a88483ab2b42564aab0cb2c1c9696253bafc7df097cba15d0df89190dae08e7f

General

Target

24876532782eead71b2ebc8d0748eab7_JaffaCakes118.exe
Size

15KB
MD5

24876532782eead71b2ebc8d0748eab7
SHA1

f92b21d98df964afc3e958f6ba7e6064689bf617
SHA256

a88483ab2b42564aab0cb2c1c9696253bafc7df097cba15d0df89190dae08e7f
SHA512

0f010985fa166ffe1d6a10ae0858410e0d69f45db0551ff5f4fa70230d9c1d2852e04a5e2f290419d11ee33a982ab8f0a27fd07bd6b02e1911f54624e6c2ea6a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pjW2UWXef:hDXWipuE+K3/SSHgx49WdWXef

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2776	DEM4E20.exe
3056	DEMA3ED.exe
1316	DEMF91E.exe
2696	DEM4F68.exe
1108	DEMA4A8.exe
1824	DEMFA94.exe

Loads dropped DLL 6 IoCs

pid	Process
1760	24876532782eead71b2ebc8d0748eab7_JaffaCakes118.exe
2776	DEM4E20.exe
3056	DEMA3ED.exe
1316	DEMF91E.exe
2696	DEM4F68.exe
1108	DEMA4A8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2776	1760	24876532782eead71b2ebc8d0748eab7_JaffaCakes118.exe	29
PID 1760 wrote to memory of 2776	1760	24876532782eead71b2ebc8d0748eab7_JaffaCakes118.exe	29
PID 1760 wrote to memory of 2776	1760	24876532782eead71b2ebc8d0748eab7_JaffaCakes118.exe	29
PID 1760 wrote to memory of 2776	1760	24876532782eead71b2ebc8d0748eab7_JaffaCakes118.exe	29
PID 2776 wrote to memory of 3056	2776	DEM4E20.exe	33
PID 2776 wrote to memory of 3056	2776	DEM4E20.exe	33
PID 2776 wrote to memory of 3056	2776	DEM4E20.exe	33
PID 2776 wrote to memory of 3056	2776	DEM4E20.exe	33
PID 3056 wrote to memory of 1316	3056	DEMA3ED.exe	35
PID 3056 wrote to memory of 1316	3056	DEMA3ED.exe	35
PID 3056 wrote to memory of 1316	3056	DEMA3ED.exe	35
PID 3056 wrote to memory of 1316	3056	DEMA3ED.exe	35
PID 1316 wrote to memory of 2696	1316	DEMF91E.exe	37
PID 1316 wrote to memory of 2696	1316	DEMF91E.exe	37
PID 1316 wrote to memory of 2696	1316	DEMF91E.exe	37
PID 1316 wrote to memory of 2696	1316	DEMF91E.exe	37
PID 2696 wrote to memory of 1108	2696	DEM4F68.exe	39
PID 2696 wrote to memory of 1108	2696	DEM4F68.exe	39
PID 2696 wrote to memory of 1108	2696	DEM4F68.exe	39
PID 2696 wrote to memory of 1108	2696	DEM4F68.exe	39
PID 1108 wrote to memory of 1824	1108	DEMA4A8.exe	41
PID 1108 wrote to memory of 1824	1108	DEMA4A8.exe	41
PID 1108 wrote to memory of 1824	1108	DEMA4A8.exe	41
PID 1108 wrote to memory of 1824	1108	DEMA4A8.exe	41

C:\Users\Admin\AppData\Local\Temp\24876532782eead71b2ebc8d0748eab7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24876532782eead71b2ebc8d0748eab7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\DEM4E20.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4E20.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\DEMA3ED.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA3ED.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\DEMF91E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF91E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Users\Admin\AppData\Local\Temp\DEM4F68.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4F68.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\DEMA4A8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA4A8.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\DEMFA94.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFA94.exe"
        7⤵
        Executes dropped EXE
        
        PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4E20.exe

Filesize
15KB

MD5
d9cb22c157dfd64b190774519c94163b

SHA1
f83d27ba2dd6d0bbff58a98145914ba00c4ec68a

SHA256
4e4da044d1469d729e4e7a974e7ea46f5f4e51530f5db9f37ee054678267aed2

SHA512
f592b7e997141bc8f070ba519626c767446e1e8dd90bd8a020efa7bcff8be848c1964ef92a6bc38565bf8a9d50f7e88e1857334862d16a42bc9e7a6d7ceef309

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA3ED.exe

Filesize
15KB

MD5
1e4390b4a08d12bbbf999887bbbf67ff

SHA1
7845d24b26cd9574cb11ad25af56d636c88915d0

SHA256
3c41e18a8f2431b8077c7f5ee876a06da289409b612a0e87a0b6b96b2f2dc14a

SHA512
2a86f02b0a8f3e22d104a5a1620a038652487ceeda034983bd1f9b0d23cd5cdd077c4c66a08df4a6aa674d983877c417be21d49837a7f75657ccedaa013bcc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF91E.exe

Filesize
15KB

MD5
2c18cd26ce722f65601055c3a07d223d

SHA1
d904b583fec5e7f4b3433f39846100d568cb8370

SHA256
20df50cab1d6e9d2e8d60d8c8a0c2ded24c42d736bb4f62ac73f20d1e683435a

SHA512
2ae441b75de0860bc1e61cb066ab0f352765f788fa0acd74990ce4889765e01815ed999a0770b625b0aeb11a687507c273aabcf9b709dadca28c1ff4f69056df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA94.exe

Filesize
15KB

MD5
3317f7ca6b4d7cff38026e20f03da19d

SHA1
d3c6d7384dff62383f7e3968fc0a05da2a27d475

SHA256
657627326ec3c95a8df01737ae897ede02dc5ebc77862732a74d1a25f93acf72

SHA512
5de4897ad198816d4806805af6641a4b5b5277352c235810cc6b11d17451f419628b5df41eabab447da4ba4aa8141bdbdf3fbe1040d2388e6b750624534ca5d0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4F68.exe

Filesize
15KB

MD5
a6d802a686dcc7bdd2f753e647b5e77d

SHA1
c151a77a6828ab404777184e063620e4e2bd118d

SHA256
976f8ec15793ad1e03f6f0154bfe5aa20fc431d1f0ffc58d82e2a1cb3b4463b4

SHA512
bdf7722ff80a34693f59c6b5c881c478c0a3f181ffacf6264ec7cbe3801d546a693354acd0b4b6a6075445c670348e46e13ac9c08d70615c31d0dba877f88ef0

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA4A8.exe

Filesize
15KB

MD5
a5713006b9df2fb47773186fb3ee488e

SHA1
75c253caee54adad287710dd9bebc4136d08d0e2

SHA256
ed4e1df7a1a62ad0b96cb25c7cbe53566f8c0c78fefdf7ddc8f9b509ec88e7ca

SHA512
1c218fd935d72e10fcd92604a4b547fcf9c8e9e9ebf4c24fbbe70a106d5b4d80ad229700129f54c43b1521232d92bd3c42c5f2980ed29ed10034c4b5c73e89b7

Download Submit

Analysis

Sharing