3074a2847bb83183bbfc0cfe21e1068b8136978d6924df2175cfc628e0b23bb0

General

Target

d42f067b7420097918c73418e59c04aa_JaffaCakes118.exe
Size

14KB
MD5

d42f067b7420097918c73418e59c04aa
SHA1

139ad15a61e377ae3937ac0e4454884cb228420a
SHA256

3074a2847bb83183bbfc0cfe21e1068b8136978d6924df2175cfc628e0b23bb0
SHA512

2f96320da8e980f54ea353e2f024b73f706071d99093068641fe3850d6b98c7cf92423299dc24819c70c14dce4b9dbedfe7a1968c973846f687c26f69585c8ec
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYDsp1zY:hDXWipuE+K3/SSHgxmgX0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2552	DEM8852.exe
2424	DEME08F.exe
2020	DEM36E8.exe
2168	DEM8E1C.exe
2016	DEME4A4.exe
1752	DEM3AA0.exe

Loads dropped DLL 6 IoCs

pid	Process
1664	d42f067b7420097918c73418e59c04aa_JaffaCakes118.exe
2552	DEM8852.exe
2424	DEME08F.exe
2020	DEM36E8.exe
2168	DEM8E1C.exe
2016	DEME4A4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2552	1664	d42f067b7420097918c73418e59c04aa_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2552	1664	d42f067b7420097918c73418e59c04aa_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2552	1664	d42f067b7420097918c73418e59c04aa_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2552	1664	d42f067b7420097918c73418e59c04aa_JaffaCakes118.exe	29
PID 2552 wrote to memory of 2424	2552	DEM8852.exe	33
PID 2552 wrote to memory of 2424	2552	DEM8852.exe	33
PID 2552 wrote to memory of 2424	2552	DEM8852.exe	33
PID 2552 wrote to memory of 2424	2552	DEM8852.exe	33
PID 2424 wrote to memory of 2020	2424	DEME08F.exe	35
PID 2424 wrote to memory of 2020	2424	DEME08F.exe	35
PID 2424 wrote to memory of 2020	2424	DEME08F.exe	35
PID 2424 wrote to memory of 2020	2424	DEME08F.exe	35
PID 2020 wrote to memory of 2168	2020	DEM36E8.exe	37
PID 2020 wrote to memory of 2168	2020	DEM36E8.exe	37
PID 2020 wrote to memory of 2168	2020	DEM36E8.exe	37
PID 2020 wrote to memory of 2168	2020	DEM36E8.exe	37
PID 2168 wrote to memory of 2016	2168	DEM8E1C.exe	39
PID 2168 wrote to memory of 2016	2168	DEM8E1C.exe	39
PID 2168 wrote to memory of 2016	2168	DEM8E1C.exe	39
PID 2168 wrote to memory of 2016	2168	DEM8E1C.exe	39
PID 2016 wrote to memory of 1752	2016	DEME4A4.exe	41
PID 2016 wrote to memory of 1752	2016	DEME4A4.exe	41
PID 2016 wrote to memory of 1752	2016	DEME4A4.exe	41
PID 2016 wrote to memory of 1752	2016	DEME4A4.exe	41

C:\Users\Admin\AppData\Local\Temp\d42f067b7420097918c73418e59c04aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d42f067b7420097918c73418e59c04aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\DEM8852.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8852.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\DEME08F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME08F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\DEM36E8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM36E8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E1C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E1C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Users\Admin\AppData\Local\Temp\DEME4A4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME4A4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\DEM3AA0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3AA0.exe"
        7⤵
        Executes dropped EXE
        
        PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEME08F.exe

Filesize
14KB

MD5
7e5c9bc6b9d5462afabdd2fcd1c6c0ec

SHA1
fce25435ba78992573e455cdebd1b2d99b4ca39b

SHA256
e9fb9433325008e37d17441031f4d26b0e182cfa1c97532550905017a7926c9c

SHA512
7ac0f0b349aa672e87a971692f74319207a1690ca3cd71d9e082cd3c42259ac760b332e788c94bb257ee7ed8bd6d4c5449bc25c2ca43802d256af2067737fc6d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM36E8.exe

Filesize
14KB

MD5
ed3d3676e7d72946d5f4d5a4d4b6d734

SHA1
6b45365c364512ec7ec074c9acbb18ddca1ae821

SHA256
1cdcc6360d53c037c375b9b1b2cfa2b554803561c2bfdb1b7161ba764f74b3a3

SHA512
519d03899c7bf58e50ee07afe62c93ea366764ecccf725936d3a4b31ed00b8d13a5f3a11cb5c436fb94eed6a7f979224b1efe1fe7d97e1a7c3e156340bfacc35

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3AA0.exe

Filesize
15KB

MD5
a6c0ef0b4313270cb105f296f7077317

SHA1
28cc103959b4994083152975b038a43cf8a9c0b2

SHA256
01f3546c0553152eee403dac56a432e64000bbfa6d85d1ca688ddc7aa8fbdf90

SHA512
95449be624e1452766197761be177d2017df64a8dfb5756d95bbf7490ec9a465ea2c13d30fb9cf93db52647a7dd4b6d61c9bfbbba4e3ad740a86fc114fdc1c22

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8852.exe

Filesize
14KB

MD5
6a5b2093c76c924728a543086c921a92

SHA1
a474e1a806617ea6a11852be194cefbd924db008

SHA256
4338df65513249e8cbbcd143101bccea467560b0293eb7fe692ce97bdb7564e6

SHA512
095ee2f5e91c70c744d91362b7b67117dff270c4cd88488e73761858ef349b4ee4ba564dd9ad782e10a292e9357423d169a2f414e86710c13357e539b547fe24

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E1C.exe

Filesize
14KB

MD5
72b21f536fe152e4cc0954771281f4b5

SHA1
06413972b69adc216e02ec09ef1482902985edc0

SHA256
42f4fac16322286e42744ff5a06380e8a32b9085ab709d309883bce0dff51020

SHA512
3822c7be4f67896a861221e3de345047b790aebbdb329b1fc8c789bf985ff8d93cb1db1be4ca7bf82407150ee645b7f87810031fac005af022887d0eae0e9b27

Download Submit
\Users\Admin\AppData\Local\Temp\DEME4A4.exe

Filesize
15KB

MD5
412c898a4adbe02fc6a5ff8bbeda6ab8

SHA1
da01ede467120d8c9ce82fbcecff1d99f2dc7222

SHA256
5855318be60c7a28bea572bfb3ae8f98d197c324a347396fd5bd03353e7c8ac2

SHA512
64b7dfcc9a8cf808e0053ac6f988a2469e621976536b4f736b5f26e2a340f31f8f9ba5bdd3567f91300dcc69190817d6be4417ad5ea386cedc6b0485ae3e09ef

Download Submit

Analysis

Sharing