96f7989358d3b37da30f4ce1837a2423dc9c795abaef6d76e7ef3ddcca3e3567

General

Target

27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe
Size

16KB
MD5

27fd7f5eb2fbb96affd0d9bf2af25a8a
SHA1

729db1a975d70a27d30bcff48356780685e340d6
SHA256

96f7989358d3b37da30f4ce1837a2423dc9c795abaef6d76e7ef3ddcca3e3567
SHA512

d4045c38a713ba8f40aeb9f7513252788ce6865f6e3cb75d996923f086f17c706b60d4522883be00e3bd8aebc4b66953818d5acf39a7c37a148cda5aa8244c79
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhjn:hDXWipuE+K3/SSHgx9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2628	DEM72EF.exe
2880	DEMC977.exe
1556	DEM1FA1.exe
2908	DEM757E.exe
2468	DEMCC44.exe
320	DEM225F.exe

Loads dropped DLL 6 IoCs

pid	Process
2484	27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe
2628	DEM72EF.exe
2880	DEMC977.exe
1556	DEM1FA1.exe
2908	DEM757E.exe
2468	DEMCC44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2628	2484	27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe	29
PID 2484 wrote to memory of 2628	2484	27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe	29
PID 2484 wrote to memory of 2628	2484	27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe	29
PID 2484 wrote to memory of 2628	2484	27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe	29
PID 2628 wrote to memory of 2880	2628	DEM72EF.exe	33
PID 2628 wrote to memory of 2880	2628	DEM72EF.exe	33
PID 2628 wrote to memory of 2880	2628	DEM72EF.exe	33
PID 2628 wrote to memory of 2880	2628	DEM72EF.exe	33
PID 2880 wrote to memory of 1556	2880	DEMC977.exe	35
PID 2880 wrote to memory of 1556	2880	DEMC977.exe	35
PID 2880 wrote to memory of 1556	2880	DEMC977.exe	35
PID 2880 wrote to memory of 1556	2880	DEMC977.exe	35
PID 1556 wrote to memory of 2908	1556	DEM1FA1.exe	37
PID 1556 wrote to memory of 2908	1556	DEM1FA1.exe	37
PID 1556 wrote to memory of 2908	1556	DEM1FA1.exe	37
PID 1556 wrote to memory of 2908	1556	DEM1FA1.exe	37
PID 2908 wrote to memory of 2468	2908	DEM757E.exe	39
PID 2908 wrote to memory of 2468	2908	DEM757E.exe	39
PID 2908 wrote to memory of 2468	2908	DEM757E.exe	39
PID 2908 wrote to memory of 2468	2908	DEM757E.exe	39
PID 2468 wrote to memory of 320	2468	DEMCC44.exe	41
PID 2468 wrote to memory of 320	2468	DEMCC44.exe	41
PID 2468 wrote to memory of 320	2468	DEMCC44.exe	41
PID 2468 wrote to memory of 320	2468	DEMCC44.exe	41

C:\Users\Admin\AppData\Local\Temp\27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\DEM72EF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM72EF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\DEMC977.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC977.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\DEM757E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM757E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Users\Admin\AppData\Local\Temp\DEMCC44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCC44.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\DEM225F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM225F.exe"
        7⤵
        Executes dropped EXE
        
        PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMC977.exe

Filesize
16KB

MD5
2209a7fe696266cef0c6b92bf041e512

SHA1
12494cf79f31f388156d6b335ba3373332aed6f2

SHA256
14251743bc9f25163be9ecaf63420906fa3b2a8a17abc0faa1dab02d38f96e2b

SHA512
7ef1a43be1d20367e1a3a857780901925e3ba826caeae85cb7b430eb04ada9eb7fbf4207ad5b21d8294ca520b9bfc4f80c980a1dded84b5812a1aff0b36aebd9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1FA1.exe

Filesize
16KB

MD5
b68eece6aa4ba7766e112bacc03ce449

SHA1
417e4b9469daa2a073ec91b4e142b4c236dac6f0

SHA256
3682f57d195818af1bb5c28453fbea5fa78f66b6161f78e50309be07dec6ea93

SHA512
1d41ca6bfdf26e6c2adc416ceaa28a1917d1803b7a9520ab84a9e6858a9acdc48705194cfec1df78c395c38416d54799d8f3b1442fc3965df778c2e5f6892df5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM225F.exe

Filesize
16KB

MD5
73d0d728c9076a393495dfa85fde5c98

SHA1
1dfdbc9cb05e1f7755d7871649705f727675fd1a

SHA256
d1bfd09f6cae9a38b9512e69f637b42a8574fbb1faa7ef7ce2c41fd9d9d9dafb

SHA512
cb56ca1aa7e154d9be3e7897180281110db1d3aa1d4408147deb0c95b57b63f786559ba52cb9d02f7916671177f592953c26b0eeb85aa982ce4e0cba1f549e1a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM72EF.exe

Filesize
16KB

MD5
532a06b68f12f4729a1e61af119764c9

SHA1
28dde4f5cd913aa3e835a0d288542676e9826dcb

SHA256
06492d26088c4b6e1bf57b3f9e904d97de3937bf8a16f1f65d859d30179c706f

SHA512
936564b4b470db8cc6c7a6659a2947929df3cce668916079ed769ef9fc1910cd72f46d1a12282fd5392bdedb1deb96ae8dae901e4420962e4dc3bffbfe42aaa7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM757E.exe

Filesize
16KB

MD5
79029803d3498c15c5ee2ec0d687b64b

SHA1
40aa1f497aa336a5720d43cb6e2838ca70ca2faa

SHA256
dc5dd26b3676e90a74189d0f19f3f64a11044d7f280eb358482be3999849ad6a

SHA512
96bf6413537f1e060737abf533b4aee635f5b61bcec9a435cd727c136f93097e81b95bea6720de0ea868b7b0ce1f7f4c0f43a93e51f98b6db0f2c926432f774d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCC44.exe

Filesize
16KB

MD5
306ba1708b60322102839a9abee870ac

SHA1
1bb492f1b84f7432e55d2933e557083c61b3368a

SHA256
55f4d23f421855d9f83ed6475e2efbfe1feeb8d70ca46af3d1ac4cc2308edca8

SHA512
20816466b55b08c27e293cdfcff9c29cac8cf3278c58a7ba9d4e40de4cc5bd46a7bc5d8730cfcf27b3d9e420d0228cb7a5232e6e50b6d434e1f2290fe967c0a2

Download Submit

Analysis

Sharing