2d439e492632b3094d3753f5d26e0e93b92ca657672e5899e909ff5c74847c65

General

Target

cfa0bb964e8d848ba671621707757802_JaffaCakes118.exe
Size

20KB
MD5

cfa0bb964e8d848ba671621707757802
SHA1

261f0de7719926f83aacf9db81fd4824f5495753
SHA256

2d439e492632b3094d3753f5d26e0e93b92ca657672e5899e909ff5c74847c65
SHA512

228bf83ddee9065a160f5f8aaadbdd2ab1dbb5a89b6b81a1c29dc18acce8164a58d34f4d894de3fb1ce27fdb1a0c6284653649cdebbaf386e52ddd286b769199
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxX:hDXWipuE+K3/SSHgxmHB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2664	DEM4808.exe
3000	DEM9F3C.exe
2848	DEMF586.exe
1208	DEM4BCF.exe
900	DEMA209.exe
2400	DEMF863.exe

Loads dropped DLL 6 IoCs

pid	Process
2972	cfa0bb964e8d848ba671621707757802_JaffaCakes118.exe
2664	DEM4808.exe
3000	DEM9F3C.exe
2848	DEMF586.exe
1208	DEM4BCF.exe
900	DEMA209.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2664	2972	cfa0bb964e8d848ba671621707757802_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2664	2972	cfa0bb964e8d848ba671621707757802_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2664	2972	cfa0bb964e8d848ba671621707757802_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2664	2972	cfa0bb964e8d848ba671621707757802_JaffaCakes118.exe	29
PID 2664 wrote to memory of 3000	2664	DEM4808.exe	33
PID 2664 wrote to memory of 3000	2664	DEM4808.exe	33
PID 2664 wrote to memory of 3000	2664	DEM4808.exe	33
PID 2664 wrote to memory of 3000	2664	DEM4808.exe	33
PID 3000 wrote to memory of 2848	3000	DEM9F3C.exe	35
PID 3000 wrote to memory of 2848	3000	DEM9F3C.exe	35
PID 3000 wrote to memory of 2848	3000	DEM9F3C.exe	35
PID 3000 wrote to memory of 2848	3000	DEM9F3C.exe	35
PID 2848 wrote to memory of 1208	2848	DEMF586.exe	37
PID 2848 wrote to memory of 1208	2848	DEMF586.exe	37
PID 2848 wrote to memory of 1208	2848	DEMF586.exe	37
PID 2848 wrote to memory of 1208	2848	DEMF586.exe	37
PID 1208 wrote to memory of 900	1208	DEM4BCF.exe	39
PID 1208 wrote to memory of 900	1208	DEM4BCF.exe	39
PID 1208 wrote to memory of 900	1208	DEM4BCF.exe	39
PID 1208 wrote to memory of 900	1208	DEM4BCF.exe	39
PID 900 wrote to memory of 2400	900	DEMA209.exe	41
PID 900 wrote to memory of 2400	900	DEMA209.exe	41
PID 900 wrote to memory of 2400	900	DEMA209.exe	41
PID 900 wrote to memory of 2400	900	DEMA209.exe	41

C:\Users\Admin\AppData\Local\Temp\cfa0bb964e8d848ba671621707757802_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfa0bb964e8d848ba671621707757802_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\DEM4808.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4808.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\DEM9F3C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9F3C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\DEMF586.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF586.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\DEM4BCF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4BCF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\DEMA209.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA209.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\DEMF863.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF863.exe"
        7⤵
        Executes dropped EXE
        
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4808.exe

Filesize
20KB

MD5
92a931eefee75ce6114f4d8176081641

SHA1
b68f172c22d873d6cdd299a95caa3d69fee71e1f

SHA256
f7c127498a4ab6c9ded39eedd088c0e6aefd9a859c0999727e1e040b17b6ce76

SHA512
80d6be18d5dd3f003f3161ec2896bb23e9b2a61e49f91e84816942ce2c2e0ec26a4a63bf6399bcfc2836da7425b21b291b2d7a59a1a3d9643d7a145c691edc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F3C.exe

Filesize
20KB

MD5
aa53d3d999651ce324bc4286eb3bf495

SHA1
ac3c641614ae3bc4f691610d257d32279f2759f5

SHA256
e3b319342bc76fc84212aade2a2bbb925f4cea528f964ce3a1886d32f0db3938

SHA512
11f57446a6a0dc426b182c5472ec3bc331aaeeeb0fdc4a97334eec2da4feeb43a891ae64b326278bc5ab95930624b0ce9c364e9d1db875efc03ed1d63c3ca0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF863.exe

Filesize
20KB

MD5
5a2a0ac9da5384439085f9f0392f6366

SHA1
dee8f6ef1f84bd553494e9616f21cb6b29aabdcd

SHA256
1531779449c95dd1d69df8a3156811dc827ed809fc0dead8d5121d257c7c6b19

SHA512
9ee1418c16d5ebd8772f2d70e9c0baa2d9f5b52c2744615b5a43dc81b22b63ef81f0c554dfa0c618e8bfc6c1c2d7052ed64ec500a69f3b3fcdc6a70e5e85c856

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4BCF.exe

Filesize
20KB

MD5
1d2b62debf79f05500df1b75863e1bd5

SHA1
747d118eee1c38dc9da5dbba900b1d7f194bd3c4

SHA256
223fad5073bce66299b7be26c67865cf4b9b144866af9787dc7f57b644ff9e2d

SHA512
adf1039a49b030f2588475ccd6abdfa11abb117ddbdf4cf08dcdec776dd24d5dd8ede6ddea9e7b50f6b17b91dd916d1aac179aedabd3c697baf18c40d677d85e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA209.exe

Filesize
20KB

MD5
515a375d31291999a33a53135750912c

SHA1
576a18a95515c7927e74bd0b0315e3eaa3473544

SHA256
e51c14aebab84c8f8c3d55c738feecba215e403ecbf49abe05a89af18253f4c0

SHA512
aacca0e1003a8dcb2d792f03f70c485fa6dad995e59526e8e23b4fdc6bcc2c3e51a76289bcd3cf5caf3db76367fdd70a6111fa0575272dcc94dd309fc7048b60

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF586.exe

Filesize
20KB

MD5
c035c7110220b53a4f4788001c6a0aaa

SHA1
299fd5fca26764834136cefb0b453d81d35e6d42

SHA256
019d343eeae16c7223705a8781e176811c604566c52455e11998d9da3f62662f

SHA512
8c2c331d574053c5f2e351814dec025d971e6d84d2f6550e30f8ea7e297e7a24d346b17a5034522d253bbee55627de70fe8ede186d7c803decc0abcb637b52fd

Download Submit

Analysis

Sharing