569809624b5b29543a9ddb864a7a1effd0e47b95b4c7976bf2fe16dda49023c2

General

Target

ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe
Size

15KB
MD5

ca1ebdcc3803d46b77ec92363220b789
SHA1

29d05fd0da57ad7cfde6ffb0933ae41c7f32294c
SHA256

569809624b5b29543a9ddb864a7a1effd0e47b95b4c7976bf2fe16dda49023c2
SHA512

21deaaa6a96266f60418df80b82f7168dae6a044e73b77e47bf48e8e83c20af5faa2a5091e6b8b7df4bb29cb5bdd51620338d8b6e97a7d5c4f693f53793ddceb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0mB:hDXWipuE+K3/SSHgxm0o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2260	DEM10.exe
2564	DEM55BE.exe
1740	DEMABF8.exe
2508	DEM148.exe
2956	DEM566A.exe
2244	DEMAC27.exe

Loads dropped DLL 6 IoCs

pid	Process
936	ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe
2260	DEM10.exe
2564	DEM55BE.exe
1740	DEMABF8.exe
2508	DEM148.exe
2956	DEM566A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2260	936	ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe	29
PID 936 wrote to memory of 2260	936	ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe	29
PID 936 wrote to memory of 2260	936	ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe	29
PID 936 wrote to memory of 2260	936	ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2564	2260	DEM10.exe	31
PID 2260 wrote to memory of 2564	2260	DEM10.exe	31
PID 2260 wrote to memory of 2564	2260	DEM10.exe	31
PID 2260 wrote to memory of 2564	2260	DEM10.exe	31
PID 2564 wrote to memory of 1740	2564	DEM55BE.exe	35
PID 2564 wrote to memory of 1740	2564	DEM55BE.exe	35
PID 2564 wrote to memory of 1740	2564	DEM55BE.exe	35
PID 2564 wrote to memory of 1740	2564	DEM55BE.exe	35
PID 1740 wrote to memory of 2508	1740	DEMABF8.exe	37
PID 1740 wrote to memory of 2508	1740	DEMABF8.exe	37
PID 1740 wrote to memory of 2508	1740	DEMABF8.exe	37
PID 1740 wrote to memory of 2508	1740	DEMABF8.exe	37
PID 2508 wrote to memory of 2956	2508	DEM148.exe	39
PID 2508 wrote to memory of 2956	2508	DEM148.exe	39
PID 2508 wrote to memory of 2956	2508	DEM148.exe	39
PID 2508 wrote to memory of 2956	2508	DEM148.exe	39
PID 2956 wrote to memory of 2244	2956	DEM566A.exe	41
PID 2956 wrote to memory of 2244	2956	DEM566A.exe	41
PID 2956 wrote to memory of 2244	2956	DEM566A.exe	41
PID 2956 wrote to memory of 2244	2956	DEM566A.exe	41

C:\Users\Admin\AppData\Local\Temp\ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\DEM10.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM10.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\DEM55BE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM55BE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\DEMABF8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMABF8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\DEM148.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM148.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Users\Admin\AppData\Local\Temp\DEM566A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM566A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\DEMAC27.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAC27.exe"
        7⤵
        Executes dropped EXE
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM10.exe

Filesize
15KB

MD5
4221abf71a2f1bdc4a43ba61cc2b81c0

SHA1
ed3544e52bbaf1eceb2a50eb7a2ba769c5329ea3

SHA256
c56156ce68e5696a7c935911a9978f909320453c6020679446774894d959d753

SHA512
83d8d6b41a5209584e247f07ac0da9b9b6c783938ff71e4cccfd30a0ad3690d0b0f3fbc783b4f1119d7a520b7d6d9ee93a94c683bea9fa36253282442065f7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM55BE.exe

Filesize
15KB

MD5
ca4724865394752303440c3a754225f1

SHA1
8661773c0ccfb62e23df371481281d86acea4e1b

SHA256
1f9f4d0d5c6e50e06f8b8f5cbbe6178910cbd96e46403773a9f742e9bf448a34

SHA512
fb62d5f66dd1582df85bdcf63bc0faac237f527aac905dd2bf8191723c387ad0e3e79192ce5927ed87e478247d7d2742a72ad9d73ec00df47d53ad94bbad76a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM566A.exe

Filesize
15KB

MD5
50d8410e9d2eea93666c6e12b8f4797b

SHA1
a48003529ba17276728034ed0e30eef7c181fb7f

SHA256
69c80bfde1e0a7637075a841e853ad238cf74f99281c6cd78792f40e1965ac82

SHA512
5dbcd0a92eeb85caa65dcf154ce0f3052045df2d9e01edef2389b625a1ce71345ce77b8809b88ba7e202be4fb52a92b098dd86b7c7d3cb70ea5ec28edae0a4fb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM148.exe

Filesize
15KB

MD5
cd01f9ef08a6b3ba55ea101bdfcd950c

SHA1
c0f678c959555586a42ae7c746ff573ad7410451

SHA256
00f89f22b18d187408f95a4b5b2524c4b77e017c6e6b2793955b62b68f610ffe

SHA512
008025a3371488c38cde0f2a7d42d8ddf0a1a366926eaa9d43244cf700b1a4e3a0af5688a4c624e8ffc920aa3771966f5484c4d9f6fdd930ea3a8def92647db1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMABF8.exe

Filesize
15KB

MD5
b83667fcf3b7177df562231318018406

SHA1
74cb23e333e4444525cd7eaf81e1d5f25cc07cb3

SHA256
923d419e03887f6ae094f03df380e22e78a9f38f94f76dd2fbe36a552ea3a96f

SHA512
de21b8b9419fdc10eaa61d97e25a1520f9bc674a3c308cfa071a61be0779ca3fcbca2220c9501d0f6a7c006cca116893337c8861f109518d2f64d9b54f471edb

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAC27.exe

Filesize
15KB

MD5
48d29ac375be847a127a4d987fd1c167

SHA1
7bcb63a6b44c4fb0604b367ddb1533a24341e336

SHA256
04833321d697281c8f43871a3097af9f569c4fa7a4d6122d32b98a2822d28074

SHA512
e84de40ae26f5b754580c57752bc4ba5a2fbbf42f4140931725594a415b9b5802e3190ece5a28edfc52248a5c0afdc5db5d8bf93588fb59a8db97b6c7d255fdf

Download Submit

Analysis

Sharing