32c1bef8e982f91e5a91ba6cad8603148e5d6d2308e14cfc7eae2798dee47dde

General

Target

2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe
Size

15KB
MD5

2594a18b5f5379cf2af07c2071c50b5f
SHA1

24cc16ab3c325f4fbf0598855b39c3bafae932d2
SHA256

32c1bef8e982f91e5a91ba6cad8603148e5d6d2308e14cfc7eae2798dee47dde
SHA512

52d85feb78d8eb84b44549b629ef01c8987d27e61096085112dad6acf61db285cf65b18201da33e3219dcb8df306de07bf6b410ef19d003c0a11d54473a1bd03
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4l+Lv:hDXWipuE+K3/SSHgxmH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2080	DEM879.exe
1928	DEM5DD9.exe
2864	DEMB319.exe
2720	DEM86A.exe
1720	DEM5DAA.exe
2312	DEMB377.exe

Loads dropped DLL 6 IoCs

pid	Process
1752	2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe
2080	DEM879.exe
1928	DEM5DD9.exe
2864	DEMB319.exe
2720	DEM86A.exe
1720	DEM5DAA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2080	1752	2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe	29
PID 1752 wrote to memory of 2080	1752	2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe	29
PID 1752 wrote to memory of 2080	1752	2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe	29
PID 1752 wrote to memory of 2080	1752	2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe	29
PID 2080 wrote to memory of 1928	2080	DEM879.exe	31
PID 2080 wrote to memory of 1928	2080	DEM879.exe	31
PID 2080 wrote to memory of 1928	2080	DEM879.exe	31
PID 2080 wrote to memory of 1928	2080	DEM879.exe	31
PID 1928 wrote to memory of 2864	1928	DEM5DD9.exe	35
PID 1928 wrote to memory of 2864	1928	DEM5DD9.exe	35
PID 1928 wrote to memory of 2864	1928	DEM5DD9.exe	35
PID 1928 wrote to memory of 2864	1928	DEM5DD9.exe	35
PID 2864 wrote to memory of 2720	2864	DEMB319.exe	37
PID 2864 wrote to memory of 2720	2864	DEMB319.exe	37
PID 2864 wrote to memory of 2720	2864	DEMB319.exe	37
PID 2864 wrote to memory of 2720	2864	DEMB319.exe	37
PID 2720 wrote to memory of 1720	2720	DEM86A.exe	39
PID 2720 wrote to memory of 1720	2720	DEM86A.exe	39
PID 2720 wrote to memory of 1720	2720	DEM86A.exe	39
PID 2720 wrote to memory of 1720	2720	DEM86A.exe	39
PID 1720 wrote to memory of 2312	1720	DEM5DAA.exe	41
PID 1720 wrote to memory of 2312	1720	DEM5DAA.exe	41
PID 1720 wrote to memory of 2312	1720	DEM5DAA.exe	41
PID 1720 wrote to memory of 2312	1720	DEM5DAA.exe	41

C:\Users\Admin\AppData\Local\Temp\2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\DEM879.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM879.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\DEM5DD9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5DD9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\DEMB319.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB319.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\DEM86A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM86A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Users\Admin\AppData\Local\Temp\DEM5DAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5DAA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\DEMB377.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB377.exe"
        7⤵
        Executes dropped EXE
        
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5DD9.exe

Filesize
15KB

MD5
608070d84845f2ca22a0035ae444b0f9

SHA1
baba5206a0275bd35cafd99ae63ff35aba696845

SHA256
287a62b7a0a432df3171b581e72708332ef9d8d23938e936b557114afeef754b

SHA512
41af2c0ea42435eff4867f1cb37c0c52ff3f1a73b648195b09df90f6c04112d72754b3bafc4740ba7ca346afa3960b5cbbbd01ceedcd415c83b396dd7b8c0dca

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5DAA.exe

Filesize
15KB

MD5
9fcd50291d7768c745d341a8679da7d3

SHA1
cd82bf47172c40bf2f55a1d8d69b532268980181

SHA256
9c269e962cbfbd0f34a475708755f7d36ffc816e2f71030918e5fd1db5dc55a4

SHA512
9b631b5179b4bbc058cd0c3c2ebcbd548179f3bd473521d7924828251e32237bdf9c98880aab63928429f0f666d778a280b448917fcf54d50eda001be80cbdd4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM86A.exe

Filesize
15KB

MD5
e88c6dbe6ef81fe86ebf886755a84a72

SHA1
a6c19899699ecfe7ef722e03c1087a2f0b169dbe

SHA256
2f1f2888fa231b1bd2e2f4a76852059021b1550502e7ab2215f22d641ae36db8

SHA512
721e6a4c888e5302e5438f2151edc0456c6910f3d06e62708c889b455a2499d6bb56728347b3bf9db45e083bd4825f07ccca26f4d95a7a288bf6d216431ab9d7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM879.exe

Filesize
15KB

MD5
7f67278ffd23cb3ee36f9f7ee4e4b23f

SHA1
5c40e2e8ab7bcfa123b39b766412f61462f6da67

SHA256
8d582694ee6c1cb13779a19b29643f7183f24f2a1083bdcac42b4c1b73d2726b

SHA512
21b4481ada6ec7eea2203b23795968a4fb03a79dcaa5183c3c8e7eb1b82698ccc0b7d2878296d7c284038964367bb52e2c0520967ad33158fc617f45a88268dd

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB319.exe

Filesize
15KB

MD5
5ce1a218660f5542a96986e1e586fe65

SHA1
93b2753038c3d6e13e5520ac1439f838a7434553

SHA256
3b3a2108a9d30c5ebf831fd677447b1243ecf8126c7132beefb7a2cb9dbdb0fb

SHA512
bfda4afb6f346a3d0564d7f110b9b5718969ff10c519ab77376b12935e30c3eaf64e7c712664371cd00b12fb9aebfb6c575cdd8961c11247ab19f98b7298522f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB377.exe

Filesize
15KB

MD5
6378ee8a2f37c5777f323a77664289f4

SHA1
e4a65d7330a796aaa73a4689d23da59b5ea226da

SHA256
c2d3c8da34f9d009d8b039e6f4e317ba6baf596a783c4445e371c31033e70e78

SHA512
eb925bf44e0b055342f60376274c73b9d5756db924f2fd9a04b6a34d5aa36abc51437277a2f6b4850654f228cd23aa2e77e208aec9588f6bb848797da1c6e1cf

Download Submit

Analysis

Sharing