fc3d8b2d3be457943649a6880c6bf11eb280bca9170510c3528d66d856695e8e

General

Target

d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe
Size

16KB
MD5

d4c7ed7a36abf914ebce6cbb4d4eea50
SHA1

d5c5bbdd00a1f6e92cc75125695b9079d43cd417
SHA256

fc3d8b2d3be457943649a6880c6bf11eb280bca9170510c3528d66d856695e8e
SHA512

2adce04e99636145ee0f8ea52315bef5ea6afab2625cf6c04d448b063a4b2647c74f900177bcadc2c4961da970b0f6f74b5058f1c28d915523f825d4c12c11ca
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5Jo:hDXWipuE+K3/SSHgxl5i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2032	DEM27DB.exe
2452	DEM7E54.exe
2664	DEMD3C3.exe
1296	DEM2942.exe
712	DEM7EFF.exe
936	DEMD4AD.exe

Loads dropped DLL 6 IoCs

pid	Process
2128	d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe
2032	DEM27DB.exe
2452	DEM7E54.exe
2664	DEMD3C3.exe
1296	DEM2942.exe
712	DEM7EFF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2032	2128	d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe	29
PID 2128 wrote to memory of 2032	2128	d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe	29
PID 2128 wrote to memory of 2032	2128	d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe	29
PID 2128 wrote to memory of 2032	2128	d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe	29
PID 2032 wrote to memory of 2452	2032	DEM27DB.exe	33
PID 2032 wrote to memory of 2452	2032	DEM27DB.exe	33
PID 2032 wrote to memory of 2452	2032	DEM27DB.exe	33
PID 2032 wrote to memory of 2452	2032	DEM27DB.exe	33
PID 2452 wrote to memory of 2664	2452	DEM7E54.exe	35
PID 2452 wrote to memory of 2664	2452	DEM7E54.exe	35
PID 2452 wrote to memory of 2664	2452	DEM7E54.exe	35
PID 2452 wrote to memory of 2664	2452	DEM7E54.exe	35
PID 2664 wrote to memory of 1296	2664	DEMD3C3.exe	37
PID 2664 wrote to memory of 1296	2664	DEMD3C3.exe	37
PID 2664 wrote to memory of 1296	2664	DEMD3C3.exe	37
PID 2664 wrote to memory of 1296	2664	DEMD3C3.exe	37
PID 1296 wrote to memory of 712	1296	DEM2942.exe	39
PID 1296 wrote to memory of 712	1296	DEM2942.exe	39
PID 1296 wrote to memory of 712	1296	DEM2942.exe	39
PID 1296 wrote to memory of 712	1296	DEM2942.exe	39
PID 712 wrote to memory of 936	712	DEM7EFF.exe	41
PID 712 wrote to memory of 936	712	DEM7EFF.exe	41
PID 712 wrote to memory of 936	712	DEM7EFF.exe	41
PID 712 wrote to memory of 936	712	DEM7EFF.exe	41

C:\Users\Admin\AppData\Local\Temp\d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\DEM27DB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM27DB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\DEM7E54.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7E54.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\DEMD3C3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD3C3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\DEM2942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2942.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1296
      - C:\Users\Admin\AppData\Local\Temp\DEM7EFF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7EFF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\DEMD4AD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD4AD.exe"
        7⤵
        Executes dropped EXE
        
        PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7E54.exe

Filesize
16KB

MD5
548fff73d4ed26577b14847edcfb707d

SHA1
2f09791a1a4fcdcd8c8a085b66b629a6a669c9b3

SHA256
a54d6b84843b692f0a9e4459ac98cd4f6b8fff44642a58e761df3290e778de50

SHA512
d47efa79f998367e675a51ce48d0ddfdab0e88d10087ac79eaf41d9157ca78ed26dcdfac375ee4409644be2989058a22440e0e52d52b769367ede9c3a98d21df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD3C3.exe

Filesize
16KB

MD5
43294b5b299ac514f95125b5ad11d99c

SHA1
fc5bb374103115a2e6acd7846e48c6a7c61aa04f

SHA256
62d7e8dc78def2ef23c95dc0d39a40d930c9f3a7f5674643c7de62dfdb65e896

SHA512
69919e8f973a97c2b48746735ea64570c67fdaac3991669952765181a80ce268920eb7cd86a0cc9f03ec096e35d37d8ccf2c48c7d6fa3c4b9cc3bd2165cb26e9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM27DB.exe

Filesize
16KB

MD5
bb0a4117583e7a7066d2ba318ea9f064

SHA1
ba1b07d6f286a18eb4ac7fac3ff9c6a06a16b89a

SHA256
34b13fbbd4adb8023cfe0eeea9ccf595acabab0801b9ff5fc6914abd02d6251c

SHA512
75ecb4ea6ab8eca572d275397711230a1ae456621d226c752ca02a491b4ba53bc900017072c1936f39c40bfab4eefec864322a8d4756c81195db6dcbf9ec15e4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2942.exe

Filesize
16KB

MD5
89fe87f8413274590fbf682b3b0afee0

SHA1
b859742cea9909dbbc8eb139bfc8e93887f60b02

SHA256
1376e2fa289d77f663fd9a0c244ac01ccea23c8af6f4b3f1d955182a83a3d69e

SHA512
080ef78bc3b3f381ca065ceef41614e4000eb740864b67e33a8c5f6b32f4b91a104116093c5f027fc911fc5fb0c772b666ed715c6f167ce525e5b5de9bfd030b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7EFF.exe

Filesize
16KB

MD5
1829ceba50de5db0d7b90aa3da36a3b6

SHA1
88887ab12e997446d6b64261a5604aa0d2a21bd7

SHA256
7a8f612c13c60f167cc3ae3122bfb8094416c5f782ae1f79476a5e5bb536ee51

SHA512
20cc3a8258c26e46ccb06a526f805a3c4dea9aecdfe646b6682b1772e6a33feaf89cab831ec2d5d47650ea02868e615a6d692da72f24b25282d381aa739bc43a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD4AD.exe

Filesize
16KB

MD5
4a4eb43afcf4f025df4abe12ac7a119a

SHA1
e10a94bb7eaa2da0eb145b1d3c7703f05162cee8

SHA256
a094dede79200dcb1520a28a6c6cc69656b1305ce062855bb68b0e51e7211133

SHA512
50a44a29f77acadf3bdcac7b5746ed19c9113c72c03958bc916a989d6cbba75996292fadc7e70b77f454ebd0005f3eb7009a38c56344d841f1c07df28e37dfaa

Download Submit

Analysis

Sharing