b38c7845a1a1dca4b08318bbec8f646f3e19f7dc65156120c933835a5f501954

General

Target

29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe
Size

16KB
MD5

29ed5766c3c0f4017f646d01ae95ab89
SHA1

5d53769c07eaf0f117b7e1bdd35db2cb79c9e77a
SHA256

b38c7845a1a1dca4b08318bbec8f646f3e19f7dc65156120c933835a5f501954
SHA512

69de70a05d6d7922314382210acd5a7dd1094d1827c4dac6ec2f5d0381af472c672c7030db04ef007612164a48374916e4da3a945ab13ecea21bfa1cd4dda751
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5ZWu:hDXWipuE+K3/SSHgxl5n

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2568	DEM428C.exe
2436	DEM98C6.exe
1924	DEMEE55.exe
1040	DEM43F3.exe
1148	DEM9972.exe
1828	DEMEF9C.exe

Loads dropped DLL 6 IoCs

pid	Process
2216	29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe
2568	DEM428C.exe
2436	DEM98C6.exe
1924	DEMEE55.exe
1040	DEM43F3.exe
1148	DEM9972.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2568	2216	29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe	29
PID 2216 wrote to memory of 2568	2216	29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe	29
PID 2216 wrote to memory of 2568	2216	29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe	29
PID 2216 wrote to memory of 2568	2216	29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe	29
PID 2568 wrote to memory of 2436	2568	DEM428C.exe	33
PID 2568 wrote to memory of 2436	2568	DEM428C.exe	33
PID 2568 wrote to memory of 2436	2568	DEM428C.exe	33
PID 2568 wrote to memory of 2436	2568	DEM428C.exe	33
PID 2436 wrote to memory of 1924	2436	DEM98C6.exe	35
PID 2436 wrote to memory of 1924	2436	DEM98C6.exe	35
PID 2436 wrote to memory of 1924	2436	DEM98C6.exe	35
PID 2436 wrote to memory of 1924	2436	DEM98C6.exe	35
PID 1924 wrote to memory of 1040	1924	DEMEE55.exe	37
PID 1924 wrote to memory of 1040	1924	DEMEE55.exe	37
PID 1924 wrote to memory of 1040	1924	DEMEE55.exe	37
PID 1924 wrote to memory of 1040	1924	DEMEE55.exe	37
PID 1040 wrote to memory of 1148	1040	DEM43F3.exe	39
PID 1040 wrote to memory of 1148	1040	DEM43F3.exe	39
PID 1040 wrote to memory of 1148	1040	DEM43F3.exe	39
PID 1040 wrote to memory of 1148	1040	DEM43F3.exe	39
PID 1148 wrote to memory of 1828	1148	DEM9972.exe	41
PID 1148 wrote to memory of 1828	1148	DEM9972.exe	41
PID 1148 wrote to memory of 1828	1148	DEM9972.exe	41
PID 1148 wrote to memory of 1828	1148	DEM9972.exe	41

C:\Users\Admin\AppData\Local\Temp\29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\DEM428C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM428C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\DEM98C6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM98C6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\DEMEE55.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEE55.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\DEM43F3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM43F3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Users\Admin\AppData\Local\Temp\DEM9972.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9972.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\DEMEF9C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEF9C.exe"
        7⤵
        Executes dropped EXE
        
        PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM98C6.exe

Filesize
16KB

MD5
09725b77c205156b98ca150788f963f8

SHA1
6dc946a0ec3c1939cde8e4a4ab5b209077c8dfed

SHA256
99367e70b991e97fc9178439b8a39d48ca7d79c83b333077483eaa6c8dd19458

SHA512
dfc9b49ba5e137a179a7dc116e9ad9ace3d252a15b7f09bbd87f194843b532e63e77c6ba9995a21aabde0437bdfb34e3b2faca28101cfdf890f04711f80e369e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9972.exe

Filesize
16KB

MD5
6c0304df9d7e9111039ef8cce488e2cf

SHA1
5e9235f0a9a22ff2737343def7155e4812569621

SHA256
091f87cab5c55913a64b6d0dd60892206570569d3429865e8bef99d1bc765536

SHA512
870876c2e2262fbd14ce6800d6ee0a13cd8eade076fd1cf5bd2b44593b1b3270ca0e518d34e6788088e098af85cfc9fa17fd8522e3d63e2e78da5b9ff0fc769c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM428C.exe

Filesize
16KB

MD5
ec3b9e196e80bf7ebe0e0ba6d3220eda

SHA1
0f65184948afbe342d294235f608b3c025cab36f

SHA256
e4d11744ed55c0e40a1d6c6ef42290ef422dde8e38e937dfc158a32f5b3fe841

SHA512
b7e6886b2524ca1e7dac4dc2a8e3a3440b265bae1e6b02066d0156f97035d57d6391045ba61c99956679a8d06ce6d3a909e7cfe3801db38b03fcf178c7f288d0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM43F3.exe

Filesize
16KB

MD5
884ea0ad3a2fe751dd654013efcdf373

SHA1
d38c9615fe687fc336064b8976433bacd4c6ac53

SHA256
d0c09b5ab28e2a363071e786699727a36620b7efead76b111fda8263e6855d28

SHA512
7453ad82c055239b601a97f21767ebefaffcd11686eefea37486d776966fe2308b1a407d900566b7ce2b67f5d7c873c0bdf90b183cfb778afb76c8f486315617

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEE55.exe

Filesize
16KB

MD5
ed973b1f4f7c88439dc1c5f8d92f5c81

SHA1
4cd07d8935a6048ed24e74d1093d1bfd838acbec

SHA256
5f568b21f6e354155c6f0eb5a0d8bd747391e356aca6551ec219f2315873c76d

SHA512
f2b3cdcc361fce12f67953b7f7a40a54bfa4f9a3f04733acf597ca7e54b9496beade4668447835e029aba8309a11c37ba2efd84c60613075556344720fdfc20a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEF9C.exe

Filesize
16KB

MD5
1eed7c4648639d4440de98efb4b6df83

SHA1
bb050a66bf9479053836d03dfaa25de76d0b20b4

SHA256
3cda0cfeafdc1e73ff09cbd08dfdf1fb6a87f17c1485740078604addb882eb5b

SHA512
d30d9c76aeff2e7873e2dbc1b25371f843497fa554c5133e1e4fbff781b1d0321c21992b07d146436d6ea4900c13cbce676d8ab45dd65306db2201885278ce8f

Download Submit

Analysis

Sharing