5541a2e32ef62900c25fa7c73ea059da9b02bdd754482a371b307928a369bea1

General

Target

282435c50bd504916f64101cb6efbc8e_JaffaCakes118.exe
Size

15KB
MD5

282435c50bd504916f64101cb6efbc8e
SHA1

24dc1b10a580e52a467fca458f06c20a811a0fc6
SHA256

5541a2e32ef62900c25fa7c73ea059da9b02bdd754482a371b307928a369bea1
SHA512

d5fadfe0206a9b07025ab547e85433aafadab398d2a15c613235614fc36307c2d544c66ab344d54f3139a56ed7718d580b4606fb79240f87ed509926e45cf797
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlpA:hDXWipuE+K3/SSHgxmlpA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2152	DEMACA.exe
2752	DEM6087.exe
2936	DEMB5B8.exe
2536	DEMB28.exe
320	DEM6097.exe
1968	DEMB683.exe

Loads dropped DLL 6 IoCs

pid	Process
2888	282435c50bd504916f64101cb6efbc8e_JaffaCakes118.exe
2152	DEMACA.exe
2752	DEM6087.exe
2936	DEMB5B8.exe
2536	DEMB28.exe
320	DEM6097.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2152	2888	282435c50bd504916f64101cb6efbc8e_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2152	2888	282435c50bd504916f64101cb6efbc8e_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2152	2888	282435c50bd504916f64101cb6efbc8e_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2152	2888	282435c50bd504916f64101cb6efbc8e_JaffaCakes118.exe	29
PID 2152 wrote to memory of 2752	2152	DEMACA.exe	31
PID 2152 wrote to memory of 2752	2152	DEMACA.exe	31
PID 2152 wrote to memory of 2752	2152	DEMACA.exe	31
PID 2152 wrote to memory of 2752	2152	DEMACA.exe	31
PID 2752 wrote to memory of 2936	2752	DEM6087.exe	35
PID 2752 wrote to memory of 2936	2752	DEM6087.exe	35
PID 2752 wrote to memory of 2936	2752	DEM6087.exe	35
PID 2752 wrote to memory of 2936	2752	DEM6087.exe	35
PID 2936 wrote to memory of 2536	2936	DEMB5B8.exe	37
PID 2936 wrote to memory of 2536	2936	DEMB5B8.exe	37
PID 2936 wrote to memory of 2536	2936	DEMB5B8.exe	37
PID 2936 wrote to memory of 2536	2936	DEMB5B8.exe	37
PID 2536 wrote to memory of 320	2536	DEMB28.exe	39
PID 2536 wrote to memory of 320	2536	DEMB28.exe	39
PID 2536 wrote to memory of 320	2536	DEMB28.exe	39
PID 2536 wrote to memory of 320	2536	DEMB28.exe	39
PID 320 wrote to memory of 1968	320	DEM6097.exe	41
PID 320 wrote to memory of 1968	320	DEM6097.exe	41
PID 320 wrote to memory of 1968	320	DEM6097.exe	41
PID 320 wrote to memory of 1968	320	DEM6097.exe	41

C:\Users\Admin\AppData\Local\Temp\282435c50bd504916f64101cb6efbc8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\282435c50bd504916f64101cb6efbc8e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\DEMACA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMACA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\DEM6087.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6087.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\DEMB5B8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB5B8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\DEMB28.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB28.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\DEM6097.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6097.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\DEMB683.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB683.exe"
        7⤵
        Executes dropped EXE
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6087.exe

Filesize
15KB

MD5
fc6f454d1d60616154883a76dc01225b

SHA1
e2ab06f88b6888bf884da307a67726d779e8937b

SHA256
f7ffa297d372b3dc0b0fa3f610c62f9c97c18a1a51d67628cf066cccb63c887e

SHA512
ec38ffbd990eacf99202177b713e4ce9f9d56afe056ce4d4fc64d0f9434e2202f0fbd37dee0d1738b89affa4f6e926ec92e9d3c582b9b5e768d66c54ba92a11b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6097.exe

Filesize
15KB

MD5
8988c04984f366b00b635519b8780e8e

SHA1
019d954738e789246331fdbb202b99f5afaaf1e6

SHA256
d25d5d06b68ca6d25b9d0139b52d1b9c1d7d367edbb149d41f4db2277345afd1

SHA512
15efff2210cdf22c321ff76f264803f004a331544a11f6fd2fc7e32beed141cec548198b356ca448245b1f5adf64354e622cb9a514c56a3bee3dba99efe74ab1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMACA.exe

Filesize
15KB

MD5
ebb1b197ff18b1064aaaf9db4494405a

SHA1
298ca2fea0190e0688b9a2491ad243caa2d6ccfb

SHA256
481149d7371de141feee274bb3c56b3b15b8afaa7f0d32d2d3e425f804bde2a8

SHA512
a4034651d5c87fe2bcdc667315c2c46daa3b14449856fd48e9101c1a146fdcf06da40c5472c3dc1076a5b604d7716f3b646728784cff049e80fbf9640518f6ca

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB28.exe

Filesize
15KB

MD5
f5e4cf2c2eb7a95fddf7872b3ca45131

SHA1
0f40af91df013d949c345323b8c6c4974d06ad64

SHA256
303fd002cc18429e5c6823566c97af189fd90b1efd15a996bdeb993d8b6648c8

SHA512
48b2b583c4b91af03aba2e4bc1f659f08b6dc1d02d1e0d72ff754d31108d06bf1ebf958c5be7bfe4672d1edf6af16e5fb78a289f39561951ea8f6af191803d0a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB5B8.exe

Filesize
15KB

MD5
2262066721d8a48c0ae7d7b32d5c23e8

SHA1
6947662924d1ffc49826d0a48a10709738446af3

SHA256
e2951d0eeb01a3f9bccf6a0099d81d5a8c12ffbb99c16b22eafb363dff516fde

SHA512
59045301174b90da0ab2f09af7d703fc2adf59c79e0719ab7f0a37d30863f3a22cb1938f16b86b62512983b739cb135663da2891b7e970113aae772dad2f94f9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB683.exe

Filesize
15KB

MD5
ce6c645fbae50781e4d6caaec981f3d2

SHA1
6e80ec63472f6707925c5c8cd667c26ffee201db

SHA256
f39c4171e83c93d5fec6e4b7d20640dd8896370b32cf9bf81306ccfa4c695405

SHA512
f14b4455f1399bb71c7efc5b719a5de7d12a4621848c0cd2bc8d6d54b5132169ac8d0e27620992c875df72cf74e73bc90017494ffe79b2e50b40964edf917b7a

Download Submit

Analysis

Sharing