c3e31f5882bbcb632d18ec1f59d7f04858e3178bdb4885fbf79e2d8c1deb2743

General

Target

cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe
Size

20KB
MD5

cf72aac49d80d49c2007b5b0c25b1c63
SHA1

043302305055bea72fec2b327140ce4656ebc508
SHA256

c3e31f5882bbcb632d18ec1f59d7f04858e3178bdb4885fbf79e2d8c1deb2743
SHA512

da75b154854d1eabbb1c85e557b767895fb1ed5c2a9b05c84517284787ab5593c1e288b162ad787f430bb1cd4e52d20cc82dfaf136f700b0ae6a48c46b95880b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PST:hDXWipuE+K3/SSHgxmHZPST

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2224	DEMB28.exe
2940	DEM6087.exe
2656	DEMB654.exe
1960	DEMC31.exe
1504	DEM6181.exe
2064	DEMB6D1.exe

Loads dropped DLL 6 IoCs

pid	Process
1640	cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe
2224	DEMB28.exe
2940	DEM6087.exe
2656	DEMB654.exe
1960	DEMC31.exe
1504	DEM6181.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2224	1640	cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe	29
PID 1640 wrote to memory of 2224	1640	cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe	29
PID 1640 wrote to memory of 2224	1640	cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe	29
PID 1640 wrote to memory of 2224	1640	cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2940	2224	DEMB28.exe	31
PID 2224 wrote to memory of 2940	2224	DEMB28.exe	31
PID 2224 wrote to memory of 2940	2224	DEMB28.exe	31
PID 2224 wrote to memory of 2940	2224	DEMB28.exe	31
PID 2940 wrote to memory of 2656	2940	DEM6087.exe	35
PID 2940 wrote to memory of 2656	2940	DEM6087.exe	35
PID 2940 wrote to memory of 2656	2940	DEM6087.exe	35
PID 2940 wrote to memory of 2656	2940	DEM6087.exe	35
PID 2656 wrote to memory of 1960	2656	DEMB654.exe	37
PID 2656 wrote to memory of 1960	2656	DEMB654.exe	37
PID 2656 wrote to memory of 1960	2656	DEMB654.exe	37
PID 2656 wrote to memory of 1960	2656	DEMB654.exe	37
PID 1960 wrote to memory of 1504	1960	DEMC31.exe	39
PID 1960 wrote to memory of 1504	1960	DEMC31.exe	39
PID 1960 wrote to memory of 1504	1960	DEMC31.exe	39
PID 1960 wrote to memory of 1504	1960	DEMC31.exe	39
PID 1504 wrote to memory of 2064	1504	DEM6181.exe	41
PID 1504 wrote to memory of 2064	1504	DEM6181.exe	41
PID 1504 wrote to memory of 2064	1504	DEM6181.exe	41
PID 1504 wrote to memory of 2064	1504	DEM6181.exe	41

C:\Users\Admin\AppData\Local\Temp\cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\DEMB28.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB28.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\DEM6087.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6087.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\DEMB654.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB654.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\DEMC31.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC31.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\DEM6181.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6181.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\DEMB6D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB6D1.exe"
        7⤵
        Executes dropped EXE
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6087.exe

Filesize
20KB

MD5
92e01bdb7c67aa1de61e020705f405e9

SHA1
47d1411072da82daaf42e8d6f5c814cb4d143b7b

SHA256
696a4e5d533861aa723099a5059f63a35cd10db70c07eac629c70f69e2b835ed

SHA512
01e35d0720919e635eb44709b03c5003606490e1ad6c5a73f9226ab9768e8d7fc0bd14d743663e534e15e665eea6876d753eab1cbc72d06ca395bab3f9ab6044

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6181.exe

Filesize
20KB

MD5
b740890d04f793f014b14107b5a15f4f

SHA1
714b1ecf18bcf5d6221975cb7f5383b98cf76952

SHA256
a3d1c929c6269a1a6b1bb3badd7f1f0b4a4f6aa30729047282c08dd973763422

SHA512
4dd66cc250b48f9f7c28febdd62a8352691be6fe95c7943fa856573ab03be4ba9ab2fa0dccd00fcc68a23b0be3a8209a06670b5a9fd96c46ac868aef99ac5b18

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB28.exe

Filesize
20KB

MD5
a243f7e9d0f3f368e2ec03416eb5f63b

SHA1
3ba615dd65b752c02c0e9ac218ccbc34883923b3

SHA256
55248adf861b54f3d230fc7586cb0d4d42efa21d7e3f14df9ca8a7892cad4c67

SHA512
624eafa259fc02b90014409fec3b315c56933740d92dc65127efa15cbfe3af38a2dfee6d192f6a2329b991a95a42a78b8758a2448f5e3dcb3ca6d552701b4f41

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB654.exe

Filesize
20KB

MD5
13be385177f4f1682551eb2c7d041e48

SHA1
fbebb004d1be8da4bc6fecf8c3ee6af76fffbf5e

SHA256
0491afd3ddab3b6b6532f515098aeeda4807fd32a10324b081eb79543b94cdb4

SHA512
2a983f2ac210ebc2b48a0ea9d8e5c843c1958931a66e1ad5c24da9c1ab7c30589e8fad1f0763348d69b9348d48f0a270ca34e80cf04ed3fc1f647bd063a23fe6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB6D1.exe

Filesize
20KB

MD5
9a8593f625ad33039613ba0e7df60438

SHA1
63f770393fc65f30b1923448fc7c7b9fd934d094

SHA256
e5a3aeb68226c91b7980e995c9592957a39d1b142494114658ea4e2274749762

SHA512
c7e5b1c3aaa0922fd1efd769b75ec89d78fb5858135884acb91109ae939a76c4b7287cea4e02e4e222c9cf43599bd219ca173d1c203dc728083c4de5faebbe0f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC31.exe

Filesize
20KB

MD5
4f5ad5cfbb6f7f81cdec2300820b7805

SHA1
f34ed633e8551a11a7678c56c2b0ab635e33e2a9

SHA256
1822b94e2167381c71d70590ebfbf570090630bec07b1625f07345add2c2d7f7

SHA512
5c8ae778e1c7f65216697f8d419d6a6e25d9f9e13d5612f111925ed10d69416fe5a8e5705b9bdd2b5d6f199e34b15058d9cc3803597591f7eda4eb5b4f85f43f

Download Submit

Analysis

Sharing