2f25286a82d3df38025c5c4d37279064c50662a04e7f2f2d860571be55ef854a

General

Target

c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe
Size

14KB
MD5

c1ec9ea6984f021046382f79f55efdb4
SHA1

c4e8aeeae10b9b8e2eab05ebeb6f508033681e61
SHA256

2f25286a82d3df38025c5c4d37279064c50662a04e7f2f2d860571be55ef854a
SHA512

e5f36c58fc6b84df776ba812af84974b9b9bd02477891f742ace659d188693b158bf760d349d3940959f70649cc42f25cc2b0c4f755dc9543c178178cd477b15
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHuE:hDXWipuE+K3/SSHgx3NHHb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3024	DEMA812.exe
2508	DEMFF46.exe
2496	DEM56A8.exe
1884	DEMADDC.exe
1124	DEM55E.exe
2368	DEM5C43.exe

Loads dropped DLL 6 IoCs

pid	Process
2292	c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe
3024	DEMA812.exe
2508	DEMFF46.exe
2496	DEM56A8.exe
1884	DEMADDC.exe
1124	DEM55E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3024	2292	c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 3024	2292	c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 3024	2292	c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 3024	2292	c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2508	3024	DEMA812.exe	33
PID 3024 wrote to memory of 2508	3024	DEMA812.exe	33
PID 3024 wrote to memory of 2508	3024	DEMA812.exe	33
PID 3024 wrote to memory of 2508	3024	DEMA812.exe	33
PID 2508 wrote to memory of 2496	2508	DEMFF46.exe	35
PID 2508 wrote to memory of 2496	2508	DEMFF46.exe	35
PID 2508 wrote to memory of 2496	2508	DEMFF46.exe	35
PID 2508 wrote to memory of 2496	2508	DEMFF46.exe	35
PID 2496 wrote to memory of 1884	2496	DEM56A8.exe	37
PID 2496 wrote to memory of 1884	2496	DEM56A8.exe	37
PID 2496 wrote to memory of 1884	2496	DEM56A8.exe	37
PID 2496 wrote to memory of 1884	2496	DEM56A8.exe	37
PID 1884 wrote to memory of 1124	1884	DEMADDC.exe	39
PID 1884 wrote to memory of 1124	1884	DEMADDC.exe	39
PID 1884 wrote to memory of 1124	1884	DEMADDC.exe	39
PID 1884 wrote to memory of 1124	1884	DEMADDC.exe	39
PID 1124 wrote to memory of 2368	1124	DEM55E.exe	41
PID 1124 wrote to memory of 2368	1124	DEM55E.exe	41
PID 1124 wrote to memory of 2368	1124	DEM55E.exe	41
PID 1124 wrote to memory of 2368	1124	DEM55E.exe	41

C:\Users\Admin\AppData\Local\Temp\c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\DEMA812.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA812.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\DEMFF46.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFF46.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\DEM56A8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM56A8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\DEMADDC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMADDC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\DEM55E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM55E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\DEM5C43.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5C43.exe"
        7⤵
        Executes dropped EXE
        
        PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMFF46.exe

Filesize
14KB

MD5
ccedd13eaa1d6c6170f874a614dd48ed

SHA1
a68cf9ec3465e60d4d987f0ece302ecf93ed2113

SHA256
f5090e957979d444ee6a25020678876e8def3684de0454c74e1878fc72d44d6b

SHA512
337905c1502f095c712cfb5b80ea2497caf66ab9a7ddbadc0585a2ee817399d8fdfbe78c03a272b126927ca8edbfd3e88e3338ffa453568c44fb8af5016edc12

Download Submit
\Users\Admin\AppData\Local\Temp\DEM55E.exe

Filesize
14KB

MD5
f8723f00740d22c440fd951aa868de30

SHA1
a3fa066b47cd61fdf5000ff1d16721cc0af9eb70

SHA256
beaa29b6b0a58effacac18d89bdc66bc5873a017be90db57ef1f610f7cf68514

SHA512
e1a0af15e4c3509d4007a6e606ae48840ff559830df15636fda55a750323e1a9fe0a9fb50ed2f6036c7827929680343a6165cec2cc0d1ea140a53c09f862406f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM56A8.exe

Filesize
14KB

MD5
0575b08abdd20497ffb35fc927f9550e

SHA1
e75cdc3c31c693a7ac2e8f95f9fd256b70039323

SHA256
479fc7010564236f4c335e743c8cb36d360d23d991d708620179af4b53fa234e

SHA512
e20a673fb6a35fa4556217c96022635a05f147d1bdb84ab9afe7f0d38c820efacc19c9f34ce8d40b11a703bec9122c7c17e50db595e8415940fca5a78fb4b55b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5C43.exe

Filesize
14KB

MD5
11e3b6ef312d3d69ee81841e30c69d8d

SHA1
ea429d89d85317271e56079a10b62c68f46fc0c2

SHA256
993adfcfd3b47b827fe8204969e7cb494c1341528601789916b9df769d2ef410

SHA512
6d7097a460a3989837ad3d022407c9bbcf7deade793538d06b33e88143ebddf7ebdd599a1492f5c5abbea7303975c538df8196497ac73b635324c4edc0f0dab6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA812.exe

Filesize
14KB

MD5
718fe4d25950da0721e3eeb73a808d4f

SHA1
64993305be71d2626a90bb56eba9422869cf37de

SHA256
337a79f5ef3fdb7663ed22f9bf2eb785870a2f8e3dd62fa313bfbb5c9554cee1

SHA512
30c244c3078b384a94073abee1a69d7354b8f57ae8c1ec9f281947a99ad46ef1f7c86b81b05ecf5351f00ccb6a13265aef95c7f6e487ef7c527d5113abed545c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMADDC.exe

Filesize
14KB

MD5
94d2a19c30675715de0623a63a24cd6c

SHA1
13b2a6be529548771f8fd83ea5e919a2a150c478

SHA256
2b944fa81eaacfcdf6f7467e19f6a0a5f5c249f0bf0fe358c35d98dbe8bace54

SHA512
6e7259f1fbe323bfa54289332d927f4ea7e759b5911eea2b959ee82f2aec54598c9c07330d1ab104c9ed4ab04fc5e676a5f75ee8c1c926612c2d281512490e44

Download Submit

Analysis

Sharing