1a49ffd275da8d53f46b00f227a56a4a65f1bd72cb94f354dbed4b9922c20a50

General

Target

d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe
Size

15KB
MD5

d6821f0144fb2cc300d39173a2247b14
SHA1

636370ab5731df90a580c7e945def8a1d2fe577f
SHA256

1a49ffd275da8d53f46b00f227a56a4a65f1bd72cb94f354dbed4b9922c20a50
SHA512

0bca3159a377a505e67c74e207ce69987124a07b677ad10638a3f68127506d28e6a78a8bd0528b7c9ecff735d301d9e8de709680a580642198c98e688e8c4178
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5Xr:hDXWipuE+K3/SSHgxmF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2244	DEM57C1.exe
2424	DEMAD6F.exe
2728	DEM2DE.exe
1720	DEM588C.exe
576	DEMAE0B.exe
2312	DEM416.exe

Loads dropped DLL 6 IoCs

pid	Process
2760	d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe
2244	DEM57C1.exe
2424	DEMAD6F.exe
2728	DEM2DE.exe
1720	DEM588C.exe
576	DEMAE0B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2244	2760	d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2244	2760	d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2244	2760	d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2244	2760	d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe	29
PID 2244 wrote to memory of 2424	2244	DEM57C1.exe	33
PID 2244 wrote to memory of 2424	2244	DEM57C1.exe	33
PID 2244 wrote to memory of 2424	2244	DEM57C1.exe	33
PID 2244 wrote to memory of 2424	2244	DEM57C1.exe	33
PID 2424 wrote to memory of 2728	2424	DEMAD6F.exe	35
PID 2424 wrote to memory of 2728	2424	DEMAD6F.exe	35
PID 2424 wrote to memory of 2728	2424	DEMAD6F.exe	35
PID 2424 wrote to memory of 2728	2424	DEMAD6F.exe	35
PID 2728 wrote to memory of 1720	2728	DEM2DE.exe	37
PID 2728 wrote to memory of 1720	2728	DEM2DE.exe	37
PID 2728 wrote to memory of 1720	2728	DEM2DE.exe	37
PID 2728 wrote to memory of 1720	2728	DEM2DE.exe	37
PID 1720 wrote to memory of 576	1720	DEM588C.exe	39
PID 1720 wrote to memory of 576	1720	DEM588C.exe	39
PID 1720 wrote to memory of 576	1720	DEM588C.exe	39
PID 1720 wrote to memory of 576	1720	DEM588C.exe	39
PID 576 wrote to memory of 2312	576	DEMAE0B.exe	41
PID 576 wrote to memory of 2312	576	DEMAE0B.exe	41
PID 576 wrote to memory of 2312	576	DEMAE0B.exe	41
PID 576 wrote to memory of 2312	576	DEMAE0B.exe	41

C:\Users\Admin\AppData\Local\Temp\d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\DEM57C1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM57C1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\DEMAD6F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAD6F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\DEM2DE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2DE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\DEM588C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM588C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Users\Admin\AppData\Local\Temp\DEMAE0B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAE0B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\DEM416.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM416.exe"
        7⤵
        Executes dropped EXE
        
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM416.exe

Filesize
15KB

MD5
b6b6276baeac9eff63466e9503f325f4

SHA1
301a1ef1ce9533a990c4913a46853f6f8c31487b

SHA256
a7f89f5ed5a88c9c40d4e7dac0c1cfc33b0d2d67adda9a0167d54c8ed3219ca3

SHA512
17a923eb90cf22a74a6e841264bf134dce9cdf707e4011a8babbb57fadda0d8857a00ae841d27a245763ff88aff68bf63c390846cdb836a866098ddf345f689e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM57C1.exe

Filesize
15KB

MD5
f0dbb7f29bf728beb4e5ec4a33cdd99c

SHA1
8be4b0cd205ca83ddffa3d0a6ea722b3e2855bb3

SHA256
b50af4dfc866bf9a1e1ddca0bf05f93142539b7edaab604978892dff7642e8ac

SHA512
c926cdb7807842c3a8dd0a90a29553195c35fa988b3011c278441da2ffe3936c1ef04090a42722153ea6c8fab032d109281d2ad94ea3d2a6688a471c54a0a74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAD6F.exe

Filesize
15KB

MD5
787c2b2780c740fd1565adbb9a309d7a

SHA1
5d17400e78c61dcef95f4db077204e3ab5c7bda9

SHA256
c4f54dfa0439bf80e5c72d8a44cd494e6b643e398559d4a5485c9492c056fa19

SHA512
a3801d970e66c4bd282c55373978bc8213d1c205e1f9a2ec5f803f797421f7fc7b024adb751c8a50886dfea46647649cadb5c780a18b3f67bd258659d1cf174f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2DE.exe

Filesize
15KB

MD5
6b0e40924329d687be616a26304dcca8

SHA1
1b8a963e43f8d48827c0421386a0b90280999cf5

SHA256
9c3a9723693948d6365614e832ef1855e25da7a017602e82a851aa886011c00f

SHA512
3866cf0a3d212d1b67570a93936f9315faf6f9cee797db7be649304ecd63e82fe4c95dbb2e1c5835bd77f5f39c6f02b276fc70dc24a38cbc810361517e0ec5f4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM588C.exe

Filesize
15KB

MD5
030212f59f45a58a1e7ed09b41dcb2f3

SHA1
d59b518f10babf31106ad8a92fb5cf09d2d6ef03

SHA256
e13bc21a64729da444506dd6c3b030e42f463ca7830e1e0fcb9a069e5416f422

SHA512
5ed0489bafae5dfac1363f84a76423b8c711f70d4e7f7563cfbce58de3a198b1d8857512e22fe3b63428d50fc0f97e68ebd3f9a46c18fdf7bdc15eacd2a34584

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAE0B.exe

Filesize
15KB

MD5
3137cf197882b30fdfbc2c9b1c7b3611

SHA1
1630d1078a45eee08657df00f2ae868960a22309

SHA256
4ceb961bd607efdfe685dcd0426553338b68ffb6bad2d2bfe45a67642eee910d

SHA512
38489b30b9b1d6d2accc9f73bdd557eee688bf3b5a8a64709e8e3d4d4d412fd24eba94f2465aa72534736a6185e0b63a10cba83698b7b35ebdf94b6313dc737d

Download Submit

Analysis

Sharing