461f414846d77c6f3e3f950e04374b4a53740ca6720a80f5be2a81d4a2ab94b2

General

Target

c3852d41a533fbbb77050892a58da592_JaffaCakes118.exe
Size

16KB
MD5

c3852d41a533fbbb77050892a58da592
SHA1

40d51519e16b469d2cf074e40c8e5e0a59b4acf5
SHA256

461f414846d77c6f3e3f950e04374b4a53740ca6720a80f5be2a81d4a2ab94b2
SHA512

15d560c281fcac9e376e0762ef96487649a1a32285d5115ae823a979bc6625be7fb53fc55174b3cf420f70f6c2feb1ad82417e1a676799a57554c9b648a65603
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJ2XN:hDXWipuE+K3/SSHgxiN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3044	DEMA88F.exe
2388	DEMFE7B.exe
2392	DEM5476.exe
944	DEMAB9B.exe
2336	DEM2A0.exe
2440	DEM58DA.exe

Loads dropped DLL 6 IoCs

pid	Process
1640	c3852d41a533fbbb77050892a58da592_JaffaCakes118.exe
3044	DEMA88F.exe
2388	DEMFE7B.exe
2392	DEM5476.exe
944	DEMAB9B.exe
2336	DEM2A0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3044	1640	c3852d41a533fbbb77050892a58da592_JaffaCakes118.exe	31
PID 1640 wrote to memory of 3044	1640	c3852d41a533fbbb77050892a58da592_JaffaCakes118.exe	31
PID 1640 wrote to memory of 3044	1640	c3852d41a533fbbb77050892a58da592_JaffaCakes118.exe	31
PID 1640 wrote to memory of 3044	1640	c3852d41a533fbbb77050892a58da592_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2388	3044	DEMA88F.exe	33
PID 3044 wrote to memory of 2388	3044	DEMA88F.exe	33
PID 3044 wrote to memory of 2388	3044	DEMA88F.exe	33
PID 3044 wrote to memory of 2388	3044	DEMA88F.exe	33
PID 2388 wrote to memory of 2392	2388	DEMFE7B.exe	35
PID 2388 wrote to memory of 2392	2388	DEMFE7B.exe	35
PID 2388 wrote to memory of 2392	2388	DEMFE7B.exe	35
PID 2388 wrote to memory of 2392	2388	DEMFE7B.exe	35
PID 2392 wrote to memory of 944	2392	DEM5476.exe	37
PID 2392 wrote to memory of 944	2392	DEM5476.exe	37
PID 2392 wrote to memory of 944	2392	DEM5476.exe	37
PID 2392 wrote to memory of 944	2392	DEM5476.exe	37
PID 944 wrote to memory of 2336	944	DEMAB9B.exe	39
PID 944 wrote to memory of 2336	944	DEMAB9B.exe	39
PID 944 wrote to memory of 2336	944	DEMAB9B.exe	39
PID 944 wrote to memory of 2336	944	DEMAB9B.exe	39
PID 2336 wrote to memory of 2440	2336	DEM2A0.exe	41
PID 2336 wrote to memory of 2440	2336	DEM2A0.exe	41
PID 2336 wrote to memory of 2440	2336	DEM2A0.exe	41
PID 2336 wrote to memory of 2440	2336	DEM2A0.exe	41

C:\Users\Admin\AppData\Local\Temp\c3852d41a533fbbb77050892a58da592_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3852d41a533fbbb77050892a58da592_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\DEMA88F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA88F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\DEMFE7B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFE7B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\DEM5476.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5476.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\DEMAB9B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAB9B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp\DEM2A0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2A0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\DEM58DA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM58DA.exe"
        7⤵
        Executes dropped EXE
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA88F.exe

Filesize
16KB

MD5
7ff3c785eedde5e7c6d31c959f6463fb

SHA1
263c3c2b371981fceb8ef98c78325b0b7a094bca

SHA256
5e80333fa3c9d8f1b07507e3a7b5d2441a8ab9cae258790d880913ad991e266a

SHA512
8a58e5f9b800aec98f0210e550a7d725212d87a3ee87026d94c3ab1f8c4f7933b7b2f1435dc703c86706e6aee1499ac01e06b093df423f0b229bfe03add8ae4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE7B.exe

Filesize
16KB

MD5
0f374621a279060fe6d1f979d3727db1

SHA1
9d5ca746dc037a692793a280cdd2d39e555339e3

SHA256
ccc1b9cfb7b7ff187011f4a31c919149c35031ea9da9731c27cd49ae2014dba5

SHA512
e5762a08553268465f2d4770ca2dc3e5110fc41b3d7b418eb9db72c3b9e528bc8c2166e9e65bdb0e0f15c983ead3e80310cb6d9330a0f3bb3723c4c3a04d4680

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2A0.exe

Filesize
16KB

MD5
cb34e78d599eec07c208db1954113b07

SHA1
c8efd187ab8945da06cde38f5f65b178ebbbd9c7

SHA256
b00ab026896f4b8e51cb7df6c734fcfe473d4a96d1fcd3797e5628ca24e923ce

SHA512
5f821fe8bf9ce18682e08bef21d5a70a6d9f2872838f8426aca985bc31b14948e7817a7be3940831bb975616569fa2d8e277c82cf08b92ca58a656d63d157c8a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5476.exe

Filesize
16KB

MD5
1fb2152ce0ddd7e344b5f35d2af0ce0b

SHA1
4d8cf0b27b836c55a86707ce46c559d77a0951dc

SHA256
e98bbac5ee538ce85d3b773918dc0cde6cff7399a4cad0aec6b17d449d4fe5e3

SHA512
967a10180d85855cc17d248fda62199a4ecb7552b7d2f2b45e0375ba89162bc2302c0b4118414278de96f3cb81efc7934ebc2c84882212b914ba41fdb5027770

Download Submit
\Users\Admin\AppData\Local\Temp\DEM58DA.exe

Filesize
16KB

MD5
71d79141544eb5568ed66e1e3f13e5f9

SHA1
bd271c168f4237300a90a13cf26ee68a6db5d949

SHA256
513c857e636bcccbe4054db94625c1e4c3ed8f5d95d8a0d3145b5649bf4ebe77

SHA512
4344f55e9cafc6b6ad32315542773263b59cd343d84bd4b541b6bc9b1326a4fc266171c1491c50bb861ddfc01eadb92296ca761e39bce26e2c81b3a1317c6eb7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAB9B.exe

Filesize
16KB

MD5
ccef3ac2f7866eb3e7609c8caa39bc30

SHA1
d65369a5b0ba3c802846f9ee4895f2d233da7249

SHA256
6de801e9d4e4ac1f50da124db97eac0460e038db90e3e1ffbfa68063efc37bde

SHA512
0e4043a34e4c3571013d8bb545e4705624e3b9a9aece05f8bdecbba91c2ddeb378b7ae548cd3802f98557ee30b0422550b213b48824dea39fa4c9eb0eb573bee

Download Submit

Analysis

Sharing