99d030b6d50c846039217caf7a5cfc111838956b6a44f502f9442632cad01e15

General

Target

d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
Size

16KB
MD5

d017f92ffeb850bd8f82357e37ce7441
SHA1

967046b69b8b61d78fa9d9b1b993d85640f87a56
SHA256

99d030b6d50c846039217caf7a5cfc111838956b6a44f502f9442632cad01e15
SHA512

83212e71fbb53b3999a3f9646005efb4eec62da9fafb4dd2c26ef9251e8732b7549944f27a01c772cdba7519c0dc9a3740ff60137ef37b960dcf703c639b2d1b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJGJGdQ:hDXWipuE+K3/SSHgxmwJGdQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2684	DEM56E6.exe
2976	DEMACE2.exe
992	DEM2FD.exe
2540	DEM58BB.exe
2712	DEMAE49.exe
1608	DEM426.exe

Loads dropped DLL 6 IoCs

pid	Process
2200	d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
2684	DEM56E6.exe
2976	DEMACE2.exe
992	DEM2FD.exe
2540	DEM58BB.exe
2712	DEMAE49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2684	2200	d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2684	2200	d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2684	2200	d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2684	2200	d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe	29
PID 2684 wrote to memory of 2976	2684	DEM56E6.exe	33
PID 2684 wrote to memory of 2976	2684	DEM56E6.exe	33
PID 2684 wrote to memory of 2976	2684	DEM56E6.exe	33
PID 2684 wrote to memory of 2976	2684	DEM56E6.exe	33
PID 2976 wrote to memory of 992	2976	DEMACE2.exe	35
PID 2976 wrote to memory of 992	2976	DEMACE2.exe	35
PID 2976 wrote to memory of 992	2976	DEMACE2.exe	35
PID 2976 wrote to memory of 992	2976	DEMACE2.exe	35
PID 992 wrote to memory of 2540	992	DEM2FD.exe	37
PID 992 wrote to memory of 2540	992	DEM2FD.exe	37
PID 992 wrote to memory of 2540	992	DEM2FD.exe	37
PID 992 wrote to memory of 2540	992	DEM2FD.exe	37
PID 2540 wrote to memory of 2712	2540	DEM58BB.exe	39
PID 2540 wrote to memory of 2712	2540	DEM58BB.exe	39
PID 2540 wrote to memory of 2712	2540	DEM58BB.exe	39
PID 2540 wrote to memory of 2712	2540	DEM58BB.exe	39
PID 2712 wrote to memory of 1608	2712	DEMAE49.exe	41
PID 2712 wrote to memory of 1608	2712	DEMAE49.exe	41
PID 2712 wrote to memory of 1608	2712	DEMAE49.exe	41
PID 2712 wrote to memory of 1608	2712	DEMAE49.exe	41

C:\Users\Admin\AppData\Local\Temp\d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\DEM56E6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM56E6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\DEMACE2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMACE2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\DEM2FD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2FD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Users\Admin\AppData\Local\Temp\DEM58BB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM58BB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\DEMAE49.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAE49.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\DEM426.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM426.exe"
        7⤵
        Executes dropped EXE
        
        PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM426.exe

Filesize
16KB

MD5
0e5eb2de006201f9f626b46488829a93

SHA1
b2e2e8f88982b434f0fff96eaa817bfeeef423e3

SHA256
6b0097656ab7307cb077895d263dd5615d02b5b535bb9a21ff12b3d31104ffe4

SHA512
91273d62efca6659a901fe8cb9eb238e62831f3ff31125e4d40b49e8b57a38dbbb469af8fcf6f09ee24dd79b481dc2e3545e51e476928441b518e07231df6053

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM58BB.exe

Filesize
16KB

MD5
25d163867f0e6cf59352870407812ed7

SHA1
75438fb873015674b2dedeeafe0a212cdb6de306

SHA256
3035990a8deb64d5917bdaac4b6e6e41a218c57472d2cfb7169559abcda73ed3

SHA512
998b5ab1c9245a18ab798aa059280b961b1093aca8949de6a6fbda3dbcb4891876997d3fecb57f26d638d9ac621bb07b18cda401ac5ed7a49e8977856ef78673

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMACE2.exe

Filesize
16KB

MD5
ec3857a7484c70ebdc5cfb6574fa92d6

SHA1
e8e8601f51c241bf7129d2b0024936fd729861f3

SHA256
540f8d193a782524caabeca62a8a2060fd23550663a55a3d8dba824f0ddd86b6

SHA512
1f67a755d14dffb50575c5a37258b1c13f9b189f1e0fe1b12a1bc4d69111032ebee1f9225523d1aaae36e88c91f362bbf69973a575af93e3de6c4795e05c07e3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2FD.exe

Filesize
16KB

MD5
57dbf6dd60e7d7c7b03f3d6609498bdb

SHA1
2775e8355b6b41be0aae629da0975440bab4a42d

SHA256
28f16254bd701ff60da0cc9386e878e8234dc107eea44cff4c627bf9bf247144

SHA512
fc679f2d04b0804085364aad0daf3fa42429a3946c9e62edec508bd3d671f60f6fb039c811d73a4ef7f11a14513d986539d297e258aba5edb1b12c68d1fee29a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM56E6.exe

Filesize
16KB

MD5
e5c9929487a9649b346a58a5fd33dfb8

SHA1
763afaa15910315f335cae39e8e11562d9b163f1

SHA256
e0a39c229490b3826c2da6f5805e1c20fd70c7511b5a661fa71efa01e47319d2

SHA512
0685c8df0961c7bf652b3c17863b27f2db67522424c0887ae2551642af0124efff2a94acb8391e43581769e11261ab3fd110a3ad51caa37755260878378e2932

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAE49.exe

Filesize
16KB

MD5
7e44342857d4f54830a2fc9a464fc43f

SHA1
9594231a87304da360921550e8f7aaef06e8985c

SHA256
f230a6cd7280a28cec9c88d946f2354ac3a3c384ab4b2daa7455e8ebf2749284

SHA512
5f8b93de3ba4966919134b9c58376d13aa1f793c32a7e6c9114e5114c556e10d39e0f971b554d645f8ce622ddf7f9c3cb603916fee794073715440d37bdeba48

Download Submit

Analysis

Sharing