20734b7174f83fb2160010e93bcf48ced19dcc708a7a8d94ab7ba9abf820b137

General

Target

d075eb8d3b79c571564c3988aa7ffba0_JaffaCakes118.exe
Size

15KB
MD5

d075eb8d3b79c571564c3988aa7ffba0
SHA1

857fc0d5a7c044aa9cd0a83129c376c9d50d346f
SHA256

20734b7174f83fb2160010e93bcf48ced19dcc708a7a8d94ab7ba9abf820b137
SHA512

9918b9055c6f508032a6a1b9fe8d0ff790eef08a33c8d3e16c12ed37c9546ef3e1ece8085544888dcbc5c7674833cf9b5dd7d5a7b4c1124d7c19dd522755c89c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8nz:hDXWipuE+K3/SSHgxm8z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2268	DEM7BE.exe
2480	DEM5D9A.exe
1748	DEMB2FA.exe
1068	DEM898.exe
1728	DEM5E75.exe
2384	DEMB3A6.exe

Loads dropped DLL 6 IoCs

pid	Process
1720	d075eb8d3b79c571564c3988aa7ffba0_JaffaCakes118.exe
2268	DEM7BE.exe
2480	DEM5D9A.exe
1748	DEMB2FA.exe
1068	DEM898.exe
1728	DEM5E75.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2268	1720	d075eb8d3b79c571564c3988aa7ffba0_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2268	1720	d075eb8d3b79c571564c3988aa7ffba0_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2268	1720	d075eb8d3b79c571564c3988aa7ffba0_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2268	1720	d075eb8d3b79c571564c3988aa7ffba0_JaffaCakes118.exe	29
PID 2268 wrote to memory of 2480	2268	DEM7BE.exe	31
PID 2268 wrote to memory of 2480	2268	DEM7BE.exe	31
PID 2268 wrote to memory of 2480	2268	DEM7BE.exe	31
PID 2268 wrote to memory of 2480	2268	DEM7BE.exe	31
PID 2480 wrote to memory of 1748	2480	DEM5D9A.exe	35
PID 2480 wrote to memory of 1748	2480	DEM5D9A.exe	35
PID 2480 wrote to memory of 1748	2480	DEM5D9A.exe	35
PID 2480 wrote to memory of 1748	2480	DEM5D9A.exe	35
PID 1748 wrote to memory of 1068	1748	DEMB2FA.exe	37
PID 1748 wrote to memory of 1068	1748	DEMB2FA.exe	37
PID 1748 wrote to memory of 1068	1748	DEMB2FA.exe	37
PID 1748 wrote to memory of 1068	1748	DEMB2FA.exe	37
PID 1068 wrote to memory of 1728	1068	DEM898.exe	39
PID 1068 wrote to memory of 1728	1068	DEM898.exe	39
PID 1068 wrote to memory of 1728	1068	DEM898.exe	39
PID 1068 wrote to memory of 1728	1068	DEM898.exe	39
PID 1728 wrote to memory of 2384	1728	DEM5E75.exe	41
PID 1728 wrote to memory of 2384	1728	DEM5E75.exe	41
PID 1728 wrote to memory of 2384	1728	DEM5E75.exe	41
PID 1728 wrote to memory of 2384	1728	DEM5E75.exe	41

C:\Users\Admin\AppData\Local\Temp\d075eb8d3b79c571564c3988aa7ffba0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d075eb8d3b79c571564c3988aa7ffba0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\DEM7BE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7BE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\DEM5D9A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5D9A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\DEMB2FA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB2FA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\DEM898.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM898.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\DEM5E75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5E75.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\DEMB3A6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB3A6.exe"
        7⤵
        Executes dropped EXE
        
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5D9A.exe

Filesize
16KB

MD5
c42176fe2bf7f3b38caa291960203b2b

SHA1
3deaec33a028f38c4a7bdb2c05b6718461931a02

SHA256
8430e89d9db861a3c93c652355bdac9573585b689aaf7991fba083fa120ae4d8

SHA512
352e11ca1307eaf9713eea15a44a092c2b83c5826f0b833e40f918e35b4e261fe6da852cddf30b70147954115bf096ad2741c861171d3ad0d9280be80265d462

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5E75.exe

Filesize
16KB

MD5
f63bf0f975f735f54cbb7283bfbb58e7

SHA1
8e7697c72cb59129fa45db81118d0eb3adf31187

SHA256
721758beb0f83159e374db7e7451edf96547c2a501dc0d4a8aa295c42a5fe764

SHA512
54bd4a2e4aa6c2705e1c7e354186bb71f9dbbfa53ae78b46d10e12019b613e5992764b6e67563bc0bbd2823a48d2c8fb50b1af9f126c4207b973b095c10800c7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7BE.exe

Filesize
16KB

MD5
2eb55d518f321ca9d3180ffb4f3d16c6

SHA1
a215b27283f0440045474b9941d176ed59408feb

SHA256
9e18a226bfd844c2da51660dbf0124b88f4b2b81e51f617d840a7cbf99689054

SHA512
e9492389cbf9d84ae57bfd7c23f99347098fe634b7e00f89d4c6d986f05cc1c2066e61cbcb47abf1f04852b9fe446920b2fb432f36a7627b4d23c580c97eaf5c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM898.exe

Filesize
16KB

MD5
2816852f5113ea6f046b62ad88dfdd6a

SHA1
4b2f4765f3dc7973ba1ead66190760083bb976f3

SHA256
1386d02c67469f60d5c268a70490895f3ff46efa68379b96c10b72c6db0bbcea

SHA512
fa534214e543366a97ba762cbce9e85b48b8f765b7fb653f4fdccea6ad6266e88bf8a5d315ba8a2a958df6c4694a46442f28cddd5eb79d03e649475c760bc1a8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB2FA.exe

Filesize
16KB

MD5
b773695669e6c97e18503c9e29da5061

SHA1
fe1f7f37a004db919484a61ba89d4bf3521c1be2

SHA256
b599aa9ddb4c85338cb592f5cb2f37bda703505e4c39d36affd08f7b8a179eee

SHA512
94164e5d2c65c34cab9946883a7717e2a2f61a8d55c47233c07e3f1b6fb0c7c91f947118b3c36ed5558371ebe3b0dd6c299e154e2ac20a0c792cae176194cd80

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB3A6.exe

Filesize
16KB

MD5
1ec5aacd0c0c4d6fc7a88da0a99394af

SHA1
ce8a2edac9a9482303415203d5b2c6b1db75507c

SHA256
dc0a3e146ceb39e125560d12207dda3d33ac7dd9129ea2f0cdabad0a514248d7

SHA512
50d55ab5ba16cdf68b72be8da9f3ffe83d4b5d2657e8a202262642dd5499ad5e80fb387cf30e4981836821ebacdb194137c03faadb187b52f9d2eb7424ac5b38

Download Submit

Analysis

Sharing