53d479fc636c9fbc7e454bb9c02efdfb2f34414720b6c298a97712edabee437e

General

Target

d296737b282fc34d2ae529291dbf3a91_JaffaCakes118.exe
Size

14KB
MD5

d296737b282fc34d2ae529291dbf3a91
SHA1

71905840caa3bef9785c182c487277d55264dc0a
SHA256

53d479fc636c9fbc7e454bb9c02efdfb2f34414720b6c298a97712edabee437e
SHA512

cd6cc60f9aab443308f3f82835e76dadf68ec5558c9618561e89d4911c26c64b9f77daa49a4dfbb92c668ac4ae0351ee928dda1d61f9b5975ea26b3537ec322f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh+:hDXWipuE+K3/SSHgxz+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2596	DEM2829.exe
2464	DEM7DE7.exe
2884	DEMD317.exe
2664	DEM2839.exe
540	DEM7D5A.exe
2112	DEMD2D9.exe

Loads dropped DLL 6 IoCs

pid	Process
2004	d296737b282fc34d2ae529291dbf3a91_JaffaCakes118.exe
2596	DEM2829.exe
2464	DEM7DE7.exe
2884	DEMD317.exe
2664	DEM2839.exe
540	DEM7D5A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2596	2004	d296737b282fc34d2ae529291dbf3a91_JaffaCakes118.exe	29
PID 2004 wrote to memory of 2596	2004	d296737b282fc34d2ae529291dbf3a91_JaffaCakes118.exe	29
PID 2004 wrote to memory of 2596	2004	d296737b282fc34d2ae529291dbf3a91_JaffaCakes118.exe	29
PID 2004 wrote to memory of 2596	2004	d296737b282fc34d2ae529291dbf3a91_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2464	2596	DEM2829.exe	33
PID 2596 wrote to memory of 2464	2596	DEM2829.exe	33
PID 2596 wrote to memory of 2464	2596	DEM2829.exe	33
PID 2596 wrote to memory of 2464	2596	DEM2829.exe	33
PID 2464 wrote to memory of 2884	2464	DEM7DE7.exe	35
PID 2464 wrote to memory of 2884	2464	DEM7DE7.exe	35
PID 2464 wrote to memory of 2884	2464	DEM7DE7.exe	35
PID 2464 wrote to memory of 2884	2464	DEM7DE7.exe	35
PID 2884 wrote to memory of 2664	2884	DEMD317.exe	37
PID 2884 wrote to memory of 2664	2884	DEMD317.exe	37
PID 2884 wrote to memory of 2664	2884	DEMD317.exe	37
PID 2884 wrote to memory of 2664	2884	DEMD317.exe	37
PID 2664 wrote to memory of 540	2664	DEM2839.exe	39
PID 2664 wrote to memory of 540	2664	DEM2839.exe	39
PID 2664 wrote to memory of 540	2664	DEM2839.exe	39
PID 2664 wrote to memory of 540	2664	DEM2839.exe	39
PID 540 wrote to memory of 2112	540	DEM7D5A.exe	41
PID 540 wrote to memory of 2112	540	DEM7D5A.exe	41
PID 540 wrote to memory of 2112	540	DEM7D5A.exe	41
PID 540 wrote to memory of 2112	540	DEM7D5A.exe	41

C:\Users\Admin\AppData\Local\Temp\d296737b282fc34d2ae529291dbf3a91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d296737b282fc34d2ae529291dbf3a91_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\DEM2829.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2829.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\DEM7DE7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7DE7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\DEMD317.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD317.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\DEM2839.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2839.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\DEM7D5A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7D5A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\DEMD2D9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD2D9.exe"
        7⤵
        Executes dropped EXE
        
        PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2839.exe

Filesize
15KB

MD5
f2e8b83211bac278da917592cc7fee24

SHA1
66c6864971845f78173c36a33ff2a8b6950d7427

SHA256
f23066ab17bb1303266ecfd3bbaa61bd9bb3e3092bc8e7da88860fd1d1c9fe14

SHA512
22e1bc3740539ec69ca0ce10a967be0b74b3ae472fcd56700cc0bafe9f6298e5a74cb85f4cd95bc3b6f5037c2454e285ea54a7ecc7c48708233b45839b39d3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7D5A.exe

Filesize
15KB

MD5
3c4839920504eafd70da4426ff8f96ee

SHA1
7d919935c7afbdda967c3ca4376b523427568ef2

SHA256
789a3b3ca1eafe4b576c5e84ae5d7b25a86d25b56e9cb37065ad017715b44253

SHA512
0c3c7cfaa85cb151265b328fbd8378fb90b5042c1e9cc6ad2acb90b13ced387deb47a737b63b9fbfa31ab56ceb8a1ada93093775e4c2694264fb3c33a719d0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7DE7.exe

Filesize
15KB

MD5
e4047486353e9883b590d68be13f6c3b

SHA1
e48c5a2a42c1ea5de6f7e9e837166ecb4c485c03

SHA256
befe4d9bd39f9e6359812b8e19c396f4991a86a0ad0d115d69b6b36908a3c24f

SHA512
eea459b97fa4c853fd7b5adcf94cd9b2d38225d8334edf2c1fe94765c5299d37f22021c301bb4a2f22a68bbb6815fc3b3f6189271b01778423942f36530c93b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD2D9.exe

Filesize
15KB

MD5
b3a0afd91b201ea1682d538a652f9d1f

SHA1
1e0fc8097113a01393ba10e5bf2604e0b6eb9e18

SHA256
650ce669e4a4233a391462f2830beb7b9a614b4321c7073c631eec3812e7bb80

SHA512
58d16f22cfde4ed6bff3e51b9c566ceb0cbf46e3ce941adf05c677105585a7aa13f9fe43f8a97556b0471684b53d14c4f11ded0fb1f873ee40e13b4d4bd7e34f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2829.exe

Filesize
14KB

MD5
9e16be41c35a6cda4168eae52f71a96f

SHA1
f85f50282c21c889cfff85f7c3525216a88a740b

SHA256
d73a88c4028c02030ec8d74d58b3e72b5b7e0bec4cd66761c2bc43db10a64461

SHA512
b9a3428ae10bcc631ad142e6cfc84e4ab2d680579712543fa4006253b5d4131f36410a85113bcda29de2e7edef2c0ef7659d76d2f3772d523a5bea867a99b221

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD317.exe

Filesize
15KB

MD5
e74d53d732aa62e2608b61126f099534

SHA1
8da9e60488212169ebc4b71a3bf2816231b81af7

SHA256
663e5d4bd112affc80d9191016cc48f2e9a555a326f648760ad37bd89cbee970

SHA512
0e0cfec2e6219d2c22ac7ecf21840a10f6305508418bc99f73d154f8eb964f78b868856b4bffed37240afacaee7ac2e2cec6d707b75d95d56325da4d2e0b0203

Download Submit

Analysis

Sharing