5b5311b75f67053c6df98825205f3badb5d80984fe9aa0e4c8b919e193f0af94

General

Target

2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe
Size

16KB
MD5

2970e1c26ef472285f0888308b7f6e73
SHA1

86953b3e9291f7a4585eef2e843055e2e2274744
SHA256

5b5311b75f67053c6df98825205f3badb5d80984fe9aa0e4c8b919e193f0af94
SHA512

87d7b25afc5c768092f5d6d0b99f9b10d56a2b696c29c9a9f3a78a1dad51901415652cc3b2edf2ab3e348af3a1b4d29f596b8c1f4e669639e2d42ed2e9f539aa
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlt:hDXWipuE+K3/SSHgxmlt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2584	DEM14D8.exe
2156	DEM6A38.exe
2736	DEMBF88.exe
1784	DEM14E8.exe
2028	DEM6A47.exe
2616	DEMBF78.exe

Loads dropped DLL 6 IoCs

pid	Process
2476	2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe
2584	DEM14D8.exe
2156	DEM6A38.exe
2736	DEMBF88.exe
1784	DEM14E8.exe
2028	DEM6A47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2584	2476	2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe	29
PID 2476 wrote to memory of 2584	2476	2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe	29
PID 2476 wrote to memory of 2584	2476	2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe	29
PID 2476 wrote to memory of 2584	2476	2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe	29
PID 2584 wrote to memory of 2156	2584	DEM14D8.exe	31
PID 2584 wrote to memory of 2156	2584	DEM14D8.exe	31
PID 2584 wrote to memory of 2156	2584	DEM14D8.exe	31
PID 2584 wrote to memory of 2156	2584	DEM14D8.exe	31
PID 2156 wrote to memory of 2736	2156	DEM6A38.exe	35
PID 2156 wrote to memory of 2736	2156	DEM6A38.exe	35
PID 2156 wrote to memory of 2736	2156	DEM6A38.exe	35
PID 2156 wrote to memory of 2736	2156	DEM6A38.exe	35
PID 2736 wrote to memory of 1784	2736	DEMBF88.exe	37
PID 2736 wrote to memory of 1784	2736	DEMBF88.exe	37
PID 2736 wrote to memory of 1784	2736	DEMBF88.exe	37
PID 2736 wrote to memory of 1784	2736	DEMBF88.exe	37
PID 1784 wrote to memory of 2028	1784	DEM14E8.exe	39
PID 1784 wrote to memory of 2028	1784	DEM14E8.exe	39
PID 1784 wrote to memory of 2028	1784	DEM14E8.exe	39
PID 1784 wrote to memory of 2028	1784	DEM14E8.exe	39
PID 2028 wrote to memory of 2616	2028	DEM6A47.exe	41
PID 2028 wrote to memory of 2616	2028	DEM6A47.exe	41
PID 2028 wrote to memory of 2616	2028	DEM6A47.exe	41
PID 2028 wrote to memory of 2616	2028	DEM6A47.exe	41

C:\Users\Admin\AppData\Local\Temp\2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\DEM14D8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM14D8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\DEMBF88.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBF88.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\DEM14E8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM14E8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\DEM6A47.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6A47.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\DEMBF78.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBF78.exe"
        7⤵
        Executes dropped EXE
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe

Filesize
16KB

MD5
c9ce4894afe6f2a3e0fe4222ac0eafe7

SHA1
84524afe933a2ada35ca0d00eb41d9ef60b2b58b

SHA256
241980fac3e48b2467e05ec4e8e05593787023ca08efdf0ce8caf4d0a7b92ea1

SHA512
d0f8fa81cdfdacbb106122150b45d80f3aa7680080290433ebd7ee4b15ecca84f820b32186bd9a381d0fb20a7947e5821c0cfe5151719f2858aa1df805270338

Download Submit
\Users\Admin\AppData\Local\Temp\DEM14D8.exe

Filesize
16KB

MD5
5bbdc26b1335f8f083b330881dc1c21b

SHA1
1536c60563c9672273e2234ff8ae3ba99fba5a74

SHA256
280f025dc67d1d1106217970188b91cbb8fafe8853455b388d3a8ef1218dda7d

SHA512
ed3a88e06d590c92803c45997cc4ce1c1e8a2b11aed7c194aabb56232e7495840c7430749614260a3d35859ade66deef4d137651903c92a68bbd1bdc26e67c37

Download Submit
\Users\Admin\AppData\Local\Temp\DEM14E8.exe

Filesize
16KB

MD5
da73d44da5d930ecbb2d522da0ebb708

SHA1
49a5c268177a11dfbb47d73196243946b04f36cd

SHA256
718a7cb39f0198df0254fdfad22ac870b740c91f5a425d7163dfe8c71630bb3c

SHA512
5191fd448edbffd90fbe0891a14191c0512133738353db713e672784801f810fb007e32244f7f3b36380ecfe7902809db90d0510c53d89f74c92cfc2631fad95

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6A47.exe

Filesize
16KB

MD5
0dd071466f9bb82f1b174afa02b0a52b

SHA1
26f0bc15c7b9384fbd82ef04ca8168b95d18ebf7

SHA256
89b6590da677bc6c22af90c0aea80ca8ececac8fe5bba0a50edd7f0ee1c0d8b0

SHA512
4d509132ad6df93355d4e802f7816a9b0c57ad5ad35a4c7d842c2829e0142e0ff728699dcdbb300bf98a18fc942e9d66d1d241c862367f17358e57ce53074976

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBF78.exe

Filesize
16KB

MD5
88c23a75242bebb58649af5a83ac8274

SHA1
387f1d8c2687f7c85898638c39499a7b1e41db7f

SHA256
98b153a6c5d9ca370d2fb4172b818dc4d18ac806b45811bf29576a54ece12177

SHA512
e7c0e9714c756d031b884d83c77bd7081da11ec61fd24af990f1efe118d952e1a644d9cb61f7dd3a28679d8a2a087d248a3a29b157ff3c2fed5a09c66774979f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBF88.exe

Filesize
16KB

MD5
614f2609e6f75a6d37fd42a2483350dd

SHA1
d639ea3d1936f1b9c25e80456594351242a0a9ad

SHA256
c4c9101a8b3ffbfbab99318f35c57abdc72536d3eba27b3c1508dfecbef7cece

SHA512
6a6c2f9c0ac8df2785e74ddea20e9f977dc73acbac6a735c8dd91ba4b11754891da05913ddd92d592fe79753d39bf47c5c1c139f1191d00b9ff8527f32ab05c5

Download Submit

Analysis

Sharing