a56235728ba2871b53b27ea41139b183c4a5d11a76f3187beaca63730df5b560

General

Target

d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe
Size

15KB
MD5

d68c702351756d970a4f81c64823fd4b
SHA1

f42d712a0a5e05209462fc7ce0f4eb8e250d8f6e
SHA256

a56235728ba2871b53b27ea41139b183c4a5d11a76f3187beaca63730df5b560
SHA512

cdae8b5720d96b1d2c3f7f0146f06c97cca1bc18f3d53aabd4ba4260727071a24016f9dc9d2badd9fe7c67e175ac666f165b2b12561386dd33baf6abc1f02f7c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJdS:hDXWipuE+K3/SSHgxhS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2680	DEM25AA.exe
2924	DEM7C03.exe
2720	DEMD134.exe
1556	DEM2684.exe
2156	DEM7BB5.exe
2236	DEMD105.exe

Loads dropped DLL 6 IoCs

pid	Process
2700	d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe
2680	DEM25AA.exe
2924	DEM7C03.exe
2720	DEMD134.exe
1556	DEM2684.exe
2156	DEM7BB5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2680	2700	d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe	29
PID 2700 wrote to memory of 2680	2700	d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe	29
PID 2700 wrote to memory of 2680	2700	d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe	29
PID 2700 wrote to memory of 2680	2700	d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe	29
PID 2680 wrote to memory of 2924	2680	DEM25AA.exe	33
PID 2680 wrote to memory of 2924	2680	DEM25AA.exe	33
PID 2680 wrote to memory of 2924	2680	DEM25AA.exe	33
PID 2680 wrote to memory of 2924	2680	DEM25AA.exe	33
PID 2924 wrote to memory of 2720	2924	DEM7C03.exe	35
PID 2924 wrote to memory of 2720	2924	DEM7C03.exe	35
PID 2924 wrote to memory of 2720	2924	DEM7C03.exe	35
PID 2924 wrote to memory of 2720	2924	DEM7C03.exe	35
PID 2720 wrote to memory of 1556	2720	DEMD134.exe	37
PID 2720 wrote to memory of 1556	2720	DEMD134.exe	37
PID 2720 wrote to memory of 1556	2720	DEMD134.exe	37
PID 2720 wrote to memory of 1556	2720	DEMD134.exe	37
PID 1556 wrote to memory of 2156	1556	DEM2684.exe	39
PID 1556 wrote to memory of 2156	1556	DEM2684.exe	39
PID 1556 wrote to memory of 2156	1556	DEM2684.exe	39
PID 1556 wrote to memory of 2156	1556	DEM2684.exe	39
PID 2156 wrote to memory of 2236	2156	DEM7BB5.exe	41
PID 2156 wrote to memory of 2236	2156	DEM7BB5.exe	41
PID 2156 wrote to memory of 2236	2156	DEM7BB5.exe	41
PID 2156 wrote to memory of 2236	2156	DEM7BB5.exe	41

C:\Users\Admin\AppData\Local\Temp\d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\DEM25AA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM25AA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\DEM7C03.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7C03.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\DEMD134.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD134.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\DEM2684.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2684.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7BB5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\DEMD105.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD105.exe"
        7⤵
        Executes dropped EXE
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7C03.exe

Filesize
15KB

MD5
7832d13ce418bdafdbfde53423c1d36d

SHA1
80725325160ffb22b9db59b04c5990a331828527

SHA256
7682e16772628115a1a34ecb9b28ce97bcfcfd50e3e76d3c8f44bcccd2e4e2ab

SHA512
7e945585e263dc503c4508d01c76847868850ec3a557cba4a9444451dce6098556991d34bc3609ce79d230195274872a0424e8fc135fad1b1370c40aa21cd543

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD134.exe

Filesize
15KB

MD5
2de2036c50a221e2f37bd705da546d4e

SHA1
342e300032753fa297ab2114f552bdcd6a09ef39

SHA256
b08651ab379d29824ae7771226716cebcfec2f6bf494298b2f223dd6b9f32a90

SHA512
5afaaa3f8f76db93ad3bf58da1f1e063ec08e47a6f0c15c89901500146f8010aa99d77a987115a8039a5b2c8cfbfb6aba4598e67c8152cf56fed83f7f4faeadf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM25AA.exe

Filesize
15KB

MD5
9926bee87bf9eab9af63ea28c13b7767

SHA1
f3a9f55a9476190bced7ee66a740d5a73c24b614

SHA256
5cdedfb2868fac53e371a97acb26f1c1921a78f8ad4790acb82386f68328c3d4

SHA512
ee0c2a925a6347a0a4a1bf17a8e0d381168a328fc080ba357f5dc45c352bc0c8343f88e23b19ec6fc97996a9844bdb2183de313dddb20c95d359a70460cdd235

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2684.exe

Filesize
15KB

MD5
690a8eb417e321ead031418143b23696

SHA1
4dc4db58b256216b4303da240e1157dcc1a1ab98

SHA256
fccb6f42bf936f7bdd678e3f616502b8d7a08fe5427ac8391125a0f4b3592084

SHA512
e26650009daa67b510b6013dc1c08fceb9bba0cf977d4399b45cbcd95d5167ee4678e5805c0227552e32517530106ced0f2159a871e4e8d264b8562712b625b0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7BB5.exe

Filesize
15KB

MD5
1d6b14ff3a52bd22fcee2e88cd87f86f

SHA1
13d1516851ea9db3230efa298f468400e84050fa

SHA256
cbb26e5ed57f06077bf352eed1771febe60b1395b0446e2ccca7d8d8d2b7dd62

SHA512
5ef59b2443644a2e07ef0fc3f3da97ca3d869d1b434f9b918805f6c74c020045d124f28ce6f2925cb95f5bff595b565f54bb5c3abbc3c0bb5c0184e7c8b3b632

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD105.exe

Filesize
15KB

MD5
b73b757c8980926ed81951793eb23806

SHA1
83e32e70306f48a940043f0d118338b362e7688e

SHA256
928d40de0d930fe7ddb9d5f88f2d08ad0a310febe8f2b8bd221ac8ce949b9fab

SHA512
9aab49e5111cece1efef3b2cb3004fc470b2f2d9b873c2dd8b7542cb4dd144c0d8308b64c8736b7ac250551f8c5ded114a774f377d051cfcde038aeae7011179

Download Submit

Analysis

Sharing