af4e2f360b9e602b41112793b6dcd75e419e3f29a8760e37c407929c482b14c5

General

Target

24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe
Size

16KB
MD5

24ec973b499b410e4e4694c0ab436e18
SHA1

14ac81da47dced90fd8427ad586f70b24c13f78d
SHA256

af4e2f360b9e602b41112793b6dcd75e419e3f29a8760e37c407929c482b14c5
SHA512

b0e30ffb65dacfe90103fa7156820f75237d9db3b39f9b41c276d799ac7e47bdbb25b643c9175219e90398ca2394018eacb4e74cb68c38beea9b54f498d46f87
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh2M:hDXWipuE+K3/SSHgx0M

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2456	DEM6632.exe
2416	DEMBD66.exe
2664	DEM13DE.exe
1968	DEM69F9.exe
1216	DEMC1C9.exe
2528	DEM1822.exe

Loads dropped DLL 6 IoCs

pid	Process
2164	24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe
2456	DEM6632.exe
2416	DEMBD66.exe
2664	DEM13DE.exe
1968	DEM69F9.exe
1216	DEMC1C9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2456	2164	24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe	29
PID 2164 wrote to memory of 2456	2164	24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe	29
PID 2164 wrote to memory of 2456	2164	24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe	29
PID 2164 wrote to memory of 2456	2164	24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe	29
PID 2456 wrote to memory of 2416	2456	DEM6632.exe	33
PID 2456 wrote to memory of 2416	2456	DEM6632.exe	33
PID 2456 wrote to memory of 2416	2456	DEM6632.exe	33
PID 2456 wrote to memory of 2416	2456	DEM6632.exe	33
PID 2416 wrote to memory of 2664	2416	DEMBD66.exe	35
PID 2416 wrote to memory of 2664	2416	DEMBD66.exe	35
PID 2416 wrote to memory of 2664	2416	DEMBD66.exe	35
PID 2416 wrote to memory of 2664	2416	DEMBD66.exe	35
PID 2664 wrote to memory of 1968	2664	DEM13DE.exe	37
PID 2664 wrote to memory of 1968	2664	DEM13DE.exe	37
PID 2664 wrote to memory of 1968	2664	DEM13DE.exe	37
PID 2664 wrote to memory of 1968	2664	DEM13DE.exe	37
PID 1968 wrote to memory of 1216	1968	DEM69F9.exe	39
PID 1968 wrote to memory of 1216	1968	DEM69F9.exe	39
PID 1968 wrote to memory of 1216	1968	DEM69F9.exe	39
PID 1968 wrote to memory of 1216	1968	DEM69F9.exe	39
PID 1216 wrote to memory of 2528	1216	DEMC1C9.exe	41
PID 1216 wrote to memory of 2528	1216	DEMC1C9.exe	41
PID 1216 wrote to memory of 2528	1216	DEMC1C9.exe	41
PID 1216 wrote to memory of 2528	1216	DEMC1C9.exe	41

C:\Users\Admin\AppData\Local\Temp\24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\DEM6632.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6632.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\DEMBD66.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBD66.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\DEM13DE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM13DE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\DEM69F9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM69F9.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\DEMC1C9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC1C9.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\DEM1822.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1822.exe"
        7⤵
        Executes dropped EXE
        
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMBD66.exe

Filesize
16KB

MD5
e91b1dd49527197bd7f423c7df4b5cfd

SHA1
d1e4eb2cfb87e92e6c196b93a3f24e5a82f7d8b0

SHA256
813136ae3fcabb430dbf2dcd11a1d68c90f3f5c9f5fc76fdd038d11b5cfb6405

SHA512
0cba29714fb22be34ed21d0dfdb9eef9d04828b4a88120b7a7f1aa673b46e1e58c85af00aab1bf5444bb8d69c4c736c6bf2708047a3b8c20c431333d5dfa8065

Download Submit
\Users\Admin\AppData\Local\Temp\DEM13DE.exe

Filesize
16KB

MD5
2902546a9c1a1fdddd93121db9432686

SHA1
a8bbaf46fc2d84ef7a5529e84079881c6b1882d4

SHA256
c8638aae674283650032d18e0969416ed53c36a753ee3a3a46729e6ccba1d930

SHA512
485dc0d2aa84c2982d5ba7f272eb15a206efb30abf16caded794ed1aa1f42166128cc925915ac31c827352ce9933caa6ad5dcdfceec7a65f8e8d28a1c201f358

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1822.exe

Filesize
16KB

MD5
f44aa1fba5f5ee410022f13885c1164e

SHA1
47b70c95eccb54bac758b5ff40075d1fa1dcb809

SHA256
92e4f1e735d576ad85e174d7fe28bff2a4ce882be15c63b8793895653a816987

SHA512
6befc3445e5ff2b96394297722e4277fb5c1024fa8a85b6ec33246ec1aa6943431e0dfb14f523cb0f9521f61c4f238c86817702a6c4da09493309e95bedefe79

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6632.exe

Filesize
16KB

MD5
1034ec32500c734c5897ee3c8c0b3720

SHA1
7ed6faf4b0483f35827aa59e4c55bacc0e91d20b

SHA256
263aa53f7cf9725b2a547df6b780773ef55b7b271345c2ea530b699a5054f75a

SHA512
85c1e703132cb35692aef53dd44f5fecf68b7b183414f2f3b9d7ba012a095fb92b62591b0e75863e9fa80547463c083dea6ca44f26dcb96049f60de74158e5ec

Download Submit
\Users\Admin\AppData\Local\Temp\DEM69F9.exe

Filesize
16KB

MD5
0dbe18ac268f0dd7905c1fe45c32f3dc

SHA1
75e1cc8ed14852c2889e895b02c110a019a4964d

SHA256
8e86416b9696f837215b156592b0e3fbf71cce02c187684d46374b8ccca6974c

SHA512
71d509908699478fc6fde86467136adbc3bf4069a439b1450c044cb3cec7ba04eeecf66a80415f4a8d65333c53f88e6b5cd07951efa3e43cde3bd6d6ef274b1e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC1C9.exe

Filesize
16KB

MD5
53c5d13741d94e3aa04be9122b6ca448

SHA1
85a3f8531d9c8c2927a030f6524b3388f18aa551

SHA256
21d5ce3d86f722434ac770d23bb558d0d4f7acdd66db6a9e90feb1ae2278fc10

SHA512
fde3f00a1e607cc771e3aa32c40ec14de6273a253966bbb5b74e13f734295b76a332a469ec43d45cfa3204c8399975fe7c93d3a40c8985c215e7fc1de319491b

Download Submit

Analysis

Sharing