a3ddeaf31334322966da3d5125e79163713366dcb55d9d7d8382d9f25335159b

General

Target

c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe
Size

14KB
MD5

c465db23493cc8393f7f868f2f0ece3c
SHA1

0aa728e9b13b3c75a8e96d1c9a12483ab14cd84a
SHA256

a3ddeaf31334322966da3d5125e79163713366dcb55d9d7d8382d9f25335159b
SHA512

ae9b9f51e7af26ea107d4b6594f8224dbf3ce291e1870479cf832d91ada060c0912c5060f0a41c9012deaa2cab2a5aef26d22404521641b142e03b2e53cb1396
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh7qQ:hDXWipuE+K3/SSHgxzL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2672	DEM7E.exe
1880	DEM55BE.exe
1388	DEMAAFF.exe
2176	DEM6E.exe
2400	DEM55BF.exe
1624	DEMAB4D.exe

Loads dropped DLL 6 IoCs

pid	Process
2204	c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe
2672	DEM7E.exe
1880	DEM55BE.exe
1388	DEMAAFF.exe
2176	DEM6E.exe
2400	DEM55BF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2672	2204	c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2672	2204	c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2672	2204	c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2672	2204	c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe	29
PID 2672 wrote to memory of 1880	2672	DEM7E.exe	31
PID 2672 wrote to memory of 1880	2672	DEM7E.exe	31
PID 2672 wrote to memory of 1880	2672	DEM7E.exe	31
PID 2672 wrote to memory of 1880	2672	DEM7E.exe	31
PID 1880 wrote to memory of 1388	1880	DEM55BE.exe	35
PID 1880 wrote to memory of 1388	1880	DEM55BE.exe	35
PID 1880 wrote to memory of 1388	1880	DEM55BE.exe	35
PID 1880 wrote to memory of 1388	1880	DEM55BE.exe	35
PID 1388 wrote to memory of 2176	1388	DEMAAFF.exe	37
PID 1388 wrote to memory of 2176	1388	DEMAAFF.exe	37
PID 1388 wrote to memory of 2176	1388	DEMAAFF.exe	37
PID 1388 wrote to memory of 2176	1388	DEMAAFF.exe	37
PID 2176 wrote to memory of 2400	2176	DEM6E.exe	39
PID 2176 wrote to memory of 2400	2176	DEM6E.exe	39
PID 2176 wrote to memory of 2400	2176	DEM6E.exe	39
PID 2176 wrote to memory of 2400	2176	DEM6E.exe	39
PID 2400 wrote to memory of 1624	2400	DEM55BF.exe	41
PID 2400 wrote to memory of 1624	2400	DEM55BF.exe	41
PID 2400 wrote to memory of 1624	2400	DEM55BF.exe	41
PID 2400 wrote to memory of 1624	2400	DEM55BF.exe	41

C:\Users\Admin\AppData\Local\Temp\c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\DEM7E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\DEM55BE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM55BE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\DEMAAFF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAAFF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\DEM6E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\DEM55BF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM55BF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\DEMAB4D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAB4D.exe"
        7⤵
        Executes dropped EXE
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM55BE.exe

Filesize
14KB

MD5
4fdea8f5e890028e8e50ddb9b5975fb0

SHA1
8eaf0895ab4b17fbc978d90583058101b6c2ae86

SHA256
72335a7c82593e17c9bbec509daf7d068b4fb779645b5bd8ccf35f67f0bc20ea

SHA512
df83ceeb97ad088185b64a9ce41363aa022fc823995ad6312e8ec2f58e5136722ba68124f87d51c127bd2b45382880cd621af13bd16b3c4902b435ec947031a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7E.exe

Filesize
14KB

MD5
fd5d98518060f8c4f1e38d65495f01f8

SHA1
b21208e0d9a5c951236305c149af8a1d291dd757

SHA256
67b462d64d65830bd3bab6f2198cd9ac0361f65213861e67c11be64dc1cd5fcc

SHA512
cdfb86093c67047c056a3eb83534cdeda40faf3f3cb10b2ddfa5bbd3f91a0409a4bc4a43c14fa2721eca25be5dff911f19fa1582816b65bf444b2ec22f448b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAB4D.exe

Filesize
14KB

MD5
9bdf382e54f26c42d3bd13df574de306

SHA1
609939904ad4edc8a9ed384522833bb7379273b1

SHA256
fc74576fa903188a1f22c05fc5b7bd33e73deac6959fe5be983227048604d9f4

SHA512
b88441350a6df7fdd44e03e3d54dfb40cec9ae2ca86ca444c87feab5bc8e9e95c73bd9a714f8e3e854a5cac2d73c9d010e3fec6cbaf529c0faf174b2093fbd0a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM55BF.exe

Filesize
14KB

MD5
73f3f72f0c91254ab6c5b962783e6dff

SHA1
117d6d3fb5bbaa31164e02eb71199c371d88c29b

SHA256
af8f52cef2d35a7cf79038da8b9f6859abb8d186acf9023a725a6c1ef98c359c

SHA512
2c9f14027a926f50b8768169f53dc832b1c06a110e7a00ef2b6765977b390946bc7c9d7bb3abd2062d6562ef1351470481ab384e2b5b72954b8be23574803284

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6E.exe

Filesize
14KB

MD5
a8a87d68b58ad8cbc967cbe6dfa20e7d

SHA1
89e7a30a91905b12dcf9a2257a53114b04df6bb9

SHA256
4fc96f7054f0acb52f8bd6df9d81818f01c789f5324aa3c290fb73c40c963140

SHA512
acf3e8ac74bbb20099b8d826594dbc83b4953288ec19476afd18a1bfc01dd1ac30b97dcdc99688d063133c7286dbf56c4e15e317a2565f9d4a88af63b98dba97

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAAFF.exe

Filesize
14KB

MD5
46468e7606b69244f5e8736a4f302959

SHA1
7ce32b92ba308c3e3cdd8f81208e857234564941

SHA256
385d8e3534b2507efc24ef6a17313336e72d91fa6f96f5c8e722a0ae62ddb1a9

SHA512
0f0fa9fad18b9e4446aa82871a115ba1516842b69559d6ca0b8af2b4612c422d94f65eefdd13b25cd1b51eedac19168f4572c3ee5de6c5b88a5d0c293522a5cd

Download Submit

Analysis

Sharing