31dacb0e4b58b7d12e82ca3991afe7462ec64359a4f7ef9f51f4a47123a99cda

General

Target

c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe
Size

14KB
MD5

c7914dbe9884a7e18ac279033e5020fc
SHA1

0d8d0bb22079b88f253ec28e32153f8da50b36df
SHA256

31dacb0e4b58b7d12e82ca3991afe7462ec64359a4f7ef9f51f4a47123a99cda
SHA512

a501d9ae505f64199165da4541b48ca2d14cfa52ff9528a716fc761397c299963a3daf627340ed9a3ae8631052d7fd0b57e797cd947bb253faa15b7123633706
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5RAnCg:hDXWipuE+K3/SSHgxfg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2600	DEM23A7.exe
500	DEM7974.exe
2756	DEMCF12.exe
1900	DEM2491.exe
2940	DEM7A4E.exe
1232	DEMD02B.exe

Loads dropped DLL 6 IoCs

pid	Process
2164	c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe
2600	DEM23A7.exe
500	DEM7974.exe
2756	DEMCF12.exe
1900	DEM2491.exe
2940	DEM7A4E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2600	2164	c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe	29
PID 2164 wrote to memory of 2600	2164	c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe	29
PID 2164 wrote to memory of 2600	2164	c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe	29
PID 2164 wrote to memory of 2600	2164	c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe	29
PID 2600 wrote to memory of 500	2600	DEM23A7.exe	33
PID 2600 wrote to memory of 500	2600	DEM23A7.exe	33
PID 2600 wrote to memory of 500	2600	DEM23A7.exe	33
PID 2600 wrote to memory of 500	2600	DEM23A7.exe	33
PID 500 wrote to memory of 2756	500	DEM7974.exe	35
PID 500 wrote to memory of 2756	500	DEM7974.exe	35
PID 500 wrote to memory of 2756	500	DEM7974.exe	35
PID 500 wrote to memory of 2756	500	DEM7974.exe	35
PID 2756 wrote to memory of 1900	2756	DEMCF12.exe	37
PID 2756 wrote to memory of 1900	2756	DEMCF12.exe	37
PID 2756 wrote to memory of 1900	2756	DEMCF12.exe	37
PID 2756 wrote to memory of 1900	2756	DEMCF12.exe	37
PID 1900 wrote to memory of 2940	1900	DEM2491.exe	39
PID 1900 wrote to memory of 2940	1900	DEM2491.exe	39
PID 1900 wrote to memory of 2940	1900	DEM2491.exe	39
PID 1900 wrote to memory of 2940	1900	DEM2491.exe	39
PID 2940 wrote to memory of 1232	2940	DEM7A4E.exe	41
PID 2940 wrote to memory of 1232	2940	DEM7A4E.exe	41
PID 2940 wrote to memory of 1232	2940	DEM7A4E.exe	41
PID 2940 wrote to memory of 1232	2940	DEM7A4E.exe	41

C:\Users\Admin\AppData\Local\Temp\c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\DEM23A7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM23A7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\DEM7974.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7974.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:500
  - - C:\Users\Admin\AppData\Local\Temp\DEMCF12.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCF12.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\DEM2491.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2491.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Users\Admin\AppData\Local\Temp\DEM7A4E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A4E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\DEMD02B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD02B.exe"
        7⤵
        Executes dropped EXE
        
        PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM23A7.exe

Filesize
14KB

MD5
90ac4ecb92d76467448edd0aa5f7b98c

SHA1
24bbf09eed184753b9267821595549beee61d300

SHA256
94b77cce9b6d96771ccdb22d08f54b6f26712a4b01603fb2e7ba02a2714bd78f

SHA512
45fc88df340f8eaaf2edc3e31a381fea40c18f90a2c3ad4d218b8c7512f866744adf5801b8ce8d080ef6368f5c427934048332497eecdb3af6fa7408504c1fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7974.exe

Filesize
14KB

MD5
aa30e4d1963f43de2faabd1718e3f28a

SHA1
784b8e1e9e7cda8edf8fa2f4de935643758cd282

SHA256
aa2c5843a79833e9dc4032778faa7d12a1bed8fa289f868b99a4477fa73c74f2

SHA512
8726b58e01aa371da157ed8b691e40ba76fa6ac4a15e5317ffd7d0de9731559059791a4838f7765488eb85df56a49b562587f55a48763eaccf2cc353d0e37074

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD02B.exe

Filesize
14KB

MD5
560cae4f0298d20a2ec35f5f3ff785ae

SHA1
67011d9e9babe5d7a59cf1037cb4d17317efeeaa

SHA256
b3c2c9dd4a22248b1051f9be5682da76363fa942d1d06a101017451d7d7330a1

SHA512
86bebca097b9dd0a6b631bf7593bf4f2e6febb53f0b1f7554ba76a36306bca813739e5744d5750af90f82750f71185ba2751cd8cd949144d1aec9d39720b04e6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2491.exe

Filesize
14KB

MD5
6b1928951198670791da053bffe2e3ee

SHA1
07e40334b7bfa161df14053578ba7933abeaa8c3

SHA256
8767d07cff774c75394242e7fa2b00fd82812bd43eea1c49cc3937cf3e33520f

SHA512
8fd57608268fbfc7a9639b67b39c725a8487fb3c58860443708b183cba31fc61dcb11a21e2e37d7d0c578f121b4e3d6249afd2e9e3d00aecc7560923ee008455

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7A4E.exe

Filesize
14KB

MD5
47418811a670e3daa385a588ad5667a8

SHA1
cf7bf43a43acc5f7bdabdcdc663b6a138181fe0d

SHA256
9804e4e85bb74fcded27f5b0459c878463a00c81ccd61e87a984d2be95349f7e

SHA512
095f14b113d9569194e4460afbe26d7f392e2964b7f0b07209ff8fa6a8a5e8f3dbaa28f82ea46146450fa7bc37847a64779454fb0cc38d3b98aa0f63c42ddd97

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCF12.exe

Filesize
14KB

MD5
8d41c3bd29e49914af27014ed01aa4ba

SHA1
2bb98169ac12750c3f853927512dce6b8335065e

SHA256
12c45b9f0ddc989e8af94350e7bf774b56c08dc09838c45bd6257d9763ede40b

SHA512
35e0f8f897bbfcf69f7840a2491397685486047ddbf200a77f49c903bb5471b7f4364997894debcfd6efd221b760436547a73014e81581854df0e518a344ba21

Download Submit

Analysis

Sharing