fee33fcfaaa255888cbe28f6ac09b85c6ebeef0c1d43e4749fdf37c3ae9b69a2

General

Target

c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe
Size

15KB
MD5

c1d267e024733c74ec6c9da774e67c0a
SHA1

bbfb8a4e40b011013102a34af25a0b47aa777d1a
SHA256

fee33fcfaaa255888cbe28f6ac09b85c6ebeef0c1d43e4749fdf37c3ae9b69a2
SHA512

b48f70726f2af1e4e3b0219952c7a28fa1ba37fe815884705ef8b83bd75ce678c7a9bbb4b5206f822ab2b08fd094f2e4685eb4cad2beb56f88a3389292453593
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5WS:hDXWipuE+K3/SSHgxl5WS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2628	DEM1D70.exe
2676	DEM72B0.exe
2716	DEMC7A3.exe
1556	DEM1CB4.exe
1148	DEM71E5.exe
1208	DEMC6F7.exe

Loads dropped DLL 6 IoCs

pid	Process
2908	c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe
2628	DEM1D70.exe
2676	DEM72B0.exe
2716	DEMC7A3.exe
1556	DEM1CB4.exe
1148	DEM71E5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2628	2908	c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe	29
PID 2908 wrote to memory of 2628	2908	c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe	29
PID 2908 wrote to memory of 2628	2908	c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe	29
PID 2908 wrote to memory of 2628	2908	c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe	29
PID 2628 wrote to memory of 2676	2628	DEM1D70.exe	31
PID 2628 wrote to memory of 2676	2628	DEM1D70.exe	31
PID 2628 wrote to memory of 2676	2628	DEM1D70.exe	31
PID 2628 wrote to memory of 2676	2628	DEM1D70.exe	31
PID 2676 wrote to memory of 2716	2676	DEM72B0.exe	35
PID 2676 wrote to memory of 2716	2676	DEM72B0.exe	35
PID 2676 wrote to memory of 2716	2676	DEM72B0.exe	35
PID 2676 wrote to memory of 2716	2676	DEM72B0.exe	35
PID 2716 wrote to memory of 1556	2716	DEMC7A3.exe	37
PID 2716 wrote to memory of 1556	2716	DEMC7A3.exe	37
PID 2716 wrote to memory of 1556	2716	DEMC7A3.exe	37
PID 2716 wrote to memory of 1556	2716	DEMC7A3.exe	37
PID 1556 wrote to memory of 1148	1556	DEM1CB4.exe	39
PID 1556 wrote to memory of 1148	1556	DEM1CB4.exe	39
PID 1556 wrote to memory of 1148	1556	DEM1CB4.exe	39
PID 1556 wrote to memory of 1148	1556	DEM1CB4.exe	39
PID 1148 wrote to memory of 1208	1148	DEM71E5.exe	41
PID 1148 wrote to memory of 1208	1148	DEM71E5.exe	41
PID 1148 wrote to memory of 1208	1148	DEM71E5.exe	41
PID 1148 wrote to memory of 1208	1148	DEM71E5.exe	41

C:\Users\Admin\AppData\Local\Temp\c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\DEM1D70.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1D70.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\DEM72B0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM72B0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\DEMC7A3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC7A3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\DEM1CB4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1CB4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Users\Admin\AppData\Local\Temp\DEM71E5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM71E5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\DEMC6F7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC6F7.exe"
        7⤵
        Executes dropped EXE
        
        PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1D70.exe

Filesize
15KB

MD5
5962a1fcfa169c41a557eb63d1144989

SHA1
d84f04cdeeb98f1805d4cc35dad0a481ef13dc12

SHA256
14d46fa102423759abca33a164027da23fac860054b63151af8c29d23f5f049a

SHA512
8efe473e518eaefc8b5b9ad5a3848ee3b6b31a35f1854a21ff0c328a4874dd0b4c40e23a38bd3165868bd751618492e01818430a11073b0b0b63d9ed146152b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM71E5.exe

Filesize
15KB

MD5
45e87b135cf66effd055d02f654e668f

SHA1
af4d246c72f51f8252c9894dce47b3466f6efcc2

SHA256
5b128665ff7101b6d165e54dbbfeefce42fbb097718524044f3eb586b1a9e9bf

SHA512
30fdf4d8d3dd206f5e5634b05b538003bfcd484459b727f87789beb6b8d7bc911b17749f12dfc7aea8961695b83800d91f67228ac3a20cd26822b57d1f5fb0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM72B0.exe

Filesize
15KB

MD5
2ba8df97f32839e8c01815a36df6c424

SHA1
fceaa3fcbf188db0335078c44871312d28a62f6f

SHA256
797115bf2b1bc4faeffc65d3ed9f32df363f6928ba11651571727db1346bfa4a

SHA512
6930e1189413cd2a58e5d42b0d998c85f333172c99bbd90cafd015c43b95b2ad24d49a74dbc7c00a1f340de44e2c048e12f16c52023c59c7c442716af4e94ebe

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1CB4.exe

Filesize
15KB

MD5
383c44a97c0c1b34eb8568270b816438

SHA1
31ecd0a887abe75705fb0d13c6f5bddc12addc6b

SHA256
18696064996e0dc8a0784ad7e381f9a3debd7d7ab3c2252b45be846783f2c46f

SHA512
e38e1da3e878b4a8109c5211dd8ac2c52e1dd147bb5bffe9478eff622fc1b287ffa39802cb04301510a7eff217aa47fe38b98089567dd5e59fc030ca3bfadc84

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC6F7.exe

Filesize
15KB

MD5
db752c120586c6ba34c4a47be67c6cb5

SHA1
3bf13e1cf379d0779703ead5341ae5d1c35abeea

SHA256
cb273ee5d810668ea78cc55b09f5d8aaea2922fece34d25f35bd01f9f3a39359

SHA512
19de49eee76ad0194994aafdf511297944c6e8624fa485a798bdaa732505015cee4394195256dd9e392e6da8a0ad25ddfae2e6badf0bc53877a718e578f8ca12

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC7A3.exe

Filesize
15KB

MD5
ed80115a375a5635bebb89907db96427

SHA1
42e778d93abcafa4ed7eee90edf0402df1beadf2

SHA256
df2f75d6aa11d09f89e4e70d0a6fa1b941d85ea0d467f89f791c343a07dc3baa

SHA512
886bd20c5ddceaf0d59308d4d9e726ba49c663feb86619bacddede01c1a2e265c299178f30d4665cd6f0c607a872b170472b1d7bbfda1b53be0e18f359e98fd9

Download Submit

Analysis

Sharing