f6682b2ec99a5827ee0097ed91687abbc384ba28b7da332b08fc55946508cf77

General

Target

24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe
Size

16KB
MD5

24d53bf73cef563e4c063008089ee615
SHA1

f582e0803731bc9bbf6ad184b557496685f65034
SHA256

f6682b2ec99a5827ee0097ed91687abbc384ba28b7da332b08fc55946508cf77
SHA512

b209ea675a5d70a2274ccaed88b40b85ebbcea5d8ac3e414f377503db67e27c0fd99e63cb1c4407edb4a488d25545e06cf39edd3075e93e55de5c014d02073f1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlkm:hDXWipuE+K3/SSHgxmlkm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2528	DEM9B84.exe
2424	DEMF1FD.exe
956	DEM477C.exe
2672	DEM9E90.exe
2332	DEMF42E.exe
1616	DEM4A2A.exe

Loads dropped DLL 6 IoCs

pid	Process
2256	24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe
2528	DEM9B84.exe
2424	DEMF1FD.exe
956	DEM477C.exe
2672	DEM9E90.exe
2332	DEMF42E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2528	2256	24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe	31
PID 2256 wrote to memory of 2528	2256	24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe	31
PID 2256 wrote to memory of 2528	2256	24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe	31
PID 2256 wrote to memory of 2528	2256	24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe	31
PID 2528 wrote to memory of 2424	2528	DEM9B84.exe	33
PID 2528 wrote to memory of 2424	2528	DEM9B84.exe	33
PID 2528 wrote to memory of 2424	2528	DEM9B84.exe	33
PID 2528 wrote to memory of 2424	2528	DEM9B84.exe	33
PID 2424 wrote to memory of 956	2424	DEMF1FD.exe	35
PID 2424 wrote to memory of 956	2424	DEMF1FD.exe	35
PID 2424 wrote to memory of 956	2424	DEMF1FD.exe	35
PID 2424 wrote to memory of 956	2424	DEMF1FD.exe	35
PID 956 wrote to memory of 2672	956	DEM477C.exe	37
PID 956 wrote to memory of 2672	956	DEM477C.exe	37
PID 956 wrote to memory of 2672	956	DEM477C.exe	37
PID 956 wrote to memory of 2672	956	DEM477C.exe	37
PID 2672 wrote to memory of 2332	2672	DEM9E90.exe	39
PID 2672 wrote to memory of 2332	2672	DEM9E90.exe	39
PID 2672 wrote to memory of 2332	2672	DEM9E90.exe	39
PID 2672 wrote to memory of 2332	2672	DEM9E90.exe	39
PID 2332 wrote to memory of 1616	2332	DEMF42E.exe	41
PID 2332 wrote to memory of 1616	2332	DEMF42E.exe	41
PID 2332 wrote to memory of 1616	2332	DEMF42E.exe	41
PID 2332 wrote to memory of 1616	2332	DEMF42E.exe	41

C:\Users\Admin\AppData\Local\Temp\24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\DEM9B84.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9B84.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\DEMF1FD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF1FD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\DEM477C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM477C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Users\Admin\AppData\Local\Temp\DEM9E90.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9E90.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Users\Admin\AppData\Local\Temp\DEMF42E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF42E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\DEM4A2A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4A2A.exe"
        7⤵
        Executes dropped EXE
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9B84.exe

Filesize
16KB

MD5
789f0f702d722ce588105aff971fbd3d

SHA1
b156e7ac35fba2cfef7a1e3ff9c43ca1c58a2ccd

SHA256
b1505ecc7c35b2cc0e372fe956e8bb3a4a46252b03aeaa22480026e7655d8d07

SHA512
2368bcf7b05ca9718361700283eeb96e767bc2dce872074b23b0cdf29e5339103442b7af81b2dc7db45248ac2dac775635aa2f8c50925dea4abee5e1d52041df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF1FD.exe

Filesize
16KB

MD5
f66bac2e6c18f22d089fe0632862e49d

SHA1
7e4813d4ad9085b4651089e58d556dc15733a832

SHA256
730a2a77de89c390895be4ab078bd1925fb0be4ebbe0e63e0e4c787038cd3806

SHA512
4b9f06fe4f17269fa1e5c0e5d6bcc0c155d9c25b56684da52bc5da7902a8cd0da971a94f3036471e4c203bd39375bbac2dc8316a776999b5827f6988ee66ee62

Download Submit
\Users\Admin\AppData\Local\Temp\DEM477C.exe

Filesize
16KB

MD5
a77a863e100d115346d8427207c44e91

SHA1
7902557b6443a616005c5a90a66d2c260c25bb5a

SHA256
e0d7386451b7fb56ebdc8415c6b062fa248302f9842e86904e435c8cb6d3d96e

SHA512
02e2dc4bd6efb7bbbadbc289d221bfc3325cb348a86bfe573cf91e49e107d77ff343fe62896d0a3142c2858e213fb302aff4952b5ad1c07b8cd06638ea98e464

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4A2A.exe

Filesize
16KB

MD5
9d195a04b6fc32702dea598873c4c6dd

SHA1
ec7e8bb0ccdafb9dddd7655cca1e75810d21108a

SHA256
b697f3429b6c3c2af41b34c1c6c7ee48708e8f1cfa8405c4c79c890aae9e19fd

SHA512
904f0e2996bf7fd138bd83ba6210fe4c4029fe70aac2386d0e686c4d5a496f0e3710607b3103f4e3943c8283be8e6f9fa33f1b3520fa51ce31b0c81c3bef9bad

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9E90.exe

Filesize
16KB

MD5
cb2f00fd790142013a1cffbdccd64e86

SHA1
806f9702e7358b69d7361f7a51bda3c1738a2ce7

SHA256
082ccb795ef218d5131f9f97f2397ff460931092cb587d39db88bcb3a6274a84

SHA512
503dc7f6297700b1aa072028e8bd946e9978daeaa6f689a2cfcbcb60c7338c60760ac6322d0fdc699f754246bd72e1315a88e7e770ea40aec28dde0cc3d09f0d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF42E.exe

Filesize
16KB

MD5
a6cb2a0322b41f3cccb2bab59ae8e2ae

SHA1
be0c37fdd47b6f611154f9079a68f60505f176f7

SHA256
c834a3e2dfedb2ae429249640331a51bc239a44d04a829d771cb8d5d8611ee83

SHA512
fe5e999822210e9504d6635b0809c95bbc1b81bb5a894a61395c9e7e04a08a1deddea9a6eb5e80004baa8a6c296e591b4e4ccd94b353edd3e0ebc01ac5527395

Download Submit

Analysis

Sharing