Analysis
- max time kernel: 132s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05/04/2024, 09:37
Static task: static1
Behavioral task: behavioral1
  Sample: d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
  Resource: win10v2004-20240319-en
General
- Target: d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
- Size: 16KB
- MD5: d017f92ffeb850bd8f82357e37ce7441
- SHA1: 967046b69b8b61d78fa9d9b1b993d85640f87a56
- SHA256: 99d030b6d50c846039217caf7a5cfc111838956b6a44f502f9442632cad01e15
- SHA512: 83212e71fbb53b3999a3f9646005efb4eec62da9fafb4dd2c26ef9251e8732b7549944f27a01c772cdba7519c0dc9a3740ff60137ef37b960dcf703c639b2d1b
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJGJGdQ:hDXWipuE+K3/SSHgxmwJGdQ
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  2684  DEM56E6.exe
  2976  DEMACE2.exe
  992   DEM2FD.exe
  2540  DEM58BB.exe
  2712  DEMAE49.exe
  1608  DEM426.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2200  d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
  2684  DEM56E6.exe
  2976  DEMACE2.exe
  992   DEM2FD.exe
  2540  DEM58BB.exe
  2712  DEMAE49.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                         pid   Process                                             procid_target
  PID 2200 wrote to memory of 2684    2200  d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe  29
  PID 2200 wrote to memory of 2684    2200  d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe  29
  PID 2200 wrote to memory of 2684    2200  d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe  29
  PID 2200 wrote to memory of 2684    2200  d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe  29
  PID 2684 wrote to memory of 2976    2684  DEM56E6.exe                                         33
  PID 2684 wrote to memory of 2976    2684  DEM56E6.exe                                         33
  PID 2684 wrote to memory of 2976    2684  DEM56E6.exe                                         33
  PID 2684 wrote to memory of 2976    2684  DEM56E6.exe                                         33
  PID 2976 wrote to memory of 992     2976  DEMACE2.exe                                         35
  PID 2976 wrote to memory of 992     2976  DEMACE2.exe                                         35
  PID 2976 wrote to memory of 992     2976  DEMACE2.exe                                         35
  PID 2976 wrote to memory of 992     2976  DEMACE2.exe                                         35
  PID 992 wrote to memory of 2540     992   DEM2FD.exe                                          37
  PID 992 wrote to memory of 2540     992   DEM2FD.exe                                          37
  PID 992 wrote to memory of 2540     992   DEM2FD.exe                                          37
  PID 992 wrote to memory of 2540     992   DEM2FD.exe                                          37
  PID 2540 wrote to memory of 2712    2540  DEM58BB.exe                                         39
  PID 2540 wrote to memory of 2712    2540  DEM58BB.exe                                         39
  PID 2540 wrote to memory of 2712    2540  DEM58BB.exe                                         39
  PID 2540 wrote to memory of 2712    2540  DEM58BB.exe                                         39
  PID 2712 wrote to memory of 1608    2712  DEMAE49.exe                                         41
  PID 2712 wrote to memory of 1608    2712  DEMAE49.exe                                         41
  PID 2712 wrote to memory of 1608    2712  DEMAE49.exe                                         41
  PID 2712 wrote to memory of 1608    2712  DEMAE49.exe                                         41
Processes
1. C:\Users\Admin\AppData\Local\Temp\d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe"
   PID: 2200
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEM56E6.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM56E6.exe"
     PID: 2684
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEMACE2.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMACE2.exe"
       PID: 2976
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEM2FD.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2FD.exe"
         PID: 992
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEM58BB.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM58BB.exe"
           PID: 2540
           - Executes dropped EXE
           - Loads dropped DLL
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEMAE49.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMAE49.exe"
             PID: 2712
             - Executes dropped EXE
             - Loads dropped DLL
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEM426.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM426.exe"
               PID: 1608
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: 0e5eb2de006201f9f626b46488829a93
  SHA1: b2e2e8f88982b434f0fff96eaa817bfeeef423e3
  SHA256: 6b0097656ab7307cb077895d263dd5615d02b5b535bb9a21ff12b3d31104ffe4
  SHA512: 91273d62efca6659a901fe8cb9eb238e62831f3ff31125e4d40b49e8b57a38dbbb469af8fcf6f09ee24dd79b481dc2e3545e51e476928441b518e07231df6053
- Filesize: 16KB
  MD5: 25d163867f0e6cf59352870407812ed7
  SHA1: 75438fb873015674b2dedeeafe0a212cdb6de306
  SHA256: 3035990a8deb64d5917bdaac4b6e6e41a218c57472d2cfb7169559abcda73ed3
  SHA512: 998b5ab1c9245a18ab798aa059280b961b1093aca8949de6a6fbda3dbcb4891876997d3fecb57f26d638d9ac621bb07b18cda401ac5ed7a49e8977856ef78673
- Filesize: 16KB
  MD5: ec3857a7484c70ebdc5cfb6574fa92d6
  SHA1: e8e8601f51c241bf7129d2b0024936fd729861f3
  SHA256: 540f8d193a782524caabeca62a8a2060fd23550663a55a3d8dba824f0ddd86b6
  SHA512: 1f67a755d14dffb50575c5a37258b1c13f9b189f1e0fe1b12a1bc4d69111032ebee1f9225523d1aaae36e88c91f362bbf69973a575af93e3de6c4795e05c07e3
- Filesize: 16KB
  MD5: 57dbf6dd60e7d7c7b03f3d6609498bdb
  SHA1: 2775e8355b6b41be0aae629da0975440bab4a42d
  SHA256: 28f16254bd701ff60da0cc9386e878e8234dc107eea44cff4c627bf9bf247144
  SHA512: fc679f2d04b0804085364aad0daf3fa42429a3946c9e62edec508bd3d671f60f6fb039c811d73a4ef7f11a14513d986539d297e258aba5edb1b12c68d1fee29a
- Filesize: 16KB
  MD5: e5c9929487a9649b346a58a5fd33dfb8
  SHA1: 763afaa15910315f335cae39e8e11562d9b163f1
  SHA256: e0a39c229490b3826c2da6f5805e1c20fd70c7511b5a661fa71efa01e47319d2
  SHA512: 0685c8df0961c7bf652b3c17863b27f2db67522424c0887ae2551642af0124efff2a94acb8391e43581769e11261ab3fd110a3ad51caa37755260878378e2932
- Filesize: 16KB
  MD5: 7e44342857d4f54830a2fc9a464fc43f
  SHA1: 9594231a87304da360921550e8f7aaef06e8985c
  SHA256: f230a6cd7280a28cec9c88d946f2354ac3a3c384ab4b2daa7455e8ebf2749284
  SHA512: 5f8b93de3ba4966919134b9c58376d13aa1f793c32a7e6c9114e5114c556e10d39e0f971b554d645f8ce622ddf7f9c3cb603916fee794073715440d37bdeba48