f74cf3063220d8ff8754ea7a749c3f90cba4ef1db01e065f263f60050792b120

General

Target

c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe
Size

14KB
MD5

c3205ba22e31f513db9f555cf4fd7f23
SHA1

799ded4daa2f278d7c8a9b1e63bcc4b676e00733
SHA256

f74cf3063220d8ff8754ea7a749c3f90cba4ef1db01e065f263f60050792b120
SHA512

5cc0a4972fdbe433bebe6d757ffcfc9114d02b3c08dae92b31ff2bcd00237a2ff2253315bfa046a3b44160eb82e72aa6c89edaefc2d1cbaae5f6b15beb9f2acc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5Hj:hDXWipuE+K3/SSHgxmdj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2628	DEM5C24.exe
2468	DEMB210.exe
1380	DEM879.exe
1976	DEM5EB3.exe
772	DEMAFDF.exe
2716	DEM56D.exe

Loads dropped DLL 6 IoCs

pid	Process
2092	c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe
2628	DEM5C24.exe
2468	DEMB210.exe
1380	DEM879.exe
1976	DEM5EB3.exe
772	DEMAFDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2628	2092	c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe	29
PID 2092 wrote to memory of 2628	2092	c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe	29
PID 2092 wrote to memory of 2628	2092	c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe	29
PID 2092 wrote to memory of 2628	2092	c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe	29
PID 2628 wrote to memory of 2468	2628	DEM5C24.exe	33
PID 2628 wrote to memory of 2468	2628	DEM5C24.exe	33
PID 2628 wrote to memory of 2468	2628	DEM5C24.exe	33
PID 2628 wrote to memory of 2468	2628	DEM5C24.exe	33
PID 2468 wrote to memory of 1380	2468	DEMB210.exe	35
PID 2468 wrote to memory of 1380	2468	DEMB210.exe	35
PID 2468 wrote to memory of 1380	2468	DEMB210.exe	35
PID 2468 wrote to memory of 1380	2468	DEMB210.exe	35
PID 1380 wrote to memory of 1976	1380	DEM879.exe	37
PID 1380 wrote to memory of 1976	1380	DEM879.exe	37
PID 1380 wrote to memory of 1976	1380	DEM879.exe	37
PID 1380 wrote to memory of 1976	1380	DEM879.exe	37
PID 1976 wrote to memory of 772	1976	DEM5EB3.exe	39
PID 1976 wrote to memory of 772	1976	DEM5EB3.exe	39
PID 1976 wrote to memory of 772	1976	DEM5EB3.exe	39
PID 1976 wrote to memory of 772	1976	DEM5EB3.exe	39
PID 772 wrote to memory of 2716	772	DEMAFDF.exe	41
PID 772 wrote to memory of 2716	772	DEMAFDF.exe	41
PID 772 wrote to memory of 2716	772	DEMAFDF.exe	41
PID 772 wrote to memory of 2716	772	DEMAFDF.exe	41

C:\Users\Admin\AppData\Local\Temp\c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\DEMB210.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB210.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\DEM879.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM879.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\DEM5EB3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5EB3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\DEMAFDF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAFDF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\DEM56D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM56D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe

Filesize
14KB

MD5
90e185c49c40320c98037327c3939b08

SHA1
1f07010fd85235ac7d66499f11ca00bda075e3aa

SHA256
062da0abd557283795730b220c8dab36fa429735f9fdbdf45612a1420b7e7576

SHA512
3e56b56145b6ff63959f9c112f0956bd684e828636c6fd1938343281538dedcb4c7eb906db5cab527b61da259fc723cee968cf85716d4a4235ad6ce466c53eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB210.exe

Filesize
14KB

MD5
6521732d3bd8e911680f75dc69794ffa

SHA1
469f819132309af2a529a9304b7dad2b1432a0d9

SHA256
d6739ca947a41caafe7f2968447aa9f98c0239f24a384f26d565edf28af7e812

SHA512
a675f97b107e07fe70e1e1e6e9b184b4d1f93c482e1d132e8a23e03628c80a2fdcc741c0970493f1046b843eab7b9ae6e9bae9f38e97a00c77df743043a01e2a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM56D.exe

Filesize
14KB

MD5
97b9f19c6359f69fe4a9c46efe52260a

SHA1
7170c99770451180c944ad41223a13d6b9b28840

SHA256
506052bedeb870f95288ac6852fe7ab72f10c0885cdc9b8cfc90cde486e13f8b

SHA512
39d5b9e21cf6c4b8c4904aa8593bbe305a8321a764b3daf27e238894c30e79666a00dc84a0466a202efbb32de26e9cb371617dede6922d19c64256eef9380ec1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5EB3.exe

Filesize
14KB

MD5
3d4aa3b6cef48daf2962bab0667fe804

SHA1
8b01083cf10880fd6adc4978dfb9b21616c34703

SHA256
0cc36cd12c195913074e98e40b95574ce6cb1ed57de80055fbc9e1474ed050c7

SHA512
c44ceae8124f82757c42b76124a27eefb877eb1be4859228817bb86e9273a609a703035912063fa18ea89570841a8955d7025afc6653fe74ccdfccc6de863abc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM879.exe

Filesize
14KB

MD5
9f66f4c69486eae1f965c86f82c344f9

SHA1
6a17ab3293a9d945e8e530ebb080fff9004b786b

SHA256
e522cc7a988e4d4eebbae32a333c2226292cbcd6ce4a0d29cbc559efe08ce746

SHA512
0b9505f4c7099fa60b7c2b0d02de2ed92e0f938b12a15ff937449c373aec447b6cc22e6124c088c9a9aa167755ba0a07dc8a18d444024652c5fbdbd0bd3956c1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAFDF.exe

Filesize
14KB

MD5
96a8cef9af415c77581551c05a3e5117

SHA1
4ba9e20b4182574713fc79ec04c4a3dc49238d23

SHA256
c36ceddcdf465de67c121306227d15e34e861284b7897024a1453a196002d634

SHA512
abefddde1e42a83c5f01d1d97e3d3a2f8242ce62befeb4007680f0199a5d854db73c6e37eb1a792e631282f1b96fd8c53a06e761facd1522629a71321adcb86b

Download Submit

Analysis

Sharing