40ac8b0693ce54668588b9097e9764ed1d1c1505e9da69c7a8760e4fc0032311

General

Target

c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe
Size

20KB
MD5

c454e7e2f02b1bcf216f2739cf3c9d1d
SHA1

18a9185239b1da38ff414a2fd8e762ca5f1017c3
SHA256

40ac8b0693ce54668588b9097e9764ed1d1c1505e9da69c7a8760e4fc0032311
SHA512

bc9bfa3859383c79856df487e512ff719f70c392ef9997cbb456b3f65f18384e790f40b0a3bd4bf3897d5c96cba2c438a4cc5d954a0aa4dd42d6dafa12cf1cdb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4P8UzM:hDXWipuE+K3/SSHgxmHZPC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2292	DEM1F24.exe
2640	DEM757E.exe
2816	DEMCB0C.exe
2196	DEM2156.exe
2804	DEM7704.exe
2056	DEMCCC1.exe

Loads dropped DLL 6 IoCs

pid	Process
2356	c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe
2292	DEM1F24.exe
2640	DEM757E.exe
2816	DEMCB0C.exe
2196	DEM2156.exe
2804	DEM7704.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2292	2356	c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe	29
PID 2356 wrote to memory of 2292	2356	c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe	29
PID 2356 wrote to memory of 2292	2356	c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe	29
PID 2356 wrote to memory of 2292	2356	c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2640	2292	DEM1F24.exe	31
PID 2292 wrote to memory of 2640	2292	DEM1F24.exe	31
PID 2292 wrote to memory of 2640	2292	DEM1F24.exe	31
PID 2292 wrote to memory of 2640	2292	DEM1F24.exe	31
PID 2640 wrote to memory of 2816	2640	DEM757E.exe	35
PID 2640 wrote to memory of 2816	2640	DEM757E.exe	35
PID 2640 wrote to memory of 2816	2640	DEM757E.exe	35
PID 2640 wrote to memory of 2816	2640	DEM757E.exe	35
PID 2816 wrote to memory of 2196	2816	DEMCB0C.exe	37
PID 2816 wrote to memory of 2196	2816	DEMCB0C.exe	37
PID 2816 wrote to memory of 2196	2816	DEMCB0C.exe	37
PID 2816 wrote to memory of 2196	2816	DEMCB0C.exe	37
PID 2196 wrote to memory of 2804	2196	DEM2156.exe	39
PID 2196 wrote to memory of 2804	2196	DEM2156.exe	39
PID 2196 wrote to memory of 2804	2196	DEM2156.exe	39
PID 2196 wrote to memory of 2804	2196	DEM2156.exe	39
PID 2804 wrote to memory of 2056	2804	DEM7704.exe	41
PID 2804 wrote to memory of 2056	2804	DEM7704.exe	41
PID 2804 wrote to memory of 2056	2804	DEM7704.exe	41
PID 2804 wrote to memory of 2056	2804	DEM7704.exe	41

C:\Users\Admin\AppData\Local\Temp\c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\DEM1F24.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1F24.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\DEM757E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM757E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\DEMCB0C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCB0C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\DEM2156.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2156.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Users\Admin\AppData\Local\Temp\DEM7704.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7704.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\DEMCCC1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCCC1.exe"
        7⤵
        Executes dropped EXE
        
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM757E.exe

Filesize
20KB

MD5
3329d4fc653ab82ac0ec89baa57768cd

SHA1
74494203dc400482ea3c1f845e6ff235bd48997f

SHA256
89a3977b5c90b433a2dfc4954e92872410ca1643ec6b5663d56550b2e7c57aa3

SHA512
0d3c6d5ededa2196c5632f1a9bff15189d3cea6462a31a2294270ed6770be700e77c9f72c8024d4d2f167698b66ce6b2a6d80454a54f5e66f879e03613cb08bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7704.exe

Filesize
20KB

MD5
0bb14048a6cd23f1e7f62e9cd9ea1eb4

SHA1
3dc9b3cbb334facd3e351d3c909feaa073a07aed

SHA256
dc54a58cf24a51475baba077505dc638ae86b7e5f994e032cd3d54118f429348

SHA512
ded6ee9cba11388fd4cf3d5de9f9d67745bf7088f034f0a00fc9f3b17d547f8de49a515b7eb9bbc3c57bfdca89c4e7d70ba7ee98bc31c8fc195002f9f1cdcf44

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1F24.exe

Filesize
20KB

MD5
3ffb0d6f27b8e4aafcd448ef475d1d56

SHA1
44e5c4e57aa24fb05e8d4cf1ec0117223770487c

SHA256
71a673353b5064c8d1c689434b212b9f441f59cce4e2fe20ea546e12d84f3d6e

SHA512
b9c67ea223b962bf71f81a32bf806aa2199331f4338e1b08e27d60b5c80c53d02e2b855be46cbe6720daaa13d093ea9a2c1a9d3321f2423168ee8b62dd849670

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2156.exe

Filesize
20KB

MD5
a018c55f0c14986534b8c84367fd0209

SHA1
13eab2e7c853a2bd258663055e450bfa2a552a5f

SHA256
b29777fc706ad093ec3bef5a7fbd525e115aea8c697d0ffcec800eeb67977afc

SHA512
b113cf4b52685174ddecced79b35ced657ba1b6f7bfa696b7433d24cf7112ecf92a6f35822c22dccac89ba6a380ee142849b57f80675d451e138250142fa2922

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCB0C.exe

Filesize
20KB

MD5
a6d46a02152cacf5286c89430c56b7f7

SHA1
a6c02cf61c86b132b1215bc84f2463a6da241232

SHA256
576b4e9bcad4e05386a1c424be69a25e2d31a7e7f8af7f195e5e1a56b3d7309f

SHA512
8815ad76273d20622aa90b9f72eca4fd47482346470ccc247797d4c5a7069b746aaf78a44ee64f6dbfa2973f1c9e553840909691c306c50202eb41fc8474b59c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCCC1.exe

Filesize
20KB

MD5
c831fc97f8c298b58ee2c522e27aa701

SHA1
02b8f5e4e702d4969674bedd44ca8cc187a3a927

SHA256
77c20a0b80202dfe0fa0e8285d9a7d43871d43efa2b6ae0799097956ac81a7dc

SHA512
354c9bd97b2cb724dd885768a6b14f93155c47ab48abfb0b6bc0dedb411bfb5f62e92c0368b02ca37180f24035176d49c818a98d0e904b84f62ad154ec8a4ce3

Download Submit

Analysis

Sharing