17970b8505ea45b5f6543f70aa3622b6a4a302b45420624a6374c35b89c295bd

General

Target

bdf706433abc5b66927098d4b8bbfa0a_JaffaCakes118.exe
Size

14KB
MD5

bdf706433abc5b66927098d4b8bbfa0a
SHA1

804655a13563d974a05321f280125eb8956dffc1
SHA256

17970b8505ea45b5f6543f70aa3622b6a4a302b45420624a6374c35b89c295bd
SHA512

f87ac98f8e65c694778983f75f583a3cb859f131d09ffd91522a70e6324238ce36ae4c7716e2f1e2f043b290fb2a2f9a06a7c4763b22a20ffe040171548486f1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/wrdd:hDXWipuE+K3/SSHgxm/E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2520	DEM3082.exe
2424	DEM866F.exe
2716	DEMDBDE.exe
2028	DEM319B.exe
1092	DEM8768.exe
1624	DEMDD35.exe

Loads dropped DLL 6 IoCs

pid	Process
2684	bdf706433abc5b66927098d4b8bbfa0a_JaffaCakes118.exe
2520	DEM3082.exe
2424	DEM866F.exe
2716	DEMDBDE.exe
2028	DEM319B.exe
1092	DEM8768.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2520	2684	bdf706433abc5b66927098d4b8bbfa0a_JaffaCakes118.exe	29
PID 2684 wrote to memory of 2520	2684	bdf706433abc5b66927098d4b8bbfa0a_JaffaCakes118.exe	29
PID 2684 wrote to memory of 2520	2684	bdf706433abc5b66927098d4b8bbfa0a_JaffaCakes118.exe	29
PID 2684 wrote to memory of 2520	2684	bdf706433abc5b66927098d4b8bbfa0a_JaffaCakes118.exe	29
PID 2520 wrote to memory of 2424	2520	DEM3082.exe	33
PID 2520 wrote to memory of 2424	2520	DEM3082.exe	33
PID 2520 wrote to memory of 2424	2520	DEM3082.exe	33
PID 2520 wrote to memory of 2424	2520	DEM3082.exe	33
PID 2424 wrote to memory of 2716	2424	DEM866F.exe	35
PID 2424 wrote to memory of 2716	2424	DEM866F.exe	35
PID 2424 wrote to memory of 2716	2424	DEM866F.exe	35
PID 2424 wrote to memory of 2716	2424	DEM866F.exe	35
PID 2716 wrote to memory of 2028	2716	DEMDBDE.exe	37
PID 2716 wrote to memory of 2028	2716	DEMDBDE.exe	37
PID 2716 wrote to memory of 2028	2716	DEMDBDE.exe	37
PID 2716 wrote to memory of 2028	2716	DEMDBDE.exe	37
PID 2028 wrote to memory of 1092	2028	DEM319B.exe	39
PID 2028 wrote to memory of 1092	2028	DEM319B.exe	39
PID 2028 wrote to memory of 1092	2028	DEM319B.exe	39
PID 2028 wrote to memory of 1092	2028	DEM319B.exe	39
PID 1092 wrote to memory of 1624	1092	DEM8768.exe	41
PID 1092 wrote to memory of 1624	1092	DEM8768.exe	41
PID 1092 wrote to memory of 1624	1092	DEM8768.exe	41
PID 1092 wrote to memory of 1624	1092	DEM8768.exe	41

C:\Users\Admin\AppData\Local\Temp\bdf706433abc5b66927098d4b8bbfa0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdf706433abc5b66927098d4b8bbfa0a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\DEM3082.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3082.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\DEM866F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM866F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\DEMDBDE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDBDE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\DEM319B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM319B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\DEM8768.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8768.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\DEMDD35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD35.exe"
        7⤵
        Executes dropped EXE
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM866F.exe

Filesize
14KB

MD5
22942e37c798d0b2d422451ec071aabe

SHA1
d86f68e27b36eeaae8cb38bc2cdb7a08a9e475b2

SHA256
b6a4e7bd64dccaf3e22a2768c86c2f87dd060e0bb47725e20611e7eecf886fae

SHA512
7a3d9a86a23eec88ec4fc2e3d5a96b596f8ed37e8d7479a74f6fbf3691edf54dda9f75ff561875f327dd8529c4a5c7cf2053a2f6e7d5682d9af7a889e2866e03

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3082.exe

Filesize
14KB

MD5
323099ea4b040078e32e8c82a88c4ebc

SHA1
2040cd240d471fcde031ae1d2a75fab268d90409

SHA256
4677aaf45949db97cd6732b7aa59cc6eebed3920f6d02e69c58fbc8e75c81403

SHA512
8103c31d838cc6834ce7361c4527d63b0b6c484266942e698663989efa689d809e7c84f415d222e454e52d2c0961896b6daf9e8ebf99933ebb51a045030858ca

Download Submit
\Users\Admin\AppData\Local\Temp\DEM319B.exe

Filesize
14KB

MD5
08048b0828d95950d881aeb45e3725d1

SHA1
8041a19509f9906c54cdc93efa71bb0aa2e6ad5a

SHA256
3ee95427719edafb49d67a814186657ca345a5df82b0707e6f996f9a7519c6c1

SHA512
c7a753a1e636ef3353d090bbf26c98547263edae8e99febd290badb62cd276fd3ac25a757f435b47f4ffa79c2334c8aa090b87e21cc24d2a504031b77cc9efcd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8768.exe

Filesize
15KB

MD5
0a917ab90eb177c2ddd2039904d4f96e

SHA1
13a727eb33ee0ed35acd2687f9b3ac39d3af0ff1

SHA256
099e89d94f3f5833b21c07f9b79b1b4037e933cac6ad2179dba3925d191bcd7b

SHA512
8bf7be170d18faefb99e3e36ba25beb004c029aa6b8e8453e72a32dc79af9f68520c2dea7c32c73ee677cccdc013a72e1404a295273cfd875aa01eab3a690f5e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDBDE.exe

Filesize
14KB

MD5
747415e10e797b7f0b4c74f87966b1c6

SHA1
b79439d401a6a26a76deb29dfb444e32ceb6edef

SHA256
230e03bd3637fe99b2c678d7792cd21bfc2a81483f638eec449cf38ff3cccf92

SHA512
b445f0fb8d91fa9d604ffc6890840c89397fc7143d96a8ec3729ac6ad7df7add8bab066997b4601e91ca18aaa41630e51479186111656648a641d5510ff6b98e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDD35.exe

Filesize
15KB

MD5
9b4b042b6a41ed0bad654d8ed3fd2d15

SHA1
b43df23217e01d31af320b0842c8b41ef9f22850

SHA256
6193eaea13796f6bc2633c118dec78ba226a174941cd76e77430f5b4ed9338d6

SHA512
b9361fae1b642238025856cb9dc431662b39d5d9affb7b0dafa1254a8fc90162d3af162f08b050d064b1f9094ce8a84ab540ff764ae6a38a92a797f2eb28ab34

Download Submit

Analysis

Sharing