2c9d0c1c0573b0ef0eeef58b6f756f8e278005ab069ec69d0f7711166a66caec

General

Target

caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe
Size

20KB
MD5

caefd4838a129e8561b80141652c7ca5
SHA1

fd04d80f69c97ed0da031d4938466d2e189c9015
SHA256

2c9d0c1c0573b0ef0eeef58b6f756f8e278005ab069ec69d0f7711166a66caec
SHA512

c386c7ad531218b02d38963cba54c7c1a80f54778e2b69c021bfa963310b956fde62f621c633f51756d1dbc910edac5026586b72f3241ed22097912ad7095080
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PSL:hDXWipuE+K3/SSHgxmHZPSL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2612	DEM1999.exe
2868	DEM6ED9.exe
3064	DEMC40A.exe
2836	DEM1989.exe
1748	DEM6FB4.exe
1656	DEMC504.exe

Loads dropped DLL 6 IoCs

pid	Process
2912	caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe
2612	DEM1999.exe
2868	DEM6ED9.exe
3064	DEMC40A.exe
2836	DEM1989.exe
1748	DEM6FB4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2612	2912	caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2612	2912	caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2612	2912	caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2612	2912	caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe	29
PID 2612 wrote to memory of 2868	2612	DEM1999.exe	31
PID 2612 wrote to memory of 2868	2612	DEM1999.exe	31
PID 2612 wrote to memory of 2868	2612	DEM1999.exe	31
PID 2612 wrote to memory of 2868	2612	DEM1999.exe	31
PID 2868 wrote to memory of 3064	2868	DEM6ED9.exe	35
PID 2868 wrote to memory of 3064	2868	DEM6ED9.exe	35
PID 2868 wrote to memory of 3064	2868	DEM6ED9.exe	35
PID 2868 wrote to memory of 3064	2868	DEM6ED9.exe	35
PID 3064 wrote to memory of 2836	3064	DEMC40A.exe	37
PID 3064 wrote to memory of 2836	3064	DEMC40A.exe	37
PID 3064 wrote to memory of 2836	3064	DEMC40A.exe	37
PID 3064 wrote to memory of 2836	3064	DEMC40A.exe	37
PID 2836 wrote to memory of 1748	2836	DEM1989.exe	39
PID 2836 wrote to memory of 1748	2836	DEM1989.exe	39
PID 2836 wrote to memory of 1748	2836	DEM1989.exe	39
PID 2836 wrote to memory of 1748	2836	DEM1989.exe	39
PID 1748 wrote to memory of 1656	1748	DEM6FB4.exe	41
PID 1748 wrote to memory of 1656	1748	DEM6FB4.exe	41
PID 1748 wrote to memory of 1656	1748	DEM6FB4.exe	41
PID 1748 wrote to memory of 1656	1748	DEM6FB4.exe	41

C:\Users\Admin\AppData\Local\Temp\caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\DEM1999.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1999.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\DEM6ED9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6ED9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\DEMC40A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC40A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\DEM1989.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1989.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\DEM6FB4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6FB4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\DEMC504.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC504.exe"
        7⤵
        Executes dropped EXE
        
        PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6ED9.exe

Filesize
20KB

MD5
1a61cf2309234b6e02f66497ab7227c3

SHA1
987c9bbb1329ddc5b600f3386891d85bb9458a83

SHA256
10746491db60f63edb8b0a45e9f3e2320a86d3afcfc74b386fe33709f453a943

SHA512
80a10f5989f8d2f05d50a1b83277a09547857365b28f15ca80cacc032a246942e814b3c09b37f92ce6f5a7324c0bfe00163d172d9bb64a4fb1f7b0dcbc6a4487

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1989.exe

Filesize
20KB

MD5
acd5c3a15f06335b8eeea43358d53226

SHA1
45b2ab637ef72211dc5275dc5acc0655a5037ced

SHA256
50de2158f5bd0785eaf2e051dfc96ff61246869d19596e8fff47e68452d42e97

SHA512
b017c9347fb4693451172b74f1399877e0a0e0eebace132bce8e53293898fa716b01a92a4717bf70f5e498440e89fd6d4860597140844d1e38fee48005311e54

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1999.exe

Filesize
20KB

MD5
9c7aa85e1d4ba6e859cecc13d8182f6f

SHA1
17e36db95ee92ef1e5ae4891593f93fed8c9cb6b

SHA256
20400034d9bb456e14d8dd2fe69f791e81bb3deeb5bb2e3d24dba94e2490be39

SHA512
243976273df8580e6e04d7720e7a40b331be0379126cdffa40327a4c1c2c25afbd51f4e211237e7ebe15f294f1c6312cf3b33726c75501723161f0c1443eb5c5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6FB4.exe

Filesize
20KB

MD5
0fd6295f534c9684ff1e95f1966bd8fe

SHA1
32e822b368d516d74d0f7e43c6513e225a8d7714

SHA256
74111cce8af005693478768b683a63671aacee5dac42647c68aec9869f2fcb96

SHA512
e9f67b66a456ecf722a866a5769738e4a544eec2aa87d901389dd573c68a950ad2221a7b8eed74f749003ec931baddbc184d73e985aa038b795e59eaca86c053

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC40A.exe

Filesize
20KB

MD5
eb70d9f57b497b0f4a60a98bc8ed08fa

SHA1
8bd9bb943a0ebe932248c1cc8d5f54a30a92c9c2

SHA256
69c68f57bc7bf470ffa5ff7d8b10361ccf535fd8cbd9ec74364122cb9f12b147

SHA512
7051b0c2b6cf4291d803aa680ccd4237c7ee0d9a886be3b30cb4e41388fe85b3d353688990f86b0188d871da89dc751a2d630825d0b0a183af26fa0c61527379

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC504.exe

Filesize
20KB

MD5
bdcb03d89cefc73888fd3cb095a06e57

SHA1
bfbcbada769ced0990728c0df4d2f194fb022e08

SHA256
a91fb5565e3e56246fa5091893277a230c8d59448116c8b34b5274b50c11e5f4

SHA512
b5c45c7d989de3b68e28206335ee8b2d22f85c384f6bb1ab03a8f4cb7c9509bd21aeb50212be58caa51d5edf6c75102e00d4f022908a297f89b758a36303ee11

Download Submit

Analysis

Sharing