c025f72c59127f9244c4fe6c716e614d05c9ae2f765162064e0f2d5b25a5f311

General

Target

d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
Size

14KB
MD5

d0cc8b51c66686d121141cea281f6867
SHA1

d131fe5aabe1a57b3e5acdbcfc9b823843157d78
SHA256

c025f72c59127f9244c4fe6c716e614d05c9ae2f765162064e0f2d5b25a5f311
SHA512

294807a3cd03ffae3dff8924cee5d6d724de524e273bff63c1e28a1420fcbb4322e990a185d44fdf4e657f6dd3d0319c687c90239f2dc3cca27d0cd1daaa5d1e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4YZUN:hDXWipuE+K3/SSHgxm4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1664	DEM564A.exe
2428	DEMAC56.exe
2496	DEM36A.exe
1948	DEM5957.exe
1012	DEMAED5.exe
2784	DEM500.exe

Loads dropped DLL 6 IoCs

pid	Process
2180	d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
1664	DEM564A.exe
2428	DEMAC56.exe
2496	DEM36A.exe
1948	DEM5957.exe
1012	DEMAED5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1664	2180	d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe	29
PID 2180 wrote to memory of 1664	2180	d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe	29
PID 2180 wrote to memory of 1664	2180	d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe	29
PID 2180 wrote to memory of 1664	2180	d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2428	1664	DEM564A.exe	33
PID 1664 wrote to memory of 2428	1664	DEM564A.exe	33
PID 1664 wrote to memory of 2428	1664	DEM564A.exe	33
PID 1664 wrote to memory of 2428	1664	DEM564A.exe	33
PID 2428 wrote to memory of 2496	2428	DEMAC56.exe	35
PID 2428 wrote to memory of 2496	2428	DEMAC56.exe	35
PID 2428 wrote to memory of 2496	2428	DEMAC56.exe	35
PID 2428 wrote to memory of 2496	2428	DEMAC56.exe	35
PID 2496 wrote to memory of 1948	2496	DEM36A.exe	37
PID 2496 wrote to memory of 1948	2496	DEM36A.exe	37
PID 2496 wrote to memory of 1948	2496	DEM36A.exe	37
PID 2496 wrote to memory of 1948	2496	DEM36A.exe	37
PID 1948 wrote to memory of 1012	1948	DEM5957.exe	39
PID 1948 wrote to memory of 1012	1948	DEM5957.exe	39
PID 1948 wrote to memory of 1012	1948	DEM5957.exe	39
PID 1948 wrote to memory of 1012	1948	DEM5957.exe	39
PID 1012 wrote to memory of 2784	1012	DEMAED5.exe	41
PID 1012 wrote to memory of 2784	1012	DEMAED5.exe	41
PID 1012 wrote to memory of 2784	1012	DEMAED5.exe	41
PID 1012 wrote to memory of 2784	1012	DEMAED5.exe	41

C:\Users\Admin\AppData\Local\Temp\d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\DEM564A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM564A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\DEMAC56.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAC56.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\DEM36A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM36A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\DEM5957.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5957.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\DEMAED5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAED5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\DEM500.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM500.exe"
        7⤵
        Executes dropped EXE
        
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM36A.exe

Filesize
15KB

MD5
ea0a688249a5c264531f9f2e38f90e46

SHA1
a65ed3cb92e48a4ac917588c4fd405a281619ce2

SHA256
4a548192d43982978a52ee2850ee40bc8247bbb6081c61fb2ca5297a32703450

SHA512
eda6be80a9640a466e300d79f569eb82763acd5d428ab96aa4bcf298b6f0d30e031387ae28afbefec6b72b1ef0ed47c99484e3e29d89b99e72d292c15edee404

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM500.exe

Filesize
15KB

MD5
0db69787f5bd8b2cf384ac16474e959a

SHA1
df78ed05ef9d3bf6bde86f6c066075465c69b128

SHA256
0f84a18052cf977eb67d7f5f101181784aedb87a64f78963c2127efbabac377d

SHA512
905ed9c5f2db45e77dcef15b75e02f9f7ffb5f377fbd12902bcb1c12e46b79c006d577aa0d686a25b90cacde4af6096464ab1c28e8c96ff309b810c1e44e0d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM564A.exe

Filesize
14KB

MD5
c302a13f76e10f164be15a008b43fb55

SHA1
bd2ed8817943165374f90d2fac4b397ce7eec023

SHA256
2d2d37bd822ad9eeba931716c4abff0a426a62bf39a156d4f2e859a69d365a17

SHA512
7ac7550b21d95fa857c9fcfd25e62a443f7d6aceb7afbba39b307e021aefb5bbaee67004fe3167fbf04450495d7900d99df08a35c20b6d2e9104e2112fec9e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAC56.exe

Filesize
15KB

MD5
d81c0a8f2c16b2a49ef182f79da06233

SHA1
da2545f889d2429d4279e49c43154ba317b442e7

SHA256
d1513bbb1107848fb64ebe9d4c8a1880961acc9e1da984e5c5f0966d72fc8758

SHA512
a5b0d99216029dc202f21423d238b0e961e004f3cbb24d99de04658bc3f5e2b9eb2989e7e9effc6d2f3b103ee58be10d830133e41d23012b296ad34b6c164a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAED5.exe

Filesize
15KB

MD5
79e839d9d19e392993ab98d3399bfc4a

SHA1
711199f45d97f893162c4bd8fb083fb06ef4272f

SHA256
d17edc9ee99b3fa7b6fe0bf82503ce745321e8c6e07d03a59fe5b4a21d7aa913

SHA512
bef9f8349d2cc519e69e256a3bde42d32e45e92ec8af91113d36a5b892c12bc0b1362e33e1ea3769e8057fdd0001b33b82e2182a2fff4654bea1598898bde8ca

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5957.exe

Filesize
15KB

MD5
42bb8ae18ad5e23f869cae61f0bacc28

SHA1
0befb8738bc002f63674300be82f7e59e18ac198

SHA256
ded980e3fd34f64c6b9827ea11247eb9b59c8f2104e7b07cd2df2219f8de6dfd

SHA512
06edeca4d4561a21120c2366ef105b4f736a2a429480dd88a7dcd16878bd3f663c8e2c9e4f0c18393e7a2ec8bd2984aa89a165cf16630403a68369be38a7202c

Download Submit

Analysis

Sharing