bfa18cc1a3dffbaa117b2439ed75c3e3d8485942013a75cbe47407eebcad5c80

General

Target

28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe
Size

15KB
MD5

28423b49d4c68b00963b662c8128052d
SHA1

f7ce761cbcdf3204eafb854f30a8244ce3e8e642
SHA256

bfa18cc1a3dffbaa117b2439ed75c3e3d8485942013a75cbe47407eebcad5c80
SHA512

ef1be5661063f6ffd41d29169036e67cf793d3268028f415dfa2a8228894b5677cf3aa0badcdcf78fd58f07d516d32050391c07aa069da9dc6c6d95385724b9a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5X/EmD:hDXWipuE+K3/SSHgxm5s+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2576	DEM751.exe
2492	DEM5D9A.exe
2820	DEMB2CB.exe
2812	DEM7ED.exe
1476	DEM5DC9.exe
2268	DEMB396.exe

Loads dropped DLL 6 IoCs

pid	Process
2740	28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe
2576	DEM751.exe
2492	DEM5D9A.exe
2820	DEMB2CB.exe
2812	DEM7ED.exe
1476	DEM5DC9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2576	2740	28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe	29
PID 2740 wrote to memory of 2576	2740	28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe	29
PID 2740 wrote to memory of 2576	2740	28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe	29
PID 2740 wrote to memory of 2576	2740	28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2492	2576	DEM751.exe	31
PID 2576 wrote to memory of 2492	2576	DEM751.exe	31
PID 2576 wrote to memory of 2492	2576	DEM751.exe	31
PID 2576 wrote to memory of 2492	2576	DEM751.exe	31
PID 2492 wrote to memory of 2820	2492	DEM5D9A.exe	35
PID 2492 wrote to memory of 2820	2492	DEM5D9A.exe	35
PID 2492 wrote to memory of 2820	2492	DEM5D9A.exe	35
PID 2492 wrote to memory of 2820	2492	DEM5D9A.exe	35
PID 2820 wrote to memory of 2812	2820	DEMB2CB.exe	37
PID 2820 wrote to memory of 2812	2820	DEMB2CB.exe	37
PID 2820 wrote to memory of 2812	2820	DEMB2CB.exe	37
PID 2820 wrote to memory of 2812	2820	DEMB2CB.exe	37
PID 2812 wrote to memory of 1476	2812	DEM7ED.exe	39
PID 2812 wrote to memory of 1476	2812	DEM7ED.exe	39
PID 2812 wrote to memory of 1476	2812	DEM7ED.exe	39
PID 2812 wrote to memory of 1476	2812	DEM7ED.exe	39
PID 1476 wrote to memory of 2268	1476	DEM5DC9.exe	41
PID 1476 wrote to memory of 2268	1476	DEM5DC9.exe	41
PID 1476 wrote to memory of 2268	1476	DEM5DC9.exe	41
PID 1476 wrote to memory of 2268	1476	DEM5DC9.exe	41

C:\Users\Admin\AppData\Local\Temp\28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\DEM751.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM751.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\DEM5D9A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5D9A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\DEMB2CB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB2CB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\DEM7ED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7ED.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Users\Admin\AppData\Local\Temp\DEM5DC9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5DC9.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\DEMB396.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB396.exe"
        7⤵
        Executes dropped EXE
        
        PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5D9A.exe

Filesize
15KB

MD5
55b23af6605cdeeb492637553247a5a7

SHA1
28ad13faf8c1fdced3f405425b00733a7c84b756

SHA256
5b7e631d4e21e910bf3951b045daf8036f99de0dc174f1a4cb5d42a3662b8890

SHA512
92bc0098d91c128aba2f17e081bc2135147ac839a9bd4df6a523206e782c9d8237c850ec5badceda994d2fe21f971c77970aee9017fad388935c3eb3abf3a580

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5DC9.exe

Filesize
15KB

MD5
00b78d4f1e2f471dbf1b95a9dbe8a284

SHA1
4807cdd1d7333fd1945e87c9c2d8ff5f18ceb215

SHA256
04e3be2f8644204615854c02c21c546f7d7966db71c8a926f17b446579134431

SHA512
494872381d87e4b4a70e8b607ced6d9191521ff5b97e2395ee022f441edf123acfdc1446656f024492be9ad31382d2d27834d23b6241ee462e65e7ee429a3d56

Download Submit
\Users\Admin\AppData\Local\Temp\DEM751.exe

Filesize
15KB

MD5
f9e968342360b84052411647ba09e17f

SHA1
22dd409863e6a2b47215e9347a0225c475a54db4

SHA256
78cc3759ab9dcfc1c57bb5dce031d0a8a4ba21947a19ced643793d12a550332a

SHA512
952200aad9d720d32d450d309e6bc447ff0e7d4c115c9d0e5c447910e2446e77d13927ffb37e5f54dd9ba158e6ed9e1982bcf78433740a7887907739a0c0abf8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7ED.exe

Filesize
15KB

MD5
ba0aeda0eda0b7b0ca8faa2906570dac

SHA1
7395c069d552a797f2fe5ce41c933fb78d0e1804

SHA256
c2654cb57ee7056d0dae3fadfec39d49fe80a590db9b78dad2211ba0c0ab90b4

SHA512
79849a05ca17179c8dbb9dc626a437e84a9698e5a724e0976d6402d1a38ea70d783c03f95126503cb1495ec30ed02dd88aee6213bc0b255da364277e68f53013

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB2CB.exe

Filesize
15KB

MD5
a019a219d5d30b22682e221ae76c3c7a

SHA1
45f98187b02d7a2859bb55dd1906a723ab7ef859

SHA256
89d10d174f32950796db117e62345bcbac2d4e6e52962d64e5fd38639cb3e238

SHA512
f080799eefab73d67d9ba256ff4e7f3550121fa354ecaeda59ba9f90e08e6bf486142318d7d9bebd10cb469c5f12c77f88ce85e1c9eb9cb5162202e3bc97241e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB396.exe

Filesize
15KB

MD5
93c6ba34cc4678f68859c172b1543c8d

SHA1
be52e613f0e8915b77ed090f9a8a85e170c7c4fe

SHA256
048b7924802d2d65fdf689c317676fa2473d5458387e718fcab6860350f7370b

SHA512
731044304522e7bea264490e223d8aebf48ebf25745386e811909078df31748f2c7fd190ea1371ebdb2c3ef59a0fa0344ac4dff7b878da05f5ceefcdb24804c1

Download Submit

Analysis

Sharing