9ffc3978c63c4f750a4b999d9f0ef69d4ce84194c47b7e2a4736cc1dc333f45d

General

Target

c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe
Size

16KB
MD5

c961b92bcd7d10f9e51d8729f98c6c23
SHA1

ee179558b02b5d3322f4119cf8161751d056b087
SHA256

9ffc3978c63c4f750a4b999d9f0ef69d4ce84194c47b7e2a4736cc1dc333f45d
SHA512

3752813d5ffcf014b63bc46b444c38d1d6f0bca05a75ef52d06f12ad4221ab5cdae842c7f01e2d02e2935801ded9e58a5039d1a258095826fe2edcaab306b083
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlOjZ:hDXWipuE+K3/SSHgxmlWZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2572	DEM196A.exe
2492	DEM6ECA.exe
1164	DEMC41A.exe
2800	DEM19F6.exe
952	DEM6F75.exe
1796	DEMC497.exe

Loads dropped DLL 6 IoCs

pid	Process
2964	c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe
2572	DEM196A.exe
2492	DEM6ECA.exe
1164	DEMC41A.exe
2800	DEM19F6.exe
952	DEM6F75.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2572	2964	c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2572	2964	c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2572	2964	c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2572	2964	c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe	29
PID 2572 wrote to memory of 2492	2572	DEM196A.exe	31
PID 2572 wrote to memory of 2492	2572	DEM196A.exe	31
PID 2572 wrote to memory of 2492	2572	DEM196A.exe	31
PID 2572 wrote to memory of 2492	2572	DEM196A.exe	31
PID 2492 wrote to memory of 1164	2492	DEM6ECA.exe	35
PID 2492 wrote to memory of 1164	2492	DEM6ECA.exe	35
PID 2492 wrote to memory of 1164	2492	DEM6ECA.exe	35
PID 2492 wrote to memory of 1164	2492	DEM6ECA.exe	35
PID 1164 wrote to memory of 2800	1164	DEMC41A.exe	37
PID 1164 wrote to memory of 2800	1164	DEMC41A.exe	37
PID 1164 wrote to memory of 2800	1164	DEMC41A.exe	37
PID 1164 wrote to memory of 2800	1164	DEMC41A.exe	37
PID 2800 wrote to memory of 952	2800	DEM19F6.exe	39
PID 2800 wrote to memory of 952	2800	DEM19F6.exe	39
PID 2800 wrote to memory of 952	2800	DEM19F6.exe	39
PID 2800 wrote to memory of 952	2800	DEM19F6.exe	39
PID 952 wrote to memory of 1796	952	DEM6F75.exe	41
PID 952 wrote to memory of 1796	952	DEM6F75.exe	41
PID 952 wrote to memory of 1796	952	DEM6F75.exe	41
PID 952 wrote to memory of 1796	952	DEM6F75.exe	41

C:\Users\Admin\AppData\Local\Temp\c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\DEM196A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM196A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\DEM6ECA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6ECA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\DEMC41A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC41A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\DEM19F6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM19F6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\DEM6F75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6F75.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\DEMC497.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC497.exe"
        7⤵
        Executes dropped EXE
        
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6ECA.exe

Filesize
16KB

MD5
156bd2b4866e0ae74019a8a5d66770c2

SHA1
f8b895c9d990a1aacced1a384d59a086714d7f71

SHA256
6315eced20cd842ce7ed3328bd1f15b90408248f9aae656fa7d46043ed4f5bb2

SHA512
37daf39058a2f09cd403013fe005728d97e643470685a4d367a5167846f4dc2f661ef46b07ab5e30cee30ba0223108fe38a594a63677bbae6a3077ee57ca6563

Download Submit
\Users\Admin\AppData\Local\Temp\DEM196A.exe

Filesize
16KB

MD5
f94138bc2e3982f8753a790ccc13f952

SHA1
a68d7ffd5c6b371142b5b8538dea4ee39b71ce7d

SHA256
48c1b69634a0209cede62e67f3887c5ec6e00916119d8e587e240d3107109633

SHA512
4a765c9886339b47ca9a17f3c3ed04b9fab46614ed12cbe04b2412a453ce5f29afc104d21dd341852f550812e11fcda02f3896f41122079b135424ccc8d463ed

Download Submit
\Users\Admin\AppData\Local\Temp\DEM19F6.exe

Filesize
16KB

MD5
ebc79dff244695f52f80d16eeab05e07

SHA1
a1b4d9eac1a3e9f17c1f851a32902240db1f4608

SHA256
e71fb9e01d8dbac7ceafc252c376419def91fd9fd2027c20fb12fb9c64d4e6de

SHA512
612bdbbc6cd736aca437b2a3c5be01e5d12c5cdf51b764564a9411904ce5d6e9277f65d5ffbec8e02dc6c55feb9a80832c81a4d71d606cb58e9d6f541a10dd52

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6F75.exe

Filesize
16KB

MD5
cda57caebdaed46578c53eee438a880b

SHA1
38b6ffbc32a77e4d2f6caee1444f250e4edfcb4e

SHA256
c74b8bf9adc9f4822a07abe10de419acc2e5821a989777f6871b773c7a5a545d

SHA512
3f813fc181c8a2a2d062d50d9788f7d281147926fe702cdf84c49d81580691a1b7e24869e52a1e7c2d2a85c01069085c5abee7fff2b49823ca704132977d2796

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC41A.exe

Filesize
16KB

MD5
78c6d913c7d56220e39593dc78931199

SHA1
c94810befe3aa05617e41eeec74220e23db486e8

SHA256
60bfa8f9ba88aa3e05543595901ad91c8a15f883e1c13df7e36198ae9df37c6c

SHA512
286781e6d625ffab9b6974c809a79d5a42c278867a89bcad96d083207a5ecd8cb7a43a470f2faef59a4b1f83324842edfef35d03e4b3d23c496986f4d331a660

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC497.exe

Filesize
16KB

MD5
2b02350f1cd1509374160b904104b1a7

SHA1
bbed2934fca09c43cd429ff39451d11cd6933cee

SHA256
0fc6979957b5e3dc727d0a8ebfa77de2c0a04cb50fc72c391159a7e7e48927f9

SHA512
d28c155b1f659fe0cfb01b1a63d164afda9f06e1a11cedde334ab7a0567c4b9d87de262a65463631ccb4ff1ada8ff027fb731eafc891f38a05fc5e894932c6cd

Download Submit

Analysis

Sharing