dcc1a2c289df3190fb94ba87c05d79178882c08b410d333b8e4c3d79745dbabd

General

Target

d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe
Size

20KB
MD5

d11f8a8b4687e40493fb9be94efb401f
SHA1

7523c6c53d85bc5714352a5445c53bf8102be324
SHA256

dcc1a2c289df3190fb94ba87c05d79178882c08b410d333b8e4c3d79745dbabd
SHA512

2c9a056aed15fc6c102014cb05e498bcf5d9a2f93d3aba85abf92cfaeb07ebc99f4072fe52b13905348fcb401cf23dd5b445e0b3cb88fb9d10cac61c0e81a221
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxX1pH:hDXWipuE+K3/SSHgxmH9v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2116	DEMA1E.exe
2488	DEM5FEB.exe
3000	DEMB52C.exe
2760	DEMA3E.exe
3004	DEM600B.exe
2904	DEMB55B.exe

Loads dropped DLL 6 IoCs

pid	Process
2276	d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe
2116	DEMA1E.exe
2488	DEM5FEB.exe
3000	DEMB52C.exe
2760	DEMA3E.exe
3004	DEM600B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2116	2276	d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2116	2276	d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2116	2276	d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2116	2276	d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe	29
PID 2116 wrote to memory of 2488	2116	DEMA1E.exe	31
PID 2116 wrote to memory of 2488	2116	DEMA1E.exe	31
PID 2116 wrote to memory of 2488	2116	DEMA1E.exe	31
PID 2116 wrote to memory of 2488	2116	DEMA1E.exe	31
PID 2488 wrote to memory of 3000	2488	DEM5FEB.exe	35
PID 2488 wrote to memory of 3000	2488	DEM5FEB.exe	35
PID 2488 wrote to memory of 3000	2488	DEM5FEB.exe	35
PID 2488 wrote to memory of 3000	2488	DEM5FEB.exe	35
PID 3000 wrote to memory of 2760	3000	DEMB52C.exe	37
PID 3000 wrote to memory of 2760	3000	DEMB52C.exe	37
PID 3000 wrote to memory of 2760	3000	DEMB52C.exe	37
PID 3000 wrote to memory of 2760	3000	DEMB52C.exe	37
PID 2760 wrote to memory of 3004	2760	DEMA3E.exe	39
PID 2760 wrote to memory of 3004	2760	DEMA3E.exe	39
PID 2760 wrote to memory of 3004	2760	DEMA3E.exe	39
PID 2760 wrote to memory of 3004	2760	DEMA3E.exe	39
PID 3004 wrote to memory of 2904	3004	DEM600B.exe	41
PID 3004 wrote to memory of 2904	3004	DEM600B.exe	41
PID 3004 wrote to memory of 2904	3004	DEM600B.exe	41
PID 3004 wrote to memory of 2904	3004	DEM600B.exe	41

C:\Users\Admin\AppData\Local\Temp\d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\DEMA1E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA1E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\DEM5FEB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5FEB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\DEMB52C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB52C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\DEMA3E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA3E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Users\Admin\AppData\Local\Temp\DEM600B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM600B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\DEMB55B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB55B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5FEB.exe

Filesize
20KB

MD5
3a4ad14af9e7f61db5d17b9489623c1e

SHA1
5b346790f6208ea7d4c90a2ba5ec172a16a0972d

SHA256
bdb2b7ed498a5c03f564ae569fb77177280a181e1f735184dadf76f45a8990cc

SHA512
ff3edc1a5513d63dd94fd0f53b32bccc836d82999647c2aff3b8bf25340f330c43f422feb767fc6010b8d708f579f561dfd46dce62fa14816c3300baddd6b4c6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM600B.exe

Filesize
20KB

MD5
0e0a4bbdd0a356bf5f374cbb4eda5f91

SHA1
4019adfa21fd96c2e04afab89f1975c5c709af87

SHA256
73f71812009ebd29da7ee0552572714c50e8164a666de731a044712724f72291

SHA512
b298865492ebc7082dcc0b4bffb7f0f120ddec267b3157958a5ad62ac459f2004264d2e081feef3bec8d687df5b1316c4a3c3d0a9cc2da3165d81108276274d1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA1E.exe

Filesize
20KB

MD5
40c628b7d10460ec4d377c8cd1d8dfb7

SHA1
c78379832d32dc4077beb377b64abacb961ecb05

SHA256
979624e1765e61df2ab792e41d1880efff59287028a341172344db70749a3cc4

SHA512
fbc5c2f17c95b36124951d4019a573d703910da5bd1fbad5844df381611a20f4b2e9177536aaaef9a9e5cc941aae008e909129cfd2b78411bb9bbee044c74117

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA3E.exe

Filesize
20KB

MD5
343f56db89de990739aab05adcf9eb10

SHA1
66b9472a87614a61b11bb3405df071998e74e4f4

SHA256
77abe2088eba043b379d88835fc594cd256b0811fba5dad1ecccd066d1fe9cd9

SHA512
488a7b01ca5d06a282bc8eb9898b126ec01318cbbc166cd5493da4664ac33619c89ed5b2440b79d972ee06af106637e04af825792dc7a2c1bb72df9c7cdf49a3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB52C.exe

Filesize
20KB

MD5
e235139bbd28f4398f7664b9ffbd0a09

SHA1
c3311aea6fb55366e0aef7253f7593c0fbb0ef3b

SHA256
bf16551deaca2519f026eb63f7ba055199a746851c48a561032152034fdeee7d

SHA512
69c41496bd5b99ea258325adb0547432eea105125ed7b47579a9b1eecad71f5d9af2ad7a4c22a729fcb502dbc555b13fb9a050b868bb6b4044e82c001546c07c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB55B.exe

Filesize
20KB

MD5
9632362feedcadc8579d4ae4a2855944

SHA1
9a15e94ca8d68981265d74085d941a75aa2e9f6c

SHA256
89a5fcbc23a7cd07029a7e59adc8b66c4ae67c46be6b692cf48350b1ff1ff11c

SHA512
16a555e877153c7d607ebbd7f60784e704219db5be63c9db0f8f0c24b945a19a9bcf557f85e2b6ab0967f1c2fb37d47b2dad738da083634666d20a78b567a88c

Download Submit

Analysis

Sharing