID 2648 wrote to memory of 2596	2648	DEM149A.exe	31
PID 2648 wrote to memory of 2596	2648	DEM149A.exe	31
PID 2648 wrote to memory of 2596	2648	DEM149A.exe	31
PID 2596 wrote to memory of 2812	2596	DEM6A09.exe	35
PID 2596 wrote to memory of 2812	2596	DEM6A09.exe	35
PID 2596 wrote to memory of 2812	2596	DEM6A09.exe	35
PID 2596 wrote to memory of 2812	2596	DEM6A09.exe	35
PID 2812 wrote to memory of 2000	2812	DEMBF97.exe	37
PID 2812 wrote to memory of 2000	2812	DEMBF97.exe	37
PID 2812 wrote to memory of 2000	2812	DEMBF97.exe	37
PID 2812 wrote to memory of 2000	2812	DEMBF97.exe	37
PID 2000 wrote to memory of 1668	2000	DEM14F7.exe	39
PID 2000 wrote to memory of 1668	2000	DEM14F7.exe	39
PID 2000 wrote to memory of 1668	2000	DEM14F7.exe	39
PID 2000 wrote to memory of 1668	2000	DEM14F7.exe	39
PID 1668 wrote to memory of 2092	1668	DEM6A47.exe	41
PID 1668 wrote to memory of 2092	1668	DEM6A47.exe	41
PID 1668 wrote to memory of 2092	1668	DEM6A47.exe	41
PID 1668 wrote to memory of 2092	1668	DEM6A47.exe	41

C:\Users\Admin\AppData\Local\Temp\2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\DEM149A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM149A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\DEM6A09.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6A09.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\DEMBF97.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBF97.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\DEM14F7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM14F7.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\DEM6A47.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6A47.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\DEMC005.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC005.exe"
        7⤵
        Executes dropped EXE
        
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM14F7.exe

Filesize
16KB

MD5
e28006e2a8bdf08cd03c5d4e678de001

SHA1
de66d8f34f15c83bd363dff3b48e29b54a0efc87

SHA256
98844664b5c0fc2dfdeb8dba6bee2ecb64d51f20308b0cd582ce10081cde0607

SHA512
7eb4f10e001c7a5ec1d921ef05c7ece4565ff5381a839b9e7b0e2434dbc798da97b3a42dd7980c901d01211dfafd55ad944a46a778269498106ae401974062ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6A09.exe

Filesize
16KB

MD5
e7896affda7a0b1db1a31f7fbd41e549

SHA1
adaba398477d1c4abe17a66721e40000a23b3a19

SHA256
73d176c63b5759d6978c3efa2abc184f00ac797461ca97c7a330f8116de19675

SHA512
c6a91e05cd36f5e86442010bcd5e6b6a295fdef1e0fd41027f08e63369a8074ff1c0d398ccebe4a34955a382da6c11abe02aa9f5159a716adf060d8e3d74ba98

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC005.exe

Filesize
16KB

MD5
710f8af92b6f7a3d06810e2965b8d43b

SHA1
4c1a473ec2619a874799c62be96d23aafbc3d342

SHA256
f931e0f91442d632ad1ab374f39feba1b1b4c8f53e2b8e2750302f2286cb7771

SHA512
e88bc020ed67d5968183ffc57480b2ca97ed2a94f712bc2b0bf8c6b177e901d6cce85835ed60ca2e943a29f07920973982b8de691ed6fa709358580cb9d3647d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM149A.exe

Filesize
16KB

MD5
39c810d53fc28778f92011c2ff240e0c

SHA1
c3e76d92ceda73c84aa0533d4d227e8a3fb92555

SHA256
da975d686b5f50e1b4f5ae3fd82a3e451ceb83c5468cc5dd62584316ead13c1f

SHA512
562cf1979cee60374b5ea2144849c40f5ef8a98b1ee68a665c63c1222ac8423ba3b03f3629e0799e05caa46691fd95dcc8cea39819d72aec4dd89d0f01e6467f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6A47.exe

Filesize
16KB

MD5
8113de639a9a9b77d650f4738a25862b

SHA1
528d268fd302a08c6552edfa07840307faa7f233

SHA256
3c9c45543c5a4818ef5bde32594cac602f748d106105164416c1e4675589979b

SHA512
e9cc79546e3935be89e2d8fb551bf8fd5af2ac63f41c2f927c870e9f66048982b913836ae2e9fb13a1fd36e1032aab11e64f0b0a52b30acab3150c9bfb279b08

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBF97.exe

Filesize
16KB

MD5
cb7ba86b2c3b67415091a3cac2a320af

SHA1
2fbd2368a73aabb21acb6b4eb2c8fac05a0470fe

SHA256
ff9f94e8ea8ad2456fa3c3bcbed8e0115e5f7b13d15cdcb1804e0a10973690fb

SHA512
2ef752f0bae75a178255f9f4cb59cbe8c86cd076b6f7a4f52ca5f71459392f133b724f478c3491d2d8efde765d3fb238e3de4dc2260f718899dfbfc1838761bc

Download Submit

Analysis

Sharing