39978f09d36bd77af452bbac65b5842f0d67cb17cb80390e2c834de2e32d5a47

General

Target

d40d3bf0334520dce0c75e871c396ee7_JaffaCakes118.exe
Size

15KB
MD5

d40d3bf0334520dce0c75e871c396ee7
SHA1

7a03e71aa8a5e4a6b4a02de85fc4b45076f80c67
SHA256

39978f09d36bd77af452bbac65b5842f0d67cb17cb80390e2c834de2e32d5a47
SHA512

d6e2f14bf5a29a93a532fcf05d60dc12b26aa186534665be221823dc489945785bbb15fee4803b64ce1ce04072c07016f8e09f1daae4686a40e149c0a06edc66
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4y:hDXWipuE+K3/SSHgxmv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2840	DEM1258.exe
2672	DEM6873.exe
2748	DEMBD85.exe
2284	DEM1333.exe
2776	DEM6893.exe
2188	DEMBDD3.exe

Loads dropped DLL 6 IoCs

pid	Process
2088	d40d3bf0334520dce0c75e871c396ee7_JaffaCakes118.exe
2840	DEM1258.exe
2672	DEM6873.exe
2748	DEMBD85.exe
2284	DEM1333.exe
2776	DEM6893.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2840	2088	d40d3bf0334520dce0c75e871c396ee7_JaffaCakes118.exe	29
PID 2088 wrote to memory of 2840	2088	d40d3bf0334520dce0c75e871c396ee7_JaffaCakes118.exe	29
PID 2088 wrote to memory of 2840	2088	d40d3bf0334520dce0c75e871c396ee7_JaffaCakes118.exe	29
PID 2088 wrote to memory of 2840	2088	d40d3bf0334520dce0c75e871c396ee7_JaffaCakes118.exe	29
PID 2840 wrote to memory of 2672	2840	DEM1258.exe	31
PID 2840 wrote to memory of 2672	2840	DEM1258.exe	31
PID 2840 wrote to memory of 2672	2840	DEM1258.exe	31
PID 2840 wrote to memory of 2672	2840	DEM1258.exe	31
PID 2672 wrote to memory of 2748	2672	DEM6873.exe	35
PID 2672 wrote to memory of 2748	2672	DEM6873.exe	35
PID 2672 wrote to memory of 2748	2672	DEM6873.exe	35
PID 2672 wrote to memory of 2748	2672	DEM6873.exe	35
PID 2748 wrote to memory of 2284	2748	DEMBD85.exe	37
PID 2748 wrote to memory of 2284	2748	DEMBD85.exe	37
PID 2748 wrote to memory of 2284	2748	DEMBD85.exe	37
PID 2748 wrote to memory of 2284	2748	DEMBD85.exe	37
PID 2284 wrote to memory of 2776	2284	DEM1333.exe	39
PID 2284 wrote to memory of 2776	2284	DEM1333.exe	39
PID 2284 wrote to memory of 2776	2284	DEM1333.exe	39
PID 2284 wrote to memory of 2776	2284	DEM1333.exe	39
PID 2776 wrote to memory of 2188	2776	DEM6893.exe	41
PID 2776 wrote to memory of 2188	2776	DEM6893.exe	41
PID 2776 wrote to memory of 2188	2776	DEM6893.exe	41
PID 2776 wrote to memory of 2188	2776	DEM6893.exe	41

C:\Users\Admin\AppData\Local\Temp\d40d3bf0334520dce0c75e871c396ee7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d40d3bf0334520dce0c75e871c396ee7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\DEM1258.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1258.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\DEM6873.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6873.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\DEMBD85.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBD85.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\DEM1333.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1333.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Users\Admin\AppData\Local\Temp\DEM6893.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6893.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\DEMBDD3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBDD3.exe"
        7⤵
        Executes dropped EXE
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6873.exe

Filesize
15KB

MD5
fda6f8c04d3cc193956989b9622c5a93

SHA1
a44988712a3f00d62bc0b03ad4ab8f00607c7e6a

SHA256
412464b9ef0b259b003796e5233595a285e9d24e00e38e12dcdece3ca66609ca

SHA512
01399fea5ed0696dc1d3686ec03749fcc5cb5f66f1705856229defcb4ccb8ac9c6e2af79494c7a26b66c0b75c7fd261ee46801fdd96997a34bedb5aa383ac2d0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1258.exe

Filesize
15KB

MD5
f3114505fcb9a82d7ae9736c3684eac8

SHA1
5b9008af446c845d484d9f405380802f5a469ffb

SHA256
36dfa1251cc914c5e0fa89dfd03c4f1356ccab859c16d17689c60c9d64e9d656

SHA512
279206534824b6081e6e7dc74e3627a7faa8ba8d04bb6d3de0db44554160b299e0ba0bc2cc7a898eb65ab3bc082dbe07667d768c20659b8804781be540f92a3a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1333.exe

Filesize
15KB

MD5
789472f481eedfc271b73e701fbea76b

SHA1
189a31e6832c89455abd8a674032ff6e0ae4f1bd

SHA256
dced899bc4e7028a8ca4b224474f6750d16973c4487bd5c921ecbe167f9b14b4

SHA512
aa786960eca61157a61d33892a808b8d18d506bd4bf0c9fee52369e7f4df3724b2142cca7d4a69eb48cdd1d5f0d12ab04e44b740108cf68c40728be57b15e9e4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6893.exe

Filesize
15KB

MD5
7b7463612386501890cb19c2fd38ca00

SHA1
4a62aefa8abeeb4866fe6001c1be08c1f363e38b

SHA256
8dc346a4523cfc11b3f32bcb4e33ba09f4119822edc8233774c3c809c1a43a0e

SHA512
d6f999f17dbed2c59d573de162ab53c83547effb42233daec616e860ca6f2cab836c99e35da3b0ae111bdc5bd722b34a8a5828630c311275ea41ae11c9ec086a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD85.exe

Filesize
15KB

MD5
2a11666a92f1c5799a80766b77b7fefb

SHA1
0bd660c82613be049ab78c1af83c86a7f8ccdbee

SHA256
8389cf62e160a984a77eb7c0b7344fa15974d39b7c56e9e47060e4e950905c63

SHA512
71f4609cbbe22a6cbf3ed2f62afa3adbea8b7b37fceb44d16cfd1919a1e83e8fc772e3c11cef9e8da73a3414d4505df71ef44d6ea29904ebd4e64ee9409d48e9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBDD3.exe

Filesize
15KB

MD5
2708a7d546baea1589b7bffc887c781a

SHA1
46d438acdf3d41f70dd43f2714f968a8c59e0f01

SHA256
45459d82f05aae9ca4e891f85150d0da242d32e40814b4aa56f25f5445a2021a

SHA512
b5576d8a470353646db5a2772b7a9f0f6ad2cc8fa6403da53f0f5870c12b33dfe500a6b752f54ea75f375ff3d203f04d651cd44d1e0686bdf8d7a9d482f51715

Download Submit

Analysis

Sharing