f65441662abc949d200863f5b34c796006a263d9a73a4142c0e58bd794818740

General

Target

d2bba46c4b0834652cfc7a91fecac59f_JaffaCakes118.exe
Size

16KB
MD5

d2bba46c4b0834652cfc7a91fecac59f
SHA1

1b00ba5b06966b84ece5ab1279832a9750f3ae46
SHA256

f65441662abc949d200863f5b34c796006a263d9a73a4142c0e58bd794818740
SHA512

9e1b848e4bdd90e4073fc70c72764492e5f602370e5d0cb09a0cc059464516841e130fa6df52e2ff6996880cda11b1f1d2b4ac00e7b46c25710b3b3e229323ac
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hKSY:hDXWipuE+K3/SSHgxm3SY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2584	DEM311E.exe
2524	DEM86AD.exe
1588	DEMDC2C.exe
2308	DEM312E.exe
592	DEM8630.exe
2624	DEMDBEE.exe

Loads dropped DLL 6 IoCs

pid	Process
2664	d2bba46c4b0834652cfc7a91fecac59f_JaffaCakes118.exe
2584	DEM311E.exe
2524	DEM86AD.exe
1588	DEMDC2C.exe
2308	DEM312E.exe
592	DEM8630.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2584	2664	d2bba46c4b0834652cfc7a91fecac59f_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2584	2664	d2bba46c4b0834652cfc7a91fecac59f_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2584	2664	d2bba46c4b0834652cfc7a91fecac59f_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2584	2664	d2bba46c4b0834652cfc7a91fecac59f_JaffaCakes118.exe	29
PID 2584 wrote to memory of 2524	2584	DEM311E.exe	33
PID 2584 wrote to memory of 2524	2584	DEM311E.exe	33
PID 2584 wrote to memory of 2524	2584	DEM311E.exe	33
PID 2584 wrote to memory of 2524	2584	DEM311E.exe	33
PID 2524 wrote to memory of 1588	2524	DEM86AD.exe	35
PID 2524 wrote to memory of 1588	2524	DEM86AD.exe	35
PID 2524 wrote to memory of 1588	2524	DEM86AD.exe	35
PID 2524 wrote to memory of 1588	2524	DEM86AD.exe	35
PID 1588 wrote to memory of 2308	1588	DEMDC2C.exe	37
PID 1588 wrote to memory of 2308	1588	DEMDC2C.exe	37
PID 1588 wrote to memory of 2308	1588	DEMDC2C.exe	37
PID 1588 wrote to memory of 2308	1588	DEMDC2C.exe	37
PID 2308 wrote to memory of 592	2308	DEM312E.exe	39
PID 2308 wrote to memory of 592	2308	DEM312E.exe	39
PID 2308 wrote to memory of 592	2308	DEM312E.exe	39
PID 2308 wrote to memory of 592	2308	DEM312E.exe	39
PID 592 wrote to memory of 2624	592	DEM8630.exe	41
PID 592 wrote to memory of 2624	592	DEM8630.exe	41
PID 592 wrote to memory of 2624	592	DEM8630.exe	41
PID 592 wrote to memory of 2624	592	DEM8630.exe	41

C:\Users\Admin\AppData\Local\Temp\d2bba46c4b0834652cfc7a91fecac59f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2bba46c4b0834652cfc7a91fecac59f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\DEM311E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM311E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\DEM86AD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM86AD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\DEMDC2C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDC2C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Users\Admin\AppData\Local\Temp\DEM312E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM312E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Users\Admin\AppData\Local\Temp\DEM8630.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8630.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\DEMDBEE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDBEE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM311E.exe

Filesize
16KB

MD5
5025e879dba37a7828109661fa39a997

SHA1
fdff5e4142e45fa11138cab52ab233346bd654f6

SHA256
f3bd00d1fb8757e0678937ce08d42d079876db23393b21898e26c520ae152264

SHA512
990f7a64d56fa494c61570113ab682fefc072901578dddaa8d8c1516c3310a0f15009898652c99020ee11b008c613e698dde849261b40d2aff0fb8ff78ef238c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM312E.exe

Filesize
16KB

MD5
592f30f167f17066346490eb5cb0fcfa

SHA1
9a7bc2ec2f3b1f5e1c96866edb702aaf35d5ce89

SHA256
b53bdc2d7243526538d32a39b1c028c12ade928b99953d2aa8a6e092022676e3

SHA512
b4c0c1ea04cb8b19786545957bd9f9862dbd501d02c43346e49b56cd5d4f5307f269a3c2cd304f33531ffa72ae2e878017b34687a172462c4381b411e5a6c8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM86AD.exe

Filesize
16KB

MD5
17f227638d0b97dc085ec359ac0dd786

SHA1
5dc1c225ef0ccec8606d93bec8a8cf449bb59936

SHA256
6403c53c0491b376337cfd40cd3d6bde82782282cb4c31c62341fb3db5be34d3

SHA512
56b48a7a6a4789c546382a003aeacbf21e13afa895888fac4ce5d929eb308678bb55834f382013d336ec24a8aed3b952d75af28e0041546c0be4b9ac5980c7c7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8630.exe

Filesize
16KB

MD5
b84466a5303bdd8841f90bd7194793ad

SHA1
66c68b8d1d67c9f06c289ecf32c0e00d80a7ab8c

SHA256
18ac4b68f77fe6de9fbfe89f90e8dfac5ec06ead7edf16935b1c2b392edefd5c

SHA512
da8f67f9c1a7b6b786c9923aad9412fedd52eb7b91b55001d3450c3b768e0c469142b38296d6bc26f99d08230c09c574d715eb12ccfbe0618a7f3225c8638df1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDBEE.exe

Filesize
16KB

MD5
fd5941f049fcedafeb056a14072e614e

SHA1
37b837b52eb8dd37c1b0fa6fd4c197b3f84de576

SHA256
b5b9f3072379629f03f83ab4ca7f8b02999a02deaed93d06c84fbf64fff26421

SHA512
d27d55bf50a986e37e5076c2d73bac33c017d2ab759b3bca2958327e8183c5ab2c16fac8d380b76915bbbf9aa18f94b29903e4680998cd8e5d9188913687f5e1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDC2C.exe

Filesize
16KB

MD5
f936424bdc284fadd7d31b080a812ac9

SHA1
a56ec189e0204fc0487b93b94196ee718eed44ba

SHA256
2e083a931bc0ffc2ff44ab229625935a0aa11255990b197107b22a9206aa08a5

SHA512
d955f142ebb286149e0c2a8c9a44399c541ef49ddc2cfc09bfb27020cd4237d791abd901b9da84ba10147f5bad841f1ca322b74ee85cc3a19424c2cd930be116

Download Submit

Analysis

Sharing