060d8d92ff5a5127139ce94d47775c7850a039f350443e644ae4b9051c80e8b6

General

Target

c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe
Size

16KB
MD5

c2a18284c8ac583ac2932e8babfa55fe
SHA1

d096bb1bcf17285164aa1d0fb65e760d5afea8cd
SHA256

060d8d92ff5a5127139ce94d47775c7850a039f350443e644ae4b9051c80e8b6
SHA512

b613e2f1446a79ae5cf49dd15064b33160e451a84e5a4ea2f2b077eda1dc26e593b55c8cfdc854c897a0c4609abcd0531bdf73847849a257774dc0c6f2eb0b43
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx4mZh:hDXWipuE+K3/SSHgxmHFz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2592	DEM2BD1.exe
2540	DEM82A7.exe
2468	DEMD8D2.exe
2752	DEM2F4A.exe
664	DEM8601.exe
336	DEMDC5B.exe

Loads dropped DLL 6 IoCs

pid	Process
2164	c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe
2592	DEM2BD1.exe
2540	DEM82A7.exe
2468	DEMD8D2.exe
2752	DEM2F4A.exe
664	DEM8601.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2592	2164	c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe	29
PID 2164 wrote to memory of 2592	2164	c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe	29
PID 2164 wrote to memory of 2592	2164	c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe	29
PID 2164 wrote to memory of 2592	2164	c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2540	2592	DEM2BD1.exe	33
PID 2592 wrote to memory of 2540	2592	DEM2BD1.exe	33
PID 2592 wrote to memory of 2540	2592	DEM2BD1.exe	33
PID 2592 wrote to memory of 2540	2592	DEM2BD1.exe	33
PID 2540 wrote to memory of 2468	2540	DEM82A7.exe	35
PID 2540 wrote to memory of 2468	2540	DEM82A7.exe	35
PID 2540 wrote to memory of 2468	2540	DEM82A7.exe	35
PID 2540 wrote to memory of 2468	2540	DEM82A7.exe	35
PID 2468 wrote to memory of 2752	2468	DEMD8D2.exe	37
PID 2468 wrote to memory of 2752	2468	DEMD8D2.exe	37
PID 2468 wrote to memory of 2752	2468	DEMD8D2.exe	37
PID 2468 wrote to memory of 2752	2468	DEMD8D2.exe	37
PID 2752 wrote to memory of 664	2752	DEM2F4A.exe	39
PID 2752 wrote to memory of 664	2752	DEM2F4A.exe	39
PID 2752 wrote to memory of 664	2752	DEM2F4A.exe	39
PID 2752 wrote to memory of 664	2752	DEM2F4A.exe	39
PID 664 wrote to memory of 336	664	DEM8601.exe	41
PID 664 wrote to memory of 336	664	DEM8601.exe	41
PID 664 wrote to memory of 336	664	DEM8601.exe	41
PID 664 wrote to memory of 336	664	DEM8601.exe	41

C:\Users\Admin\AppData\Local\Temp\c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\DEM2BD1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2BD1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\DEM82A7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM82A7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\DEMD8D2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD8D2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\DEM2F4A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2F4A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\DEM8601.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8601.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\DEMDC5B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC5B.exe"
        7⤵
        Executes dropped EXE
        
        PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM82A7.exe

Filesize
16KB

MD5
8b69f7541b10d21b7abe18aec8ab9846

SHA1
4b50c75abd93ed933d0d99bc2d8028ab7ee6d124

SHA256
93f1d0bf3afb84196d125e72c059d26b16a7b2cf095fba810acf1a77742dfdd9

SHA512
b1a1f087a32a5f7e3b4f68b1483054f5e09ba74b6a75d8feeaecbe720d6dd9c71b04da21c78de9b65bf1bd2ec31c3e013c2ef2efd6e2a1bb49e76fec2edf10ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC5B.exe

Filesize
16KB

MD5
fb54c47ee7b65bd4f7d782f3447f69a7

SHA1
83cbe33599b7f80dd4bdf6d41947293e2f5d74c7

SHA256
aef99d4f26335a39700b2a19259ea9ed6b61d2fce98af334724839dfbec8b486

SHA512
0e8ed150cc04af867f989d3026668895dfe5d485f801eda057c54f6b371f06329233629850aecff68037fb28be62841084e0f92406fe82c9ff8c11bc33cfdef7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2BD1.exe

Filesize
16KB

MD5
6b39106c2e66b4f77d051cbdb5730dc1

SHA1
3dde0440fd65ee7e966ccca6950135c017a202ba

SHA256
698708b4ee630cbe9d34e64fb9701041eb50843197bd2d907f202ea58992609e

SHA512
28e05b55414b8dc66798e562ecd283d1e02c9dc47b6138260d815ef71a83c8b03bc3e4017ea084d40ef942ed7d31e5ac4f2e582f6277ff107878faf688df1a6d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2F4A.exe

Filesize
16KB

MD5
6807ecfb7adb41038033d1498679f703

SHA1
1e56c00ac0f258b6a56da9d488c15271bc0a854b

SHA256
79e3dc553e87db1314265d368eb3463ba8c9ad3c9d4b7ea421287bbab25c65a1

SHA512
1c179f2b00b137f0a14fe0240e3fe3eb7e81046b749095ad18c2c05c2049023ce56ad244daa8c5bd02870ebd89b764e46f28ba36d851782e75b170f400ed413f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8601.exe

Filesize
16KB

MD5
479ddd5311ba14b87dd726a4b2d7dc88

SHA1
86f67769ff58084867fbce2514d85ea19d247e67

SHA256
462773df3840a53312fc92428e8370725d2f5ed7621ed6e734ec09936a7feaa5

SHA512
e7bbd38d13c24ae7992d2884fff9d6c4836d14e05d6917b6c1fc44dfd954b1d5d9d37b8fe219b710e26b92455b3e3ebfd076fe5477cad7b7aa3efc1767d24dc7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD8D2.exe

Filesize
16KB

MD5
f994baa9bb7c81516c80163806e8ffe5

SHA1
044b7bd4a1ed33354df6cb8770cfad7fb9c172df

SHA256
fd1096c95d58d4326bb35299cb9d23790654aba0074fa9e2e0517094d6318717

SHA512
3c9e6027d087d797c563c09a343043b45e4a189b4a4c884f07f287b57fc142edfc861fb164861e0e485eef55029f0141094fa9e51a417344df102b71dc17e9e2

Download Submit

Analysis

Sharing