39897d9370763b63b14ff3e57abd9bd7f590d7a19586ee32afe2f9df191ba009

General

Target

c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe
Size

14KB
MD5

c9e277601c4bedaba072f547c145c3c5
SHA1

a4b725665c0f7ce654989b80fdba168096de776d
SHA256

39897d9370763b63b14ff3e57abd9bd7f590d7a19586ee32afe2f9df191ba009
SHA512

dbbd47e998fce696d72efc82083537bc39eda85aad03d331b880959ef864ae66640680e895360d904a630c4db01fbd617dcb79bef8644e506fe1a4c1ec1a8495
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdH2Q:hDXWipuE+K3/SSHgx3NH2Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2668	DEM2AC8.exe
2460	DEM7FF9.exe
2696	DEMD50B.exe
1860	DEM2A1C.exe
652	DEM7F2E.exe
2488	DEMD450.exe

Loads dropped DLL 6 IoCs

pid	Process
2176	c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe
2668	DEM2AC8.exe
2460	DEM7FF9.exe
2696	DEMD50B.exe
1860	DEM2A1C.exe
652	DEM7F2E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2668	2176	c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2668	2176	c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2668	2176	c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2668	2176	c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe	29
PID 2668 wrote to memory of 2460	2668	DEM2AC8.exe	33
PID 2668 wrote to memory of 2460	2668	DEM2AC8.exe	33
PID 2668 wrote to memory of 2460	2668	DEM2AC8.exe	33
PID 2668 wrote to memory of 2460	2668	DEM2AC8.exe	33
PID 2460 wrote to memory of 2696	2460	DEM7FF9.exe	35
PID 2460 wrote to memory of 2696	2460	DEM7FF9.exe	35
PID 2460 wrote to memory of 2696	2460	DEM7FF9.exe	35
PID 2460 wrote to memory of 2696	2460	DEM7FF9.exe	35
PID 2696 wrote to memory of 1860	2696	DEMD50B.exe	37
PID 2696 wrote to memory of 1860	2696	DEMD50B.exe	37
PID 2696 wrote to memory of 1860	2696	DEMD50B.exe	37
PID 2696 wrote to memory of 1860	2696	DEMD50B.exe	37
PID 1860 wrote to memory of 652	1860	DEM2A1C.exe	39
PID 1860 wrote to memory of 652	1860	DEM2A1C.exe	39
PID 1860 wrote to memory of 652	1860	DEM2A1C.exe	39
PID 1860 wrote to memory of 652	1860	DEM2A1C.exe	39
PID 652 wrote to memory of 2488	652	DEM7F2E.exe	41
PID 652 wrote to memory of 2488	652	DEM7F2E.exe	41
PID 652 wrote to memory of 2488	652	DEM7F2E.exe	41
PID 652 wrote to memory of 2488	652	DEM7F2E.exe	41

C:\Users\Admin\AppData\Local\Temp\c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\DEM2AC8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2AC8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\DEM7FF9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7FF9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\DEMD50B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD50B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\DEM2A1C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2A1C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\DEM7F2E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7F2E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\DEMD450.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD450.exe"
        7⤵
        Executes dropped EXE
        
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2AC8.exe

Filesize
14KB

MD5
3e148326935c9403a27fe2103207ebbd

SHA1
e0dbeb6ed7a7adf8a08a8d1ad1407b9b211d5abf

SHA256
9ccb1b6f3a6895bd43a2e30b4dbe36cbd0e1a05ae0212c666463260f87ba9427

SHA512
fdd5f95ccf48db569fda80081f292e747bb0da88e2c71b57952b2dfeef7cb146a94d58ba9fe73935705d9de74f568225a0cea13d4c27e0e6d41e813a37cca6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F2E.exe

Filesize
14KB

MD5
5db526fad85bd2336f5d297c5ae7f2c8

SHA1
2eb970af251e13816c00306a208f126bb023eb81

SHA256
93964af5ddaee2fd5369629e6145e67118940eb04789e41d3e457f4828b352d1

SHA512
231fdf070527a7a66a3bed93e9b0c3e72b9a39a18d47c8e37bfd3530542a5e2f9ed1b810889a8bad2f8aa80b9f03ac9b47d5d9f9f7c745a5f9ca7d3b08472d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7FF9.exe

Filesize
14KB

MD5
eac1497901c5489b4749f487a1015d32

SHA1
3ea08d8a5fda285dc1613e86d07cbfa1e4102156

SHA256
e940981ad7c1900fc9e67a660087b3277a5426f628c4cbd7e4269252b30e9bee

SHA512
ccb2f47416611e2206905e74630dbbe065397badbeac11ec5075e79b986ad3080c97bbd2d8aec573789ed90a70e75cda8f8923d035840ba332fc6b7515a2ae89

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2A1C.exe

Filesize
14KB

MD5
630ae070a71ee2928a6ec3b497d8f023

SHA1
4b59c5a66b89b3c5c27e509c48190d5e39b6bc36

SHA256
8cffce74aff40354e32126623f225895ae8985d5fee89a67e08714e889fb74cd

SHA512
ccc7b90692f4eadade730c70c8c4d6e6d89c724e1ceea02ef980966450befd9526e346663b6caac5ac938dac2e076a8ed59d8b1e2026a0fd25f6e5747486ad9f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD450.exe

Filesize
14KB

MD5
984f348a783d26aba77635f38ede889c

SHA1
b966417dbbb0a67f5044ea6e6645f554a3d6e8e0

SHA256
d01cd2dcdfcd694c88ed9f279fe8ca491ae110edce872e6ec117660f99b13902

SHA512
99a274e730995c43cd8d4fc8876ac19afc865103454c8bb2a24b37fead595b0e50e7969f7a0c063929d93e0339104daf39bf434a2413e7596f36d244593b554e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD50B.exe

Filesize
14KB

MD5
46679d227b78e055c11199214750481f

SHA1
e6211a4623614752cb05b1e787f4767594097d8d

SHA256
49ae6e0f8ac8b4b959dac8a78eb0734bdf3778e138e2c21b1d27accd17b68c5d

SHA512
f20afff30e8bf419feb2c67b0a6650b404524ec7682c36d4c51c4a6b4865875e3b515c13dc71ff5a9139f19744a12acb17c47be44e709188b9fab81ca89ff562

Download Submit

Analysis

Sharing