8431c9843dffc27788aa01b2fd1434683ba606a6ab18991c2ca19476f1c8d0d7

General

Target

225226cde3b81e64c0ec82f53f16d590_JaffaCakes118.exe
Size

20KB
MD5

225226cde3b81e64c0ec82f53f16d590
SHA1

ebfc1392c8e73c14330961b9e4dda2a7ba9c4275
SHA256

8431c9843dffc27788aa01b2fd1434683ba606a6ab18991c2ca19476f1c8d0d7
SHA512

432e1fd1e421aa6f34d95c7a54bb7eef3fd4b56040d7837ccae24a21b023d96fe74523a85207620c4adca15f462d5a38459d3847d93d45aca452bd0da16827a4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4Ac:hDXWipuE+K3/SSHgxmHZAc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2672	DEM6671.exe
2464	DEMBC8B.exe
552	DEM12E5.exe
528	DEM690F.exe
1844	DEMBFE5.exe
1748	DEM15F1.exe

Loads dropped DLL 6 IoCs

pid	Process
2020	225226cde3b81e64c0ec82f53f16d590_JaffaCakes118.exe
2672	DEM6671.exe
2464	DEMBC8B.exe
552	DEM12E5.exe
528	DEM690F.exe
1844	DEMBFE5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2672	2020	225226cde3b81e64c0ec82f53f16d590_JaffaCakes118.exe	29
PID 2020 wrote to memory of 2672	2020	225226cde3b81e64c0ec82f53f16d590_JaffaCakes118.exe	29
PID 2020 wrote to memory of 2672	2020	225226cde3b81e64c0ec82f53f16d590_JaffaCakes118.exe	29
PID 2020 wrote to memory of 2672	2020	225226cde3b81e64c0ec82f53f16d590_JaffaCakes118.exe	29
PID 2672 wrote to memory of 2464	2672	DEM6671.exe	33
PID 2672 wrote to memory of 2464	2672	DEM6671.exe	33
PID 2672 wrote to memory of 2464	2672	DEM6671.exe	33
PID 2672 wrote to memory of 2464	2672	DEM6671.exe	33
PID 2464 wrote to memory of 552	2464	DEMBC8B.exe	35
PID 2464 wrote to memory of 552	2464	DEMBC8B.exe	35
PID 2464 wrote to memory of 552	2464	DEMBC8B.exe	35
PID 2464 wrote to memory of 552	2464	DEMBC8B.exe	35
PID 552 wrote to memory of 528	552	DEM12E5.exe	37
PID 552 wrote to memory of 528	552	DEM12E5.exe	37
PID 552 wrote to memory of 528	552	DEM12E5.exe	37
PID 552 wrote to memory of 528	552	DEM12E5.exe	37
PID 528 wrote to memory of 1844	528	DEM690F.exe	39
PID 528 wrote to memory of 1844	528	DEM690F.exe	39
PID 528 wrote to memory of 1844	528	DEM690F.exe	39
PID 528 wrote to memory of 1844	528	DEM690F.exe	39
PID 1844 wrote to memory of 1748	1844	DEMBFE5.exe	41
PID 1844 wrote to memory of 1748	1844	DEMBFE5.exe	41
PID 1844 wrote to memory of 1748	1844	DEMBFE5.exe	41
PID 1844 wrote to memory of 1748	1844	DEMBFE5.exe	41

C:\Users\Admin\AppData\Local\Temp\225226cde3b81e64c0ec82f53f16d590_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\225226cde3b81e64c0ec82f53f16d590_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\DEM6671.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6671.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\DEM12E5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM12E5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Users\Admin\AppData\Local\Temp\DEM690F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM690F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:528
      - C:\Users\Admin\AppData\Local\Temp\DEMBFE5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBFE5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\DEM15F1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM15F1.exe"
        7⤵
        Executes dropped EXE
        
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM12E5.exe

Filesize
20KB

MD5
714bacc4a9f354b1699e026c46361458

SHA1
be7cd5bc23985dea14d76e25a477a507e25970d6

SHA256
7f9e94c44413a07b8a9b2d446dea322c361da23ca4381eafeefe9b18cba89ba7

SHA512
65bf8524a408979e2ffeb0f66f99b86b27403106a6d946a781f8680c2dfd71383ead11241df5f92ac24bfae00cb419affceba676f621aeeadc4d22aacc64b406

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM15F1.exe

Filesize
20KB

MD5
19031139835f92982e99ad49f73a71cf

SHA1
e3c088ef4ad9a7b558075059adeef4288a8ad594

SHA256
8d260c94894895d181a487c5147761edef06e58ead6d6c74dbb90d960887b59c

SHA512
54c6cba144c3c53f931a42262e9776238b2929ef0385aca96fab9043d94e65e68b66193837fbdecbe61843e4438273550c2798445c98c21d304606e82eb06e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6671.exe

Filesize
20KB

MD5
38fcad8f716d418aab3367f608a41cd8

SHA1
d23f54f76e059cd6c9da5ae38c3a09ea900c2e9c

SHA256
93f4e2b9722f7084b013eed5be67c370f82e77bdc4b28e49e2101f05b7b59c4b

SHA512
9414f14c5130a4ae4903d09a3cec8229d77793f15e54975f48ffca55e4a06fe3f1968fe75d2cb8734d8cac3cadc37a0f414e98cde213dfed503ca7a5bda79914

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM690F.exe

Filesize
20KB

MD5
5f74ac546bc69217c8f966b9e7688a7c

SHA1
d53e33595b45482d5143f91075b2aff5605eaa2c

SHA256
90950b0dd596e3666267a324b997bd6b93f14f9e399938ba9b1d754da70c498b

SHA512
5b03f545c2160f8d6c521b266d3d17285e7339ba7904f1eeb49100e902ec914fc9b7dd721008faffb05618aa38d8ede71b0690b8a48ad1d7523d2dba5ea5b2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe

Filesize
20KB

MD5
221672b5a859314536794899861d7031

SHA1
fb2e70819813c12853ee779bb4cdbbe2673dcdd5

SHA256
2c6395816d28cf23bc7aab9027b9d17bdb13ff3a6dadc222f5aa21123d719fec

SHA512
b537f3903a6c99a76774d62929d24191120d0e643442edcd2cbdd1be6ceca1a29ea9ba39a66000bc034f0781f1a484943cf379bbef5758756e22aa9c23790de4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBFE5.exe

Filesize
20KB

MD5
69e7b5d7cc1f9f39a7cd5ab99eeb08d4

SHA1
b9957683c4729d4aeefd8173731bbe90e97a2c04

SHA256
5b329b0e6588d4963382602c7c3062a37f5f183ba5ca2a53447969cc635f744c

SHA512
cb5930acdc053e533558863b0a476080ec939aa02dffcb07b7b575b97bfe03c2ef39fa11aecb43b63e5bacb664746be25166075d5ce291f384da805ba92a867f

Download Submit

Analysis

Sharing