4591a087652354b0be79f081a76885b2f205b39eb3cdc6f2df93e3b7feed2078

General

Target

c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe
Size

16KB
MD5

c4d27c195cdcaad6a9d87adf7ed10b6d
SHA1

068c7b26cdd450497e9776df2fb46066fb80456d
SHA256

4591a087652354b0be79f081a76885b2f205b39eb3cdc6f2df93e3b7feed2078
SHA512

13339ed589733da1adad6d8e0096834dc1646141e518ce9c17dce8cfc8b7a9a714d948fe84198bdb83c5a0ae58c5d6f0d9cb79c99730879bfde37a0d5b8808b8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzo:hDXWipuE+K3/SSHgxmHs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2512	DEM1FD0.exe
2732	DEM7501.exe
1696	DEMCA13.exe
608	DEM1F34.exe
2788	DEM74E2.exe
2924	DEMC9F3.exe

Loads dropped DLL 6 IoCs

pid	Process
2872	c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe
2512	DEM1FD0.exe
2732	DEM7501.exe
1696	DEMCA13.exe
608	DEM1F34.exe
2788	DEM74E2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2512	2872	c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2512	2872	c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2512	2872	c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2512	2872	c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2732	2512	DEM1FD0.exe	31
PID 2512 wrote to memory of 2732	2512	DEM1FD0.exe	31
PID 2512 wrote to memory of 2732	2512	DEM1FD0.exe	31
PID 2512 wrote to memory of 2732	2512	DEM1FD0.exe	31
PID 2732 wrote to memory of 1696	2732	DEM7501.exe	35
PID 2732 wrote to memory of 1696	2732	DEM7501.exe	35
PID 2732 wrote to memory of 1696	2732	DEM7501.exe	35
PID 2732 wrote to memory of 1696	2732	DEM7501.exe	35
PID 1696 wrote to memory of 608	1696	DEMCA13.exe	37
PID 1696 wrote to memory of 608	1696	DEMCA13.exe	37
PID 1696 wrote to memory of 608	1696	DEMCA13.exe	37
PID 1696 wrote to memory of 608	1696	DEMCA13.exe	37
PID 608 wrote to memory of 2788	608	DEM1F34.exe	39
PID 608 wrote to memory of 2788	608	DEM1F34.exe	39
PID 608 wrote to memory of 2788	608	DEM1F34.exe	39
PID 608 wrote to memory of 2788	608	DEM1F34.exe	39
PID 2788 wrote to memory of 2924	2788	DEM74E2.exe	41
PID 2788 wrote to memory of 2924	2788	DEM74E2.exe	41
PID 2788 wrote to memory of 2924	2788	DEM74E2.exe	41
PID 2788 wrote to memory of 2924	2788	DEM74E2.exe	41

C:\Users\Admin\AppData\Local\Temp\c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\DEM1FD0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1FD0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\DEM7501.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7501.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\DEMCA13.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCA13.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\DEM1F34.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1F34.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:608
      - C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\DEMC9F3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC9F3.exe"
        7⤵
        Executes dropped EXE
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1F34.exe

Filesize
16KB

MD5
b4fc37b5ee293a3c58116dc665b2d72a

SHA1
505888d59c212208f7664d356ce316c3c0b983a3

SHA256
3377ad12534a2c0350341189237465ccbc216b367e49983d5504f221cf787261

SHA512
f848faae03f977a2f8202cd3a7465ab6606065ed26e9bde780b4403388bc5637ee555b8520cd7b9efdb7c6187a4b9f079e96ce331625273caad29e4167b89ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7501.exe

Filesize
16KB

MD5
d221facd02a356b2da4de9cc0d6b0aec

SHA1
be5cebf1d2f4d64d7dc7592d0e3b0bdd525420b7

SHA256
91cefb61fbf2da2e0bde7ea311093ad1dbde441385257d2366ff2e1aa8ae8c9d

SHA512
12522e9108b527cac542a41fdd75880a0d7fcdbf484bd27818916a73cba5a33a2150cc5e16463bdb9a0137563ea7efa1f1eb1b95adcf7f15ec25d3443b44eeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC9F3.exe

Filesize
16KB

MD5
9168f007bf7b5b46f5d95b29255bcdd2

SHA1
8ab1ae9ca9e2d19b0a3fd0e8259290f0fdf2a73a

SHA256
2abaa374b65f7bd89443139e86aa4be0a11222ef10f6b0e9c8d0c07b04555acc

SHA512
d42f94d901dcb606d2e019ecbce27b52d07a9bccd6ccef0dd350336c67852aac3f005ca2a3abc4015f2590221afe6d50b4db2f5f97c516c94480fe967c058dcc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1FD0.exe

Filesize
16KB

MD5
4fe3e9a42ce866b2b821d901c75e1bdc

SHA1
a83c910ef10719e62ead8b75a111570eea4210e8

SHA256
d8b438638cadadac6bdfb75ce55e84945e8dbb472815369c63407186b883177f

SHA512
4fb9da783fb1484c12ec4590d854e82b66e44e15a5529f630a336b570f98b75c875d58d8f67c861be468a719cc1becac423ec31786aaba473f1e8faf1665af03

Download Submit
\Users\Admin\AppData\Local\Temp\DEM74E2.exe

Filesize
16KB

MD5
403a29f0d844e3be104b460816976a8b

SHA1
ce89b4ab6a0dca1e4979ff6120f55ac196b06900

SHA256
5f795c462926a9fa903d828827496f1fb84a4d8b87173e1fd29f12c5600cc356

SHA512
ff38fa15776781437a726ca1ffa5a13124e7335b66d62a3232a9311cc37ea6653f13744f8bed116193137178cdab2803d1789da431b1658dff99ee9f69413cf7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCA13.exe

Filesize
16KB

MD5
008f345b33199d27b4435fa53069f6e8

SHA1
ed29eabadd4c792473f4e9b7defd812db8c48f06

SHA256
54b231d4cde75e10c1674e14e54e0c05fce4fedefa53b1e04ed20139b1844f9f

SHA512
dd6f5188cdc42a697b4a73b184028273187412ad907ab05bd348f2b4b3b3636d715f1785a7e075a0402c4e6faa58749ab43f7c877935ae1abedf6ed2ae610cb0

Download Submit

Analysis

Sharing