266ae15d7eb24bbeadae42e9a7ed31dd99c1ea954197a762547b6d85cc7be86d

General

Target

c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
Size

14KB
MD5

c77589d49fba08a129ff3fa1012d2709
SHA1

30c5618c55d226880493435e823b1e01cf27b023
SHA256

266ae15d7eb24bbeadae42e9a7ed31dd99c1ea954197a762547b6d85cc7be86d
SHA512

f280c69eaadfdab581ef354067d182c77b114af823b335c99647281a1372a6aa5f2f90b6de4b3e0e1faa6a4fd2df6b60a2a17ee015f306478746b5bef3630d5c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5u:hDXWipuE+K3/SSHgxm8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2852	DEM4A0B.exe
2808	DEMA18D.exe
1820	DEMF834.exe
2604	DEM4EEB.exe
576	DEMA5B1.exe
2796	DEMFD24.exe

Loads dropped DLL 6 IoCs

pid	Process
2236	c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
2852	DEM4A0B.exe
2808	DEMA18D.exe
1820	DEMF834.exe
2604	DEM4EEB.exe
576	DEMA5B1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2852	2236	c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe	29
PID 2236 wrote to memory of 2852	2236	c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe	29
PID 2236 wrote to memory of 2852	2236	c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe	29
PID 2236 wrote to memory of 2852	2236	c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe	29
PID 2852 wrote to memory of 2808	2852	DEM4A0B.exe	33
PID 2852 wrote to memory of 2808	2852	DEM4A0B.exe	33
PID 2852 wrote to memory of 2808	2852	DEM4A0B.exe	33
PID 2852 wrote to memory of 2808	2852	DEM4A0B.exe	33
PID 2808 wrote to memory of 1820	2808	DEMA18D.exe	35
PID 2808 wrote to memory of 1820	2808	DEMA18D.exe	35
PID 2808 wrote to memory of 1820	2808	DEMA18D.exe	35
PID 2808 wrote to memory of 1820	2808	DEMA18D.exe	35
PID 1820 wrote to memory of 2604	1820	DEMF834.exe	37
PID 1820 wrote to memory of 2604	1820	DEMF834.exe	37
PID 1820 wrote to memory of 2604	1820	DEMF834.exe	37
PID 1820 wrote to memory of 2604	1820	DEMF834.exe	37
PID 2604 wrote to memory of 576	2604	DEM4EEB.exe	39
PID 2604 wrote to memory of 576	2604	DEM4EEB.exe	39
PID 2604 wrote to memory of 576	2604	DEM4EEB.exe	39
PID 2604 wrote to memory of 576	2604	DEM4EEB.exe	39
PID 576 wrote to memory of 2796	576	DEMA5B1.exe	41
PID 576 wrote to memory of 2796	576	DEMA5B1.exe	41
PID 576 wrote to memory of 2796	576	DEMA5B1.exe	41
PID 576 wrote to memory of 2796	576	DEMA5B1.exe	41

C:\Users\Admin\AppData\Local\Temp\c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\DEM4A0B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4A0B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\DEMA18D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA18D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\DEMF834.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF834.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Users\Admin\AppData\Local\Temp\DEM4EEB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4EEB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Users\Admin\AppData\Local\Temp\DEMA5B1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA5B1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\DEMFD24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFD24.exe"
        7⤵
        Executes dropped EXE
        
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4EEB.exe

Filesize
15KB

MD5
d34c1bd5ea3a0c35b9a493808a353792

SHA1
4c475afe77c142da0dc6b6b38d0073b312ca1f62

SHA256
b0d42fdcc548776273aa8872c41792a2348493da840aa5728341d157e2706a57

SHA512
67dba2e972f3e40a0730f798ac406102c44f6d8d0547f9f78dca3fd9348889c520b05df2b68e0909fea19634a64ce4bff822ad15b4f73f708b10161ae8b10be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA18D.exe

Filesize
15KB

MD5
36a05777f2e4dae032d1cbca7ce5027f

SHA1
be93f09c204484f29bfd148717df59656e13f25c

SHA256
0aada2382e70bf081bcae54c9c524f4b133671fcc0a5dfad85f3b67bb4eaefce

SHA512
b72ce131d7078c6efb65a03c80f2ef5786ee0c4c98df16c4f57200fd81a987250bb77c6cbab2a085c04145dc4a7825d6c71a86e8cf69754b5c13d1badfe69fc1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4A0B.exe

Filesize
15KB

MD5
f1678ded344ed4e26abfc9d4a1b9630c

SHA1
bc7698a9d0f330e3f5fda8465bfaeecf6eba9f2f

SHA256
4346c2ae2956f7bd8563a8babca5a1c275235862e128eba93133554db7fd89bd

SHA512
7091af7aff52144478d7c0dccd58e748b003e6434b324a0a64dba5424b5e4457da2c8ccd952d4c9067429c08ef7d60bf59d6bd50dfb62b503433564bb40387a8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA5B1.exe

Filesize
15KB

MD5
08660aa37a1c675203690230cff201fd

SHA1
a234ecb9ec50680fbfeae13ecb7d66fea79b24c9

SHA256
c18cf58517beb101139f95f6dcbbbebaa1aa19bc399fbbe79770d51663810af3

SHA512
ec5574eadf2fffbb17d59f4eac5b1a592607169dc06a96bdbe3ed39c1367e0a4b8fe68312bda646cdfb6408128c0cf828921b645f4f4f9933671a2028117a68e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF834.exe

Filesize
15KB

MD5
cb3ce50fcf38767878409cff9c36673e

SHA1
3a9e8d364cd03145d5da6353935f98081e5a05ac

SHA256
94fe994fd9d85a4cab269e7dbc7f9966eeb3e0d214f4da4254726e5d08525969

SHA512
0f20620c35fd6a3746898ef787fd7e8da48550c05564f80440d78ec04f873ef48f7dea4b927aaf89bf8db18712008b04f59673e912259903296397bd514e5737

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFD24.exe

Filesize
15KB

MD5
f3c53b69e720508f1be029719ca33cc2

SHA1
b4ec2316c55e66cd39abe09f501c08f1d6c0d2f8

SHA256
cd4f2591bee46a000ae13579751e4adab3713afc38aaeb3e9a5e14cf2c7adf1b

SHA512
2e910baf6f674fdd8edef1fff41a0f33e49104d69aae94986106a558dc7887b1c7eab8258b828241cdf64302f90ebfdfa591d854e1ffd2ab4130eda5c43e66ed

Download Submit

Analysis

Sharing