1ea94b1abd5c7d05b282a4011933b1f4e307c4f6c6c6591771e1682cb7cd9a4f

General

Target

c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe
Size

20KB
MD5

c9fb2233e4b7457127be9e20c8348a4f
SHA1

30179db78366170683dca9d0973ef44cad40799e
SHA256

1ea94b1abd5c7d05b282a4011933b1f4e307c4f6c6c6591771e1682cb7cd9a4f
SHA512

19012338290e87a036ec754ac24b014449bcc7aa2e7d85177b7fde5ad8bafca939feefe7615ad3997bdf43d0519ce5a80d2d9992c78daea081a8313b21c191ec
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4P8UzsRW:hDXWipuE+K3/SSHgxmHZP+w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2616	DEM690F.exe
2888	DEMC014.exe
1004	DEM165E.exe
1636	DEM6CE6.exe
1820	DEMC301.exe
1316	DEM19A8.exe

Loads dropped DLL 6 IoCs

pid	Process
1540	c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe
2616	DEM690F.exe
2888	DEMC014.exe
1004	DEM165E.exe
1636	DEM6CE6.exe
1820	DEMC301.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2616	1540	c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2888	2616	DEM690F.exe	33
PID 2616 wrote to memory of 2888	2616	DEM690F.exe	33
PID 2616 wrote to memory of 2888	2616	DEM690F.exe	33
PID 2616 wrote to memory of 2888	2616	DEM690F.exe	33
PID 2888 wrote to memory of 1004	2888	DEMC014.exe	35
PID 2888 wrote to memory of 1004	2888	DEMC014.exe	35
PID 2888 wrote to memory of 1004	2888	DEMC014.exe	35
PID 2888 wrote to memory of 1004	2888	DEMC014.exe	35
PID 1004 wrote to memory of 1636	1004	DEM165E.exe	37
PID 1004 wrote to memory of 1636	1004	DEM165E.exe	37
PID 1004 wrote to memory of 1636	1004	DEM165E.exe	37
PID 1004 wrote to memory of 1636	1004	DEM165E.exe	37
PID 1636 wrote to memory of 1820	1636	DEM6CE6.exe	39
PID 1636 wrote to memory of 1820	1636	DEM6CE6.exe	39
PID 1636 wrote to memory of 1820	1636	DEM6CE6.exe	39
PID 1636 wrote to memory of 1820	1636	DEM6CE6.exe	39
PID 1820 wrote to memory of 1316	1820	DEMC301.exe	41
PID 1820 wrote to memory of 1316	1820	DEMC301.exe	41
PID 1820 wrote to memory of 1316	1820	DEMC301.exe	41
PID 1820 wrote to memory of 1316	1820	DEMC301.exe	41

C:\Users\Admin\AppData\Local\Temp\c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\DEM690F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM690F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\DEMC014.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC014.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\DEM165E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM165E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Users\Admin\AppData\Local\Temp\DEM6CE6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6CE6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\DEMC301.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC301.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\DEM19A8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM19A8.exe"
        7⤵
        Executes dropped EXE
        
        PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM19A8.exe

Filesize
20KB

MD5
1842465e06d392d3dbcad3e3ab052e01

SHA1
3d2e2fba31104eec0b94b8d1decba09b8eca0b9f

SHA256
a2a4cedcfc3c62ea899494e342a8a1ef8ddfa8056188b5146fb1e3d8d3ac63e5

SHA512
60c7d821c2bed971fe0b1f94125ac61dd8fefc0cda1a84b8d8242f2a856508d2a492cbf54393b7d11ef42dc1e304f3d1b577b450342952b7857574dbad6d09b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC014.exe

Filesize
20KB

MD5
08415529640bb09d7acf8fc5354a2670

SHA1
b6e9fa1eea4c90a9cbeee7680fbfc9fe5551993b

SHA256
57bb5b601b8c78d340558064645e5adf284ebe1bbce85b6610817f37ab133007

SHA512
b08ed284a65fe75166800b71916ee3c62d2bc7bb4760162ea30cd448736acc8e6bad9639f49e5ff63cff9b4c87c1f4ce639131147edeb0784494727721f7822b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC301.exe

Filesize
20KB

MD5
0a459ebbdd32fd1a56e95d1ddc74a225

SHA1
7897e048f29323b2c1ac78f3b872624d817e0f98

SHA256
171601db4c67cf7453fac100764acc79ca419eb4d35169ff7ad2b709c505022b

SHA512
dcdad46a7f0e6e3c116d48ce9473028266886c1ca747275f62e360df7c2a140b5f858f1156848220a9687256580c21b1a0fdf4018430f9a2a780119c8554ff2c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM165E.exe

Filesize
20KB

MD5
09a3acb120562f1187148c7c451ac548

SHA1
dedc7721fa20f510640937cbaddfde3d4f1ec8d9

SHA256
ba391ab07fc6d4eeeb9dc928671000259b78b9cb60296ebfd414481c0d8ba4f4

SHA512
c7ad23401adb71d569a35d339cd187754891fec39ba0b1600ad2de46dd25f64e3e47cbb5f715e17a961d25a14c25075f50c4fa94d22a01ca61d506a8beb767e5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM690F.exe

Filesize
20KB

MD5
5ae8e08ca89c6a8cfdcb36f280ee47ec

SHA1
83941051e61b71076f24277ebc895a11a1c0f586

SHA256
ace204dd53ab5d4f0f7da2896bc1f7c4b84393d3437632cb17cf160a551f400c

SHA512
a2074650de7aa55902d1789951261b3530b4beb39d803a975b85ae661e09ef2bd1bc598a0f07e649ca8efd57458fa3d65a708ee39c2f5e27a81fe5c6388bc352

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6CE6.exe

Filesize
20KB

MD5
45b070db434f439fa10efb1298ad0de2

SHA1
a5856900f09d43715e1b7cc36a001320a8bacaf4

SHA256
12ed9b9900b86ccb2b38f95cbc4062a6f876b6cd70924fa38fe19d5b73677e82

SHA512
3b499d9c5168f69ef2bb52e03b056d97788549dbb7e651a3e86a489848eda30a2a95c84a4d7353407e37c999313db8ffb183e5e6414e8944a0f3fac02bbc0c0f

Download Submit

Analysis

Sharing