7793c8a9991a96ae8c3ba0d7b4b134c43cafee0c10e19f6071e75066e8f233fe

General

Target

25b795100998c1eb114b6720705c786b_JaffaCakes118.exe
Size

14KB
MD5

25b795100998c1eb114b6720705c786b
SHA1

a91cebd25055d047e5946b7ed8588ef648588b48
SHA256

7793c8a9991a96ae8c3ba0d7b4b134c43cafee0c10e19f6071e75066e8f233fe
SHA512

d8e3649ecc76f1e21ad31460a1e6e8cb6b7751aea991533c3f22c448f84fc3252568575ca28bc4919b059dde0cb35277123a8e36775840d72c60f1f06c61461f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHuw:hDXWipuE+K3/SSHgx3NHHD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2888	DEM7DA8.exe
2172	DEMD45F.exe
340	DEM29CE.exe
312	DEM8057.exe
1916	DEMD6FE.exe
1520	DEM2DA5.exe

Loads dropped DLL 6 IoCs

pid	Process
1632	25b795100998c1eb114b6720705c786b_JaffaCakes118.exe
2888	DEM7DA8.exe
2172	DEMD45F.exe
340	DEM29CE.exe
312	DEM8057.exe
1916	DEMD6FE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2888	1632	25b795100998c1eb114b6720705c786b_JaffaCakes118.exe	30
PID 1632 wrote to memory of 2888	1632	25b795100998c1eb114b6720705c786b_JaffaCakes118.exe	30
PID 1632 wrote to memory of 2888	1632	25b795100998c1eb114b6720705c786b_JaffaCakes118.exe	30
PID 1632 wrote to memory of 2888	1632	25b795100998c1eb114b6720705c786b_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2172	2888	DEM7DA8.exe	33
PID 2888 wrote to memory of 2172	2888	DEM7DA8.exe	33
PID 2888 wrote to memory of 2172	2888	DEM7DA8.exe	33
PID 2888 wrote to memory of 2172	2888	DEM7DA8.exe	33
PID 2172 wrote to memory of 340	2172	DEMD45F.exe	35
PID 2172 wrote to memory of 340	2172	DEMD45F.exe	35
PID 2172 wrote to memory of 340	2172	DEMD45F.exe	35
PID 2172 wrote to memory of 340	2172	DEMD45F.exe	35
PID 340 wrote to memory of 312	340	DEM29CE.exe	37
PID 340 wrote to memory of 312	340	DEM29CE.exe	37
PID 340 wrote to memory of 312	340	DEM29CE.exe	37
PID 340 wrote to memory of 312	340	DEM29CE.exe	37
PID 312 wrote to memory of 1916	312	DEM8057.exe	39
PID 312 wrote to memory of 1916	312	DEM8057.exe	39
PID 312 wrote to memory of 1916	312	DEM8057.exe	39
PID 312 wrote to memory of 1916	312	DEM8057.exe	39
PID 1916 wrote to memory of 1520	1916	DEMD6FE.exe	41
PID 1916 wrote to memory of 1520	1916	DEMD6FE.exe	41
PID 1916 wrote to memory of 1520	1916	DEMD6FE.exe	41
PID 1916 wrote to memory of 1520	1916	DEMD6FE.exe	41

C:\Users\Admin\AppData\Local\Temp\25b795100998c1eb114b6720705c786b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25b795100998c1eb114b6720705c786b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\DEM7DA8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7DA8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\DEMD45F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD45F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\DEM29CE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM29CE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Users\Admin\AppData\Local\Temp\DEM8057.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8057.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:312
      - C:\Users\Admin\AppData\Local\Temp\DEMD6FE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD6FE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\DEM2DA5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2DA5.exe"
        7⤵
        Executes dropped EXE
        
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8057.exe

Filesize
14KB

MD5
a299bfa33a7b46e4c9398903dae55626

SHA1
943b7b90db7a2646d89cd8d629cbb13b567a2fe7

SHA256
c7de9855ea3d58db0187434df3abb125768537630410a16dbd4792ab1533c8ef

SHA512
6713e0fde8536f3b9631c800e708f23d5a830dd638dc21bf3d478805e4780fcb3795e9e4a64c5ea04c2d992d62cf5c052bdd9b0786ae8be87524f97f94ed382f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD45F.exe

Filesize
14KB

MD5
7b409c06c7f78d61e969b8c99ce13551

SHA1
8e76798ad9db026cb15cffa3ea7683f37e9b012e

SHA256
ffbd5b38f49f07e7b6a98f9bde28514e889b09912581c27dd739161e0be90749

SHA512
0b4e4d5be12beccc70114f3651a421cfa19f0aed26259752175d123b3d241400eae116e8e0b45d2ce47858fc36958996d71f36fd9e8315b84c293f08a0d92809

Download Submit
\Users\Admin\AppData\Local\Temp\DEM29CE.exe

Filesize
14KB

MD5
55fc466830da7647df96fc72ee517053

SHA1
3b7ce6f3f37d3360aaa3a06dbf468eb6a80f10bc

SHA256
4d4a6ce015f55b4b96be34fce9b9bef473ff011c008e4b064e45df282e25866b

SHA512
77f1d832297b1661399acc86cfed6f9cdb22ccbc5a1290339326f9b115c3a4be4b17ee0ca4bc265d4f6c8231d30fd77d4945daa68a5d5cb6d092db4de0ce1874

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2DA5.exe

Filesize
14KB

MD5
2a28c8bcff644d01c84808c895fce19e

SHA1
7160f42d5197e6d142812c520a1c7579f50ee8db

SHA256
3458ee0305947dbd4a19d930feb35e5bc9ad3e3da37b87707fb0c84b929caf38

SHA512
a412e980fd2e4ff5dd62380d3ce4b20ab60f699b11d663a46297382882cef2ed4abd697b9c25790fd7adf4b7c9ab58740b74c3e27b241c4ed4108590f9d145ba

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7DA8.exe

Filesize
14KB

MD5
4d8bc154ef58174757cd1a3c0d76c304

SHA1
fcf5ec4c890d881487a874b6ba8287384da0557b

SHA256
2765cfa181aa48c5767afd6be5712df5998a11316cd15e3f3d82619adfb0edaa

SHA512
15e847372619da617fb9668b0ade04418bdd411246ee4ce3da696ccae988d46bbdba38cff05305421bdac78c6be0b0972e825c34290512956661d04aba6cfa76

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD6FE.exe

Filesize
14KB

MD5
d9565e1ed09df4ac47e70dac8241c4de

SHA1
dcb116dda40319388af66e34d64d20320c66a0df

SHA256
e9d1726b39990955283a08bc41aade721428778313926bb2bdfd417566e20ff6

SHA512
2844ad7a3309b4ed6ddbc07072ccca5fff19076dd9bb136adf3f1ac878c0cda7f840ecceb460b2405c6da8ba744485f99cd7866300ee1c03c5fdd8357bb3e099

Download Submit

Analysis

Sharing