52628d16b46289e2e4559cde46a522c9266fa8b25a1d03d60b2ae961db907698

General

Target

25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe
Size

16KB
MD5

25eae72ceec1d1ea9941ed7ff79b91f5
SHA1

7ddf6008b00708bfb541a42f918d041c8c26eb99
SHA256

52628d16b46289e2e4559cde46a522c9266fa8b25a1d03d60b2ae961db907698
SHA512

d121e74817b568083e52246d5434542429827647f998d5b5af8b96705031130a791388f7f9de2519c2c712c9f05514b16d053458f79b772774e71fdfeada5a6c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5Jm:hDXWipuE+K3/SSHgxl5I

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2540	DEM115F.exe
2572	DEM669F.exe
1536	DEMBBD0.exe
2120	DEM1120.exe
312	DEM6642.exe
2068	DEMBB92.exe

Loads dropped DLL 6 IoCs

pid	Process
1888	25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe
2540	DEM115F.exe
2572	DEM669F.exe
1536	DEMBBD0.exe
2120	DEM1120.exe
312	DEM6642.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2540	1888	25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe	29
PID 1888 wrote to memory of 2540	1888	25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe	29
PID 1888 wrote to memory of 2540	1888	25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe	29
PID 1888 wrote to memory of 2540	1888	25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe	29
PID 2540 wrote to memory of 2572	2540	DEM115F.exe	31
PID 2540 wrote to memory of 2572	2540	DEM115F.exe	31
PID 2540 wrote to memory of 2572	2540	DEM115F.exe	31
PID 2540 wrote to memory of 2572	2540	DEM115F.exe	31
PID 2572 wrote to memory of 1536	2572	DEM669F.exe	35
PID 2572 wrote to memory of 1536	2572	DEM669F.exe	35
PID 2572 wrote to memory of 1536	2572	DEM669F.exe	35
PID 2572 wrote to memory of 1536	2572	DEM669F.exe	35
PID 1536 wrote to memory of 2120	1536	DEMBBD0.exe	37
PID 1536 wrote to memory of 2120	1536	DEMBBD0.exe	37
PID 1536 wrote to memory of 2120	1536	DEMBBD0.exe	37
PID 1536 wrote to memory of 2120	1536	DEMBBD0.exe	37
PID 2120 wrote to memory of 312	2120	DEM1120.exe	39
PID 2120 wrote to memory of 312	2120	DEM1120.exe	39
PID 2120 wrote to memory of 312	2120	DEM1120.exe	39
PID 2120 wrote to memory of 312	2120	DEM1120.exe	39
PID 312 wrote to memory of 2068	312	DEM6642.exe	41
PID 312 wrote to memory of 2068	312	DEM6642.exe	41
PID 312 wrote to memory of 2068	312	DEM6642.exe	41
PID 312 wrote to memory of 2068	312	DEM6642.exe	41

C:\Users\Admin\AppData\Local\Temp\25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\DEM115F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM115F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\DEM669F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM669F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\DEMBBD0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBBD0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Users\Admin\AppData\Local\Temp\DEM1120.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1120.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Users\Admin\AppData\Local\Temp\DEM6642.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6642.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\DEMBB92.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB92.exe"
        7⤵
        Executes dropped EXE
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM669F.exe

Filesize
16KB

MD5
38dc727f1465aae50ae909ff8deacb30

SHA1
df14b285320c430a7c685601fe4344bfd061e18b

SHA256
385565d46518a256fb82005e968ddb40b9d045ff6f0c92565bc10123e740f172

SHA512
65aa76532c278978c0f083f3b523c80fb5d2caa17818e54d2590cee1740561a5d432af2437d50e55dd9ff6623a123b8e80b564add53f8ddf7adac4304491ef0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB92.exe

Filesize
16KB

MD5
e31bafbc57bbe8055442c9938eb78bdf

SHA1
d52d3a86a230669d800e14fc0b2a90d3d64f4c84

SHA256
f871d0a2409323915c378c60e33af3f9ab96965b6bf59a2ac3dd529530941d87

SHA512
af86ae4088a8389a27200474b30f56f1a229800ebf2e1b9c82c8e55e3e7502bb1c8d11733367f67d6d814ed7fec36096bdb95507b1c48158443fc582444528ae

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1120.exe

Filesize
16KB

MD5
2873a58c441829e4c91fca94463c6f50

SHA1
7cfa2935552fe4d136302c040dcb94e132afb6ad

SHA256
bea3c06c0bfb382e5bdecdfc25d57ea6601fa74790cc0d5ea38d199db51c7ad6

SHA512
86a698dc2f8ac67b799fe5853fb344e6eca839143f4bc48471a639fc749192edf94f2f60b705fa508dccd24522435673764b534ade6b4e15e24718fa89b99e3e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM115F.exe

Filesize
16KB

MD5
5353c6f83eb9eb3a3275e3119c6a97aa

SHA1
ae1dc1d7069d60e574d6fc0414eeba3d9be612f9

SHA256
61925138ff3bdf9f9a6b44f5449245ba778963823b44ab49ffe1fdedb0f53368

SHA512
87a39e347aa60c59b54386fa415b04f7829da44cc1a69afc4371178e045c30b519047649e82e303612fba5c559275d8b3376f2701a68f8db8197976b3120e7b5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6642.exe

Filesize
16KB

MD5
b49a7ec9e6f87e867a4939fb25c61684

SHA1
16fe7c55faaf045c0196a72efcadcd2cd8f0f6e2

SHA256
d112b8d51113f208a597bff432510eeeeeb0e79a0dc11f7a936e16958f683ac2

SHA512
ab1eca447854e56ad25ec0ff532891c5bacad9905340d01a9e78d2f29dc480cc6532e3128cb064c0a427e47540ddb3ffb2a6999daae632d7d423f5d93b5c665e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBBD0.exe

Filesize
16KB

MD5
de225ecf17cc47538af618f929f11d26

SHA1
c3a890f69a01a29467949826f70d078fcd403ad6

SHA256
d256c25553694edf389d4df6ede0e7eb39ae17e6481f85f2f4d44303f26681f6

SHA512
f0c9fdaaacc870c931d0e0b6d2ba422a04f7a92b560e9b16ec6f74b670d9bae8491e5107e976e1836ec9448a459e994d6ccbdd1ed5cad9639af0b026e5bf1ca8

Download Submit

Analysis

Sharing