37002e302a6c3137c3423f776e8d758360844741322eabda884422a900c26a07

General

Target

bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe
Size

16KB
MD5

bd727d638ae580c236196eef293a61ae
SHA1

00a66c39462ec325521c9b6b1cbd62ace37497a7
SHA256

37002e302a6c3137c3423f776e8d758360844741322eabda884422a900c26a07
SHA512

2da0adaf85f0ba9cdfd58af52077a322c32dd91768b1e2cda906d69fb52edcf8e1ae1d5de7ed1e6e0f86f1ceedd0f7d9f042d6147001de8e44c0b71786dc1c07
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD8Sac:hDXWipuE+K3/SSHgxtph

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2092	DEM426.exe
2572	DEM5995.exe
2272	DEMAEF5.exe
2840	DEM435.exe
1548	DEM59C4.exe
1724	DEMAF81.exe

Loads dropped DLL 6 IoCs

pid	Process
2392	bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe
2092	DEM426.exe
2572	DEM5995.exe
2272	DEMAEF5.exe
2840	DEM435.exe
1548	DEM59C4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2092	2392	bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe	29
PID 2392 wrote to memory of 2092	2392	bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe	29
PID 2392 wrote to memory of 2092	2392	bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe	29
PID 2392 wrote to memory of 2092	2392	bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe	29
PID 2092 wrote to memory of 2572	2092	DEM426.exe	31
PID 2092 wrote to memory of 2572	2092	DEM426.exe	31
PID 2092 wrote to memory of 2572	2092	DEM426.exe	31
PID 2092 wrote to memory of 2572	2092	DEM426.exe	31
PID 2572 wrote to memory of 2272	2572	DEM5995.exe	35
PID 2572 wrote to memory of 2272	2572	DEM5995.exe	35
PID 2572 wrote to memory of 2272	2572	DEM5995.exe	35
PID 2572 wrote to memory of 2272	2572	DEM5995.exe	35
PID 2272 wrote to memory of 2840	2272	DEMAEF5.exe	37
PID 2272 wrote to memory of 2840	2272	DEMAEF5.exe	37
PID 2272 wrote to memory of 2840	2272	DEMAEF5.exe	37
PID 2272 wrote to memory of 2840	2272	DEMAEF5.exe	37
PID 2840 wrote to memory of 1548	2840	DEM435.exe	39
PID 2840 wrote to memory of 1548	2840	DEM435.exe	39
PID 2840 wrote to memory of 1548	2840	DEM435.exe	39
PID 2840 wrote to memory of 1548	2840	DEM435.exe	39
PID 1548 wrote to memory of 1724	1548	DEM59C4.exe	41
PID 1548 wrote to memory of 1724	1548	DEM59C4.exe	41
PID 1548 wrote to memory of 1724	1548	DEM59C4.exe	41
PID 1548 wrote to memory of 1724	1548	DEM59C4.exe	41

C:\Users\Admin\AppData\Local\Temp\bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\DEM426.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM426.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\DEM5995.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5995.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\DEMAEF5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAEF5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\DEM435.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM435.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Users\Admin\AppData\Local\Temp\DEM59C4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM59C4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\DEMAF81.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAF81.exe"
        7⤵
        Executes dropped EXE
        
        PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM435.exe

Filesize
16KB

MD5
3b2240ded30244b17172f326ccef076a

SHA1
5c35a16a7240483db92e926fa948f8e172d1a8eb

SHA256
ae903d507fabdaca7420b71a7bd571d99c17313de345983b51b86f63f5081332

SHA512
32d834df6888f9c5d3647d6ef8a2be07c05afa1eaf357ee7c5cd9cb36efc300709d896807795f45cba4bb6609fa78fab2b4532de4a909661155701e32da98089

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5995.exe

Filesize
16KB

MD5
d8b812f5bd590dc5a470f9b0779e5d2f

SHA1
9193b418006cda0b3c0609d6870096ddac029149

SHA256
cfa797f49a8e9d1adebefcf8531118a9f568b92b284bae559e300a67d0c2c225

SHA512
4e0e106d9975f40b63f0e15275f927a9e253e27a44028ffd40e8e44912f2da6127bf60cc252b1585056cefc67a9f029e011a1243b9447814e8dfdd07454569d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAEF5.exe

Filesize
16KB

MD5
4a80801b41229ccab7b36243f393a2f8

SHA1
beb48c7afe11b9f80e8fc14cc005b5ff7644ffb1

SHA256
f53208789a232d83fa41fce267ac5e42892f7e29282f0184ef2fec1785e068d2

SHA512
08c699257e8cd1b3f108aeeaf90b2b79867c988f9e94022916c188454b3399367efa2fe0837f920cc86b7ada8f7c3364661f30afc32cb58d902cb525748d286f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM426.exe

Filesize
16KB

MD5
214a292ed778b6d9c3aff7a723541ede

SHA1
ef3ba5effa4bc11feb265ede14871fd1c633033a

SHA256
34e0eb65c08eed139d8f263e780ac945259b3a0372b9faea72c536d4557e78fe

SHA512
32e15fc63b10305d66b99cfdb3f55e31c4855d00a29ec464958f37f7162049a76aec86408d0046dd82c986c288e2907d592b71581ee80a27d5cd41b98323bd9c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM59C4.exe

Filesize
16KB

MD5
095cc33078d9ca84f57b98308a7aee8a

SHA1
b1a3ddfcfb08a3c78b2fe54446bf91f8e50a7526

SHA256
48cf67e85f4eecd0d68f26347eba6f20699bb7e81f98b568e886ddc04ee756dc

SHA512
327e694173bef26321b781857ca1a50b05e84eec51bd988a6662b786970b0d12f2a5adb1644cc3d9025b7071df586a892a331616c5fb89fa7f50f6b2ea771d51

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAF81.exe

Filesize
16KB

MD5
15d58d96ff9cc50cf8a40c51bb943182

SHA1
cbb0e18e76a5c7c920935fac8d4241ccd64e507d

SHA256
7789c8d4ead7f04e3a03e159a47dae7cc19abe76999fc91e28df0909a29d9fae

SHA512
8a570d22bb39f87c97ba0434d242b9e679fc6cd2abb06ab8e1c0fde22bd0ec8fcee093d97d2015ee891e0d5ad3a5498376fd449893ebf8201525114b077ba220

Download Submit

Analysis

Sharing