a744cc046c02a5c0ba25f8caf085653ab9a9d4162d144c0d2771413c2a32d197

General

Target

be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe
Size

14KB
MD5

be485c9e6c60e3d5a332ce522817cc44
SHA1

4b4fc4f8ecfb1f5523fd74604e3362bec91048da
SHA256

a744cc046c02a5c0ba25f8caf085653ab9a9d4162d144c0d2771413c2a32d197
SHA512

073337ed75cd09ae090ca240780616db944afc0c985968789273d9083b724cf3c4ead51250af10f96d34f195be51b0e88cff939cc07dad18d28971c8fb78c418
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRJ:hDXWipuE+K3/SSHgxt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2704	DEM41E0.exe
2912	DEM9914.exe
1892	DEMEF9C.exe
1272	DEM4579.exe
1372	DEM9C3F.exe
2036	DEMF354.exe

Loads dropped DLL 6 IoCs

pid	Process
2396	be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe
2704	DEM41E0.exe
2912	DEM9914.exe
1892	DEMEF9C.exe
1272	DEM4579.exe
1372	DEM9C3F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2704	2396	be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe	29
PID 2396 wrote to memory of 2704	2396	be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe	29
PID 2396 wrote to memory of 2704	2396	be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe	29
PID 2396 wrote to memory of 2704	2396	be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe	29
PID 2704 wrote to memory of 2912	2704	DEM41E0.exe	33
PID 2704 wrote to memory of 2912	2704	DEM41E0.exe	33
PID 2704 wrote to memory of 2912	2704	DEM41E0.exe	33
PID 2704 wrote to memory of 2912	2704	DEM41E0.exe	33
PID 2912 wrote to memory of 1892	2912	DEM9914.exe	35
PID 2912 wrote to memory of 1892	2912	DEM9914.exe	35
PID 2912 wrote to memory of 1892	2912	DEM9914.exe	35
PID 2912 wrote to memory of 1892	2912	DEM9914.exe	35
PID 1892 wrote to memory of 1272	1892	DEMEF9C.exe	37
PID 1892 wrote to memory of 1272	1892	DEMEF9C.exe	37
PID 1892 wrote to memory of 1272	1892	DEMEF9C.exe	37
PID 1892 wrote to memory of 1272	1892	DEMEF9C.exe	37
PID 1272 wrote to memory of 1372	1272	DEM4579.exe	39
PID 1272 wrote to memory of 1372	1272	DEM4579.exe	39
PID 1272 wrote to memory of 1372	1272	DEM4579.exe	39
PID 1272 wrote to memory of 1372	1272	DEM4579.exe	39
PID 1372 wrote to memory of 2036	1372	DEM9C3F.exe	41
PID 1372 wrote to memory of 2036	1372	DEM9C3F.exe	41
PID 1372 wrote to memory of 2036	1372	DEM9C3F.exe	41
PID 1372 wrote to memory of 2036	1372	DEM9C3F.exe	41

C:\Users\Admin\AppData\Local\Temp\be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\DEM41E0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM41E0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\DEM9914.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9914.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\DEMEF9C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEF9C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\DEM4579.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4579.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Users\Admin\AppData\Local\Temp\DEM9C3F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9C3F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\DEMF354.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF354.exe"
        7⤵
        Executes dropped EXE
        
        PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9914.exe

Filesize
14KB

MD5
0363783bf918f5fb9814814d32317dd9

SHA1
f45fd8dc76f2831db94d8a8dfbdd7549a33eba88

SHA256
1dbef3e913069caeb1e1e05e2933cafac74f3d7655605e18103ce346ae8dc523

SHA512
caadf6059abbd08e0d2bbbbf83d060a945727451c98e83cb036cfb972265d29324bf8da8d33a51ceb3a467ba525420645fb775c9304513322e4167a5f8e5e82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEF9C.exe

Filesize
14KB

MD5
62c8311da66fbea147fea959b2b9d272

SHA1
0ae546004c855a1f251181b3e0226ff6b90950c8

SHA256
e9b1a9bc5424a0d111eb1db92cffa2603e7e8722da8fdd118cc47b6675ed1fc7

SHA512
354340da87d0a1cc790ba081759ddbaac37424a99408848857bf5334783f61ff747a606f440c0aac5ab7fe63ecb56b1ccd372d8efc623c42fe5a5741258d4541

Download Submit
\Users\Admin\AppData\Local\Temp\DEM41E0.exe

Filesize
14KB

MD5
58b0b783fef9a655481ac06d7d04d579

SHA1
1325a662fb2eb077ee6ffa9f7c0949780b37b555

SHA256
72ef0ff34ef671db5cae7316ebd6c5d4112ce944e93f21b62c459082b90ce899

SHA512
9aaa2706376c608b95e4cc76e8687add342df14f4a2ac05eb832e4d5330c2bb665cd219932a650aca510f096d9015c50cdc04a2d0fa43aa451f7065a11a214cd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4579.exe

Filesize
15KB

MD5
03ccba75e8496ddb8a361b69c2e42b12

SHA1
98ed46f6eec3bddf435c7c592c9df18e722561b5

SHA256
bc7b9638b79a49113a2131d874e6ead6c81346655a8fc54a66d5f82cdd248bb3

SHA512
80c4d4ee3ae69f46d39718860073c6b81fc25a9616654ca45892a3a0a020c35ebb0030723d1694cee6b45191bdc249245bd08bdde1b560480cc7b9e25ce0d193

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9C3F.exe

Filesize
15KB

MD5
5f2baa9c7bfb997569d0b182be2535e4

SHA1
9f8cb4fc83d82b4c1c795c4ac72aac260f0218d1

SHA256
8d38b3172f4d0f2f5fffda52a2a067e6251e20e0e1579dc2652af7e212dc4bfc

SHA512
45fe7c4e2a4d107b8a04c07b71445846acb5f1d2c569385045588dfcbff5b94c9cf5770c23072d6dda5a69d80f82f24d9fc8b9a2f2d8127840d93b6236b51414

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF354.exe

Filesize
15KB

MD5
5f92530848dcc5d77c9c0def30e2f2ab

SHA1
70f5b46ffda56121f39774a7d0a1b6f55da59d80

SHA256
98b20c258e405cee7e6e8e07018090dd3c721695e5753840d9595539d8a0ee06

SHA512
a722b00f91fe9546960ed35d20fdaa8f554196b8a384f02a3b39fb45508379722dc77ec44d52bc1e106201034aad7a6fa4b92507ea5544dc32776550b980c9ee

Download Submit

Analysis

Sharing