1c3f1ad869e7cacfedc2db9f638102a4b2f41edb6af7697e3f0486d44d17eb13

General

Target

c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe
Size

14KB
MD5

c2ccb64b7cc6f8bd3f7438058e056498
SHA1

a26d6b59a4d2b20d660ad42ebdd26f9279ba8db9
SHA256

1c3f1ad869e7cacfedc2db9f638102a4b2f41edb6af7697e3f0486d44d17eb13
SHA512

8511dc556e05848b3b19650780cec7a99652539f200a49bc6456bd9923f4197b9b2f7e4c3d77b7986b699848798ad41553469fbd483dcbf15c76c89de8d9c7eb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5W:hDXWipuE+K3/SSHgxmI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1328	DEM50EE.exe
2408	DEMA860.exe
2704	DEMFF26.exe
2780	DEM5689.exe
576	DEMACF2.exe
1732	DEM2BF.exe

Loads dropped DLL 6 IoCs

pid	Process
844	c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe
1328	DEM50EE.exe
2408	DEMA860.exe
2704	DEMFF26.exe
2780	DEM5689.exe
576	DEMACF2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1328	844	c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe	29
PID 844 wrote to memory of 1328	844	c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe	29
PID 844 wrote to memory of 1328	844	c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe	29
PID 844 wrote to memory of 1328	844	c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe	29
PID 1328 wrote to memory of 2408	1328	DEM50EE.exe	33
PID 1328 wrote to memory of 2408	1328	DEM50EE.exe	33
PID 1328 wrote to memory of 2408	1328	DEM50EE.exe	33
PID 1328 wrote to memory of 2408	1328	DEM50EE.exe	33
PID 2408 wrote to memory of 2704	2408	DEMA860.exe	35
PID 2408 wrote to memory of 2704	2408	DEMA860.exe	35
PID 2408 wrote to memory of 2704	2408	DEMA860.exe	35
PID 2408 wrote to memory of 2704	2408	DEMA860.exe	35
PID 2704 wrote to memory of 2780	2704	DEMFF26.exe	37
PID 2704 wrote to memory of 2780	2704	DEMFF26.exe	37
PID 2704 wrote to memory of 2780	2704	DEMFF26.exe	37
PID 2704 wrote to memory of 2780	2704	DEMFF26.exe	37
PID 2780 wrote to memory of 576	2780	DEM5689.exe	39
PID 2780 wrote to memory of 576	2780	DEM5689.exe	39
PID 2780 wrote to memory of 576	2780	DEM5689.exe	39
PID 2780 wrote to memory of 576	2780	DEM5689.exe	39
PID 576 wrote to memory of 1732	576	DEMACF2.exe	41
PID 576 wrote to memory of 1732	576	DEMACF2.exe	41
PID 576 wrote to memory of 1732	576	DEMACF2.exe	41
PID 576 wrote to memory of 1732	576	DEMACF2.exe	41

C:\Users\Admin\AppData\Local\Temp\c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\DEM50EE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM50EE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\DEMA860.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA860.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\DEMFF26.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFF26.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\DEM5689.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5689.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\DEMACF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMACF2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\DEM2BF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2BF.exe"
        7⤵
        Executes dropped EXE
        
        PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA860.exe

Filesize
14KB

MD5
2e026753c8062d92b4f64491097127e3

SHA1
ef91cf653527503a739a7707adc1fb12569e7eb7

SHA256
8e2dcb7bf22b1d6e0e04b1a7a395a6c75524c2dd5fcbfac893c1ba0cb5398ea7

SHA512
3660e8092d8176e88e8a5a69285e5ec879fdc620627fbe3d992fb71761d5902ced78585b41b5d191047a1b056a42d5c1045c7c32a3a4843951abb41325badadd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2BF.exe

Filesize
14KB

MD5
5dafa0177d56bbfca78812f1342ea5fa

SHA1
1085adc43abc53e78e7d6ebe9de0c7ae75061f46

SHA256
1d2cd76331166b5cc3e5fb1462ad5bd53c37aaa20781dfe340513ed27f8f2b05

SHA512
97845adf0d34160eaaf90f8d8d564ab5289af0767a9f8e7f589d86ed9f3d3ad0663c52b19283b7b4af929187391cadaa90bf9894737ff1d03c8a0795350c0be9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM50EE.exe

Filesize
14KB

MD5
8ec8a88ad4d5c947c0960dc065d7fa91

SHA1
107e121dbbad6fade69cea137e25bb3c514a3eb6

SHA256
5582dddba2b40d679e45a254b61651c51626c04782c3fa44bae69a6dfc2e6a64

SHA512
a53a6b8f19cdfde1c24874bdec4aaa10142d173a113d37aa5e110c847b62123a637328edbf6629d1dfd06bd55b6baa0dbdc08d742972b98743298435db8734c8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5689.exe

Filesize
14KB

MD5
eee2bd05e3d86805056df0f10fd2b77e

SHA1
f1ad60d307a8d85268f4d4c50cde6b3af5d86695

SHA256
5a22972730ea96e682edc80801cb0c07febbb625586abede65b024e4751efd17

SHA512
bf4824e111b3a67d3d2e266f233caaebfaeec2361469547a4da21515f51b47eae892145ed5c891bdb0fa14a1c4ada28f6e913c41bb38e1b695ce1a183ef00c09

Download Submit
\Users\Admin\AppData\Local\Temp\DEMACF2.exe

Filesize
14KB

MD5
cdf99fdf3088da1bc4d38b414ca5c6fc

SHA1
fecbca8828300ec932873fb5f3dc5a586f1f9530

SHA256
38386221894467f7872808b302792e501d94c31041547e3056b68c81acd389ac

SHA512
622efa24349f5ce0869395aa35ee6d5cb9badf7246c400a790c8a52a80a141cfd103bfbaf6021ee4907b4b10037c9043edf9069e56a5db6da1111971ab3ba4d2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFF26.exe

Filesize
14KB

MD5
eeef7de1b1f98758017b105257677227

SHA1
579f8e510d08fef4a0b555a3fd112cbfd09bcfac

SHA256
5f6bad11604d9165ce3a6fb5fc7228db9699f36e1a7a29b97ffc920029f000c0

SHA512
345dd347e56adf79d3adf4d36f9056e38d7397912e34306d2e79836b90bcf42200129cdd0f6b8feadf59dde01b7c85de50c52fa0d419f90655c4aa43a54bb93a

Download Submit

Analysis

Sharing