3e0ee1045ce79cf30eba0919b69f9eaf4152073dbeee4f6971100c31519974d3

General

Target

c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe
Size

16KB
MD5

c3afb352a070c28674b4afa49e946e13
SHA1

4c0a1c2b09f1ade3ada23756acc3311ee269fc8c
SHA256

3e0ee1045ce79cf30eba0919b69f9eaf4152073dbeee4f6971100c31519974d3
SHA512

4617ceadf27fbc63c760fa0dc026198cd17c9d3f9b6952ca642641de65736dc6e8be2d39597e122d666657ab08fc1f00f9e3c65aa8b499020ca50e22f98a3ab7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlj:hDXWipuE+K3/SSHgxmlj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2672	DEM1.exe
2676	DEM55DD.exe
1388	DEMABBA.exe
2176	DEMDB.exe
2400	DEM56B8.exe
2208	DEMABE9.exe

Loads dropped DLL 6 IoCs

pid	Process
1976	c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe
2672	DEM1.exe
2676	DEM55DD.exe
1388	DEMABBA.exe
2176	DEMDB.exe
2400	DEM56B8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2672	1976	c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe	29
PID 1976 wrote to memory of 2672	1976	c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe	29
PID 1976 wrote to memory of 2672	1976	c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe	29
PID 1976 wrote to memory of 2672	1976	c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe	29
PID 2672 wrote to memory of 2676	2672	DEM1.exe	31
PID 2672 wrote to memory of 2676	2672	DEM1.exe	31
PID 2672 wrote to memory of 2676	2672	DEM1.exe	31
PID 2672 wrote to memory of 2676	2672	DEM1.exe	31
PID 2676 wrote to memory of 1388	2676	DEM55DD.exe	35
PID 2676 wrote to memory of 1388	2676	DEM55DD.exe	35
PID 2676 wrote to memory of 1388	2676	DEM55DD.exe	35
PID 2676 wrote to memory of 1388	2676	DEM55DD.exe	35
PID 1388 wrote to memory of 2176	1388	DEMABBA.exe	37
PID 1388 wrote to memory of 2176	1388	DEMABBA.exe	37
PID 1388 wrote to memory of 2176	1388	DEMABBA.exe	37
PID 1388 wrote to memory of 2176	1388	DEMABBA.exe	37
PID 2176 wrote to memory of 2400	2176	DEMDB.exe	39
PID 2176 wrote to memory of 2400	2176	DEMDB.exe	39
PID 2176 wrote to memory of 2400	2176	DEMDB.exe	39
PID 2176 wrote to memory of 2400	2176	DEMDB.exe	39
PID 2400 wrote to memory of 2208	2400	DEM56B8.exe	41
PID 2400 wrote to memory of 2208	2400	DEM56B8.exe	41
PID 2400 wrote to memory of 2208	2400	DEM56B8.exe	41
PID 2400 wrote to memory of 2208	2400	DEM56B8.exe	41

C:\Users\Admin\AppData\Local\Temp\c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\DEM1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\DEM55DD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM55DD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\DEMABBA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMABBA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\DEMDB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\DEM56B8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM56B8.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\DEMABE9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMABE9.exe"
        7⤵
        Executes dropped EXE
        
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM55DD.exe

Filesize
16KB

MD5
dc668efbf9ef739b5f7a2e95e8de2328

SHA1
71e522eff70a8353337bd112d2321464c6d18f79

SHA256
799859640236d0c2a522306f4c64634b760d60aeccd8bafcdd3834ca6d939451

SHA512
b892cbeaa971e459b1219c01cbde4aaea2014cf7a0de38cf29b24c4c3aaf15b8860473ecd9e82d61b33840b50ff803842262ce362dbb63b1419b0c69b35ea5ec

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1.exe

Filesize
16KB

MD5
f5252d70a408c3d925c9eb2bb693cbc6

SHA1
e674966757478a5c9c1a7fab143b1302998d361a

SHA256
96a89549c62d977cadc85941cc123fc94b02a5ab427593a5f58eaa3b0bb9fa9d

SHA512
4a11bdbd9d54e0ba7a0b9c4cb18f438a9c1bb95816ce955cf6899f72729113255ad8b698f112ae0f80932e6b6eb5ceeb8ff2ccaa7a897e1ee046dc697685dff2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM56B8.exe

Filesize
16KB

MD5
e70e9fbdb73c06b98d49f69cd38ddd39

SHA1
9b0a4abba708186d57c6e7aad9020dfe10cc72eb

SHA256
08912849a519c1be6b0e653dab3a829931f909e7ccb18315ab0a3763c19a5007

SHA512
b53a95649da6ac68d7e8ee38c04e9191fa7918bd6b02fae51a95329394e6778d5339cb7a301aa3e6f4d27d54d7a04532564177faae8327d9fb8c500d81b9d65c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMABBA.exe

Filesize
16KB

MD5
bb26737fb86574fdad96cf3239f35310

SHA1
496215aa2bf5b8c5558a76b2f14cec3bca6fce57

SHA256
7dccbb01d38c510e7e18f372429e554eeb23cd8791898147f2680d5c7b7c0144

SHA512
1f9c1e522affbac50751fb998e88f13b3653ecc2b1d4cf6920042843f84276a4f7fd9121d574d6470c8f90c9733aa34b5d179e4dfbe50597e78ed37b9541d1cc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMABE9.exe

Filesize
16KB

MD5
a20b7069bef1afde2e324dc18450beec

SHA1
3cf663f15bbd5584e723b09cfac265b3eaa32cc6

SHA256
f03ce0cdc50cc64d488f60f9146c91fc4a9d9ec5da173d7c996ebd2ec6840a4f

SHA512
c8356d6e581318f14d8b9a574c1ebfedfd5f7e1e00d459ddf41e56ea9441307695f4b1a846db237eee3414fe81b767739a8775c30fde60067d1b07993189b55a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDB.exe

Filesize
16KB

MD5
13fb0155489f24020c97c0b01f7c00e1

SHA1
349f3448893b84c722f014688f1cc6e26f96fbfd

SHA256
aecd74198cdc64a530ebb2efcb19adf72bc331d6f9e38bdb5db6abcf5d690b91

SHA512
c6538233e704ae77f8974beaafad4116cc7f6c1235ea2e133875eb08485cc49afac3c5a256faa066e8b59a85af253e8ac7e2c60565f4956492d0a75d3dcbfb17

Download Submit

Analysis

Sharing