05a4984b51df62026ee4de460a6aeadc8d2ef6e983f4cbc7d4258cb78446eb6c

General

Target

d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe
Size

15KB
MD5

d46b3d5df7559b6f99a05e51ac83d4ee
SHA1

0691d60fd9575a57c93ef822693b7c2c89e13a5b
SHA256

05a4984b51df62026ee4de460a6aeadc8d2ef6e983f4cbc7d4258cb78446eb6c
SHA512

14da3f7b804cc220e15f23c4f52174d65c137502a8e90bb157af57910a13ec3b132f276f2b753eb9cc72feee5f5db94adbf3a2df30ba02698f65739c711f1d13
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhHcLB5:hDXWipuE+K3/SSHgxzHW/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2560	DEM1CF3.exe
2712	DEM72B0.exe
2424	DEMC800.exe
1808	DEM1D60.exe
2232	DEM72DF.exe
2768	DEMC89C.exe

Loads dropped DLL 6 IoCs

pid	Process
2076	d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe
2560	DEM1CF3.exe
2712	DEM72B0.exe
2424	DEMC800.exe
1808	DEM1D60.exe
2232	DEM72DF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2560	2076	d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe	29
PID 2076 wrote to memory of 2560	2076	d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe	29
PID 2076 wrote to memory of 2560	2076	d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe	29
PID 2076 wrote to memory of 2560	2076	d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe	29
PID 2560 wrote to memory of 2712	2560	DEM1CF3.exe	31
PID 2560 wrote to memory of 2712	2560	DEM1CF3.exe	31
PID 2560 wrote to memory of 2712	2560	DEM1CF3.exe	31
PID 2560 wrote to memory of 2712	2560	DEM1CF3.exe	31
PID 2712 wrote to memory of 2424	2712	DEM72B0.exe	35
PID 2712 wrote to memory of 2424	2712	DEM72B0.exe	35
PID 2712 wrote to memory of 2424	2712	DEM72B0.exe	35
PID 2712 wrote to memory of 2424	2712	DEM72B0.exe	35
PID 2424 wrote to memory of 1808	2424	DEMC800.exe	37
PID 2424 wrote to memory of 1808	2424	DEMC800.exe	37
PID 2424 wrote to memory of 1808	2424	DEMC800.exe	37
PID 2424 wrote to memory of 1808	2424	DEMC800.exe	37
PID 1808 wrote to memory of 2232	1808	DEM1D60.exe	39
PID 1808 wrote to memory of 2232	1808	DEM1D60.exe	39
PID 1808 wrote to memory of 2232	1808	DEM1D60.exe	39
PID 1808 wrote to memory of 2232	1808	DEM1D60.exe	39
PID 2232 wrote to memory of 2768	2232	DEM72DF.exe	41
PID 2232 wrote to memory of 2768	2232	DEM72DF.exe	41
PID 2232 wrote to memory of 2768	2232	DEM72DF.exe	41
PID 2232 wrote to memory of 2768	2232	DEM72DF.exe	41

C:\Users\Admin\AppData\Local\Temp\d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\DEM1CF3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1CF3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\DEM72B0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM72B0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\DEMC800.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC800.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\DEM1D60.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1D60.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Users\Admin\AppData\Local\Temp\DEM72DF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM72DF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1D60.exe

Filesize
15KB

MD5
cca5a63aa683b061c4dde0b3a1915086

SHA1
1c933ddf8e7de1755742365ddcbf5b3fe48e5f32

SHA256
b4634ff2b6defc2747791972445dfacb9209a773b595b67fd012a3fdd132e213

SHA512
c83c1294667d6da3b1315f9a9b011dfb47f8e3765fe33ce197daff19545cb3cf7044d7b8e009ec44f34e1b6934234f1a4b4bc3969cf133838fe487396e09fbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM72B0.exe

Filesize
15KB

MD5
592eeb392f47e6b4506d1af8e3a87632

SHA1
5e4140dc6757e3769745672281d405a2011caa4d

SHA256
0b59ab274baee5e2be059a3e23cc731d60760afb7078608510511670d311c92b

SHA512
47886b9b1a6551ba74a02aa489aa86175ba6e424f1698300899a027a6ab3907c1a763e41bf3de956a3f4283b455ac61f53dedbcbb1905f052e2ef0d31d2e0847

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM72DF.exe

Filesize
15KB

MD5
dc2e414ba5c31e7f9737bcd03352def3

SHA1
315c4b3af891c401b3d2914212b6ddb014711b9d

SHA256
e7a78e7f46719e325d10656df7d508102b190c736ac68cc1dc8659134ceb679c

SHA512
9bcb219afee1c9ef04dc74329c95a91fa64e3f41171b2c0bb1e00f079de874bb07bafaf4fc2bff7cad5ff179657679fce0c42a79b1658d4d64aa002197eb848b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC800.exe

Filesize
15KB

MD5
1cf126efe05b00a732d51d518337235f

SHA1
f9d79d9c23c5581a98f8366510da5aab41831dfd

SHA256
18ee5fee756ea323ffdef95c1f08a636f86f9ceffe3f78523f0114a313d789f9

SHA512
572fdc36fe16468b5a6d35e02ccd2a5e50092115ff3db9917fbce7ddcf5e5e5d348331ccd64421a268108f9f1c80feec9de7d1369c9c6c0bf9038cfd58e01926

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1CF3.exe

Filesize
15KB

MD5
ee1c8eebf6d494f7a02322d68ea0447f

SHA1
c0fc9dc66eb81b91e0441ebe825197167d38cea4

SHA256
6c4e642ea789578139ce3dbbd9c5355706fd2ad865013d2c07e68ff803603c66

SHA512
2dfc5348c7eef1f4f47bfe42e0b08d8679afb90572ba7b54a71951375886675266919fb6c9ae03b4aad973df13a4a7504a543312b064cad32eaf3ce87710ebcd

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC89C.exe

Filesize
15KB

MD5
289318ae503cfc6fb5fdfc672782fac6

SHA1
8cfc387e8e81c70ac306e8a5fd7d8c694471c624

SHA256
a7d782d43e92723247a9ebd1ac1d8c9a50e4db6e87e9d96c7e5d15c37e0c5d8e

SHA512
a0e7cbd1083db967831a169daf87867c7127f2a51081f93fd42836c8e9179b6d3a92f7452d5a35a4afdf9350d4bfe6852e2286877dd484c3ff12fc79560bc2c4

Download Submit

Analysis

Sharing