b5a3bc1ccfb072c5f73967f0c507b7d66594912bb002e28df0efa2143a53fde9

General

Target

d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe
Size

15KB
MD5

d24d403152e422b4ec7bcd4f8ce37e59
SHA1

18dfd2cdb03de3c2aa4944e6e80342abad2ffd7c
SHA256

b5a3bc1ccfb072c5f73967f0c507b7d66594912bb002e28df0efa2143a53fde9
SHA512

8836c260981a5ebeaa764a57c1574513859e79c0d80d9cf0d1a124dd2f0dad4623ba7731266f3a9195c1bead37a08b2adab6bff0a6402a9199b7a1b6c2c926e4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4lCj:hDXWipuE+K3/SSHgxmF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2568	DEM5D3D.exe
2400	DEMB2FA.exe
2736	DEM1140.exe
1872	DEM66AF.exe
284	DEMBC7C.exe
2252	DEM1297.exe

Loads dropped DLL 6 IoCs

pid	Process
1048	d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe
2568	DEM5D3D.exe
2400	DEMB2FA.exe
2736	DEM1140.exe
1872	DEM66AF.exe
284	DEMBC7C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2568	1048	d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe	29
PID 1048 wrote to memory of 2568	1048	d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe	29
PID 1048 wrote to memory of 2568	1048	d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe	29
PID 1048 wrote to memory of 2568	1048	d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe	29
PID 2568 wrote to memory of 2400	2568	DEM5D3D.exe	33
PID 2568 wrote to memory of 2400	2568	DEM5D3D.exe	33
PID 2568 wrote to memory of 2400	2568	DEM5D3D.exe	33
PID 2568 wrote to memory of 2400	2568	DEM5D3D.exe	33
PID 2400 wrote to memory of 2736	2400	DEMB2FA.exe	35
PID 2400 wrote to memory of 2736	2400	DEMB2FA.exe	35
PID 2400 wrote to memory of 2736	2400	DEMB2FA.exe	35
PID 2400 wrote to memory of 2736	2400	DEMB2FA.exe	35
PID 2736 wrote to memory of 1872	2736	DEM1140.exe	37
PID 2736 wrote to memory of 1872	2736	DEM1140.exe	37
PID 2736 wrote to memory of 1872	2736	DEM1140.exe	37
PID 2736 wrote to memory of 1872	2736	DEM1140.exe	37
PID 1872 wrote to memory of 284	1872	DEM66AF.exe	39
PID 1872 wrote to memory of 284	1872	DEM66AF.exe	39
PID 1872 wrote to memory of 284	1872	DEM66AF.exe	39
PID 1872 wrote to memory of 284	1872	DEM66AF.exe	39
PID 284 wrote to memory of 2252	284	DEMBC7C.exe	41
PID 284 wrote to memory of 2252	284	DEMBC7C.exe	41
PID 284 wrote to memory of 2252	284	DEMBC7C.exe	41
PID 284 wrote to memory of 2252	284	DEMBC7C.exe	41

C:\Users\Admin\AppData\Local\Temp\d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\DEM5D3D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5D3D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\DEMB2FA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB2FA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\DEM1140.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1140.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\DEM66AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM66AF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Users\Admin\AppData\Local\Temp\DEMBC7C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC7C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\DEM1297.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1297.exe"
        7⤵
        Executes dropped EXE
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1140.exe

Filesize
15KB

MD5
02c2317765b092256553eb42937eba7d

SHA1
9c74b11ea214d729f1dac081ae5af38ae1483425

SHA256
2597a37c2276285c2326184213d654af3b4c7a389388fa7e50526e5fa42a4b55

SHA512
b39fadb5aa2fc3fbe95de300df9c4b68f61484cadeac2970430cb2cadfd2305c7cb6f82e296a3c5c8c03e2e129f28f46b361c5d6d0154faf30950c06b8cbd3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5D3D.exe

Filesize
15KB

MD5
1e1ebcd3e554736d5ab4af34b69c802a

SHA1
49dac494bdb63acf5d416cd8b2d2e3ca9123e8f8

SHA256
50c4ff75657a6afb45fceede5b43824d173ab1f84f0b3a33e99d1bb1e493c48c

SHA512
faf360133ba05395eb0e2da048883aa65320c303384460e07900fc729ded5b4feb8972637ee60229f5cd0c68f616f1d59bec460e47bed0519888e9c92e4fef2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM66AF.exe

Filesize
15KB

MD5
c6ccf24619df599fdf029131ca740cd5

SHA1
aaf1b5b98c482cc1a155adc3a8a8f4f1f16785a0

SHA256
da16ef83cb694b754b35f5533f1886cf40f8aaaae0e82bc7312ac1d424addcd3

SHA512
47da01e96aa7290800986405dcca7c9060ae5868306afc131d5598deb7d8dc6f3cd1c392a005af42453a961bc708e1f3cf9f1e87d866eb91280315decab7da01

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB2FA.exe

Filesize
15KB

MD5
3e984e01cbe611975038ca0a8f1dda86

SHA1
656d4c767e3cbd943d3e91a4c4779fba19aedde7

SHA256
814ce66984ab594601effd8ad771c8660f3a7e835f44883162518378e504c837

SHA512
b7d0c3f2c0a6b1a55c2f06cb939b9863a8556754767a77e4e1f063fec670589697a49a823e760abc96fb9624903222e76773d37423f230b2234cf8bd5a1c352d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1297.exe

Filesize
15KB

MD5
f738bfcaa34b1e00806bc281be77af24

SHA1
3cb1b7736874e63aab7696a30b0b4be578fc11c4

SHA256
bd06b48f29d6a7768dcba9c2518c8b68c6ff50242c35c034ae4e3636752d119d

SHA512
5f579e4012f317d41d1b2d4687d3714060793e13e9c148ea28b705485e666848eca81085f80b3ebf91bc0bcb6724914a359bdba6dab11cd0c4c37ce39fcddeb2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC7C.exe

Filesize
15KB

MD5
fac1649460b2d988cde522f2e13982aa

SHA1
c7553c73b3596852881e8d00ec1da5d325c08d8e

SHA256
c20a5f6a567ec5ef071ae00d89a5c1e832b4b2a245336963beec5e397ff953b6

SHA512
cb4ad9bb31269751631a3556a8b70b428b51bc0bf08ac0738a2ad084d2d91c5cd0a5ce54d183a39f90f42af3239be81545d4318fa7828785657c1498aea5a0bb

Download Submit

Analysis

Sharing