16d7eedabc5363a98628bb535b499ba14dc126993f3738eb5624fdbb9b6c69f5

General

Target

bf4b4fb130ed297b7fb2fbef6b03547d_JaffaCakes118.exe
Size

14KB
MD5

bf4b4fb130ed297b7fb2fbef6b03547d
SHA1

54b91a47fbdaa9b83f466c09007bc16255235fdb
SHA256

16d7eedabc5363a98628bb535b499ba14dc126993f3738eb5624fdbb9b6c69f5
SHA512

ff15711804d4aa5c2695861658e233a8a2b9834bd0a67b02ecc41093a8fc23ebb9493711310c7309915ff0fffb03aac01741474edcc9fef57ed8233dedb51029
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh9N:hDXWipuE+K3/SSHgxHN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2388	DEMBDA4.exe
1876	DEM2B45.exe
1808	DEM80F3.exe
2444	DEMD643.exe
2180	DEM2BB2.exe
2284	DEM816F.exe

Loads dropped DLL 6 IoCs

pid	Process
2492	bf4b4fb130ed297b7fb2fbef6b03547d_JaffaCakes118.exe
2388	DEMBDA4.exe
1876	DEM2B45.exe
1808	DEM80F3.exe
2444	DEMD643.exe
2180	DEM2BB2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2388	2492	bf4b4fb130ed297b7fb2fbef6b03547d_JaffaCakes118.exe	31
PID 2492 wrote to memory of 2388	2492	bf4b4fb130ed297b7fb2fbef6b03547d_JaffaCakes118.exe	31
PID 2492 wrote to memory of 2388	2492	bf4b4fb130ed297b7fb2fbef6b03547d_JaffaCakes118.exe	31
PID 2492 wrote to memory of 2388	2492	bf4b4fb130ed297b7fb2fbef6b03547d_JaffaCakes118.exe	31
PID 2388 wrote to memory of 1876	2388	DEMBDA4.exe	33
PID 2388 wrote to memory of 1876	2388	DEMBDA4.exe	33
PID 2388 wrote to memory of 1876	2388	DEMBDA4.exe	33
PID 2388 wrote to memory of 1876	2388	DEMBDA4.exe	33
PID 1876 wrote to memory of 1808	1876	DEM2B45.exe	35
PID 1876 wrote to memory of 1808	1876	DEM2B45.exe	35
PID 1876 wrote to memory of 1808	1876	DEM2B45.exe	35
PID 1876 wrote to memory of 1808	1876	DEM2B45.exe	35
PID 1808 wrote to memory of 2444	1808	DEM80F3.exe	37
PID 1808 wrote to memory of 2444	1808	DEM80F3.exe	37
PID 1808 wrote to memory of 2444	1808	DEM80F3.exe	37
PID 1808 wrote to memory of 2444	1808	DEM80F3.exe	37
PID 2444 wrote to memory of 2180	2444	DEMD643.exe	39
PID 2444 wrote to memory of 2180	2444	DEMD643.exe	39
PID 2444 wrote to memory of 2180	2444	DEMD643.exe	39
PID 2444 wrote to memory of 2180	2444	DEMD643.exe	39
PID 2180 wrote to memory of 2284	2180	DEM2BB2.exe	41
PID 2180 wrote to memory of 2284	2180	DEM2BB2.exe	41
PID 2180 wrote to memory of 2284	2180	DEM2BB2.exe	41
PID 2180 wrote to memory of 2284	2180	DEM2BB2.exe	41

C:\Users\Admin\AppData\Local\Temp\bf4b4fb130ed297b7fb2fbef6b03547d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf4b4fb130ed297b7fb2fbef6b03547d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\DEMBDA4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBDA4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\DEM2B45.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2B45.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\DEM80F3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM80F3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\DEMD643.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD643.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Users\Admin\AppData\Local\Temp\DEM2BB2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2BB2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\DEM816F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM816F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2B45.exe

Filesize
14KB

MD5
c96631bdc29cc3369d6f1668b22e86fe

SHA1
69bee4899a8ab88587fee3a8738d0503188d5244

SHA256
f866758b7c2138071bc4e8a3535ba83e4d25989ffdca33f88b4136c0e44f45d5

SHA512
b970e22c67bd65e8fe033fc89e626169ff6c988d771e8e2fae267c89a8fa74c53401b4a36637d19dc1d255adf0be9a32e00ed9aeef94cb2c616c53de9baae2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM816F.exe

Filesize
14KB

MD5
188bff0ceab52fdf761cae360d1026ba

SHA1
908618222d0bbe05a596b44d618d58ed3ebb1534

SHA256
76e92c7c12cf33d62ec0bdd1c7de9f7f15276f0e5773dd3da1452dc126365e7a

SHA512
30a48f5b536448125ad9affa03c749bc81b4fa0b56b5c0f87a3477d7e236cd5e96df779da612d7e07ffb69118f95a6e3fe47a28860ca91eaf051c83cb5b173dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBDA4.exe

Filesize
14KB

MD5
4b337ebfbaef5133795814be8c3b6454

SHA1
c90327a9fbcff99e780403979d2b445d71270d47

SHA256
dc426797fb13f9d5b90421efa96d36375cf075451cdd137adb02a7a8d0001712

SHA512
91a71aff2d82198a03ebe7fcae35253f3c8d0428b98548974a06afdb74fbf80e15771414b44400d5d2c0c5d811d16bfd9f0750b66def1904c251bce9a0b53deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD643.exe

Filesize
14KB

MD5
3ea53618589ceac4d34c1ed0c37c169e

SHA1
7ed4dc697ae7cde1bfd87b7ebd88514883469a29

SHA256
8af2726d79b9d7c120795cb8e468ee69e73e1303a52b5c556e1e0af20396683c

SHA512
ab0180bef1cb6af86b24462416615543cfee7655194297d7ea0f26741e3bc6b2a4b69e59b1bc13b089f3781d5af4c79f2411d282747e6260f536710b7e7b882f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2BB2.exe

Filesize
14KB

MD5
fea01131d4f7efc1aeda327d46ca4aa6

SHA1
406de4bb4f0d3db009a4b457aff27afbff0b3e98

SHA256
c45aa05a09d6b40322cd3d0b4a178e5ef9d06a976db387ad691ac87179ae629d

SHA512
d2ad1ec815ae7b42ee002e330d67b422db915aef43f8db5b50593eec07b682540e587bab0ec325ecd39895f8ac9a667c5749462555c8aec16c32aa00f440b897

Download Submit
\Users\Admin\AppData\Local\Temp\DEM80F3.exe

Filesize
14KB

MD5
f49acd33ff9a1ac41e135a97f11b9882

SHA1
9ba37355e0022eb6c2f973cc92e8e3939e568627

SHA256
916192fbe23c3a229f82d729ec980bf263b322ed7b4934a8b70541c90c7e42dc

SHA512
70f5329342d185e955bb45726d13ef2e054fd6022608a46c02d8d6c79c4ec159bd9ea2244d1a2473aa61329a91410c093a73791803f34834063a3c2d4efeeeea

Download Submit

Analysis

Sharing