21b659bbc59593ae8e08f0192a657bb2028d5efff1453080c878c894461656d2

General

Target

d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
Size

15KB
MD5

d7edc031b01cd05e9e9e2ec5bb2a653d
SHA1

c3bc79316add683361103d4662ea6c3c903e6d2f
SHA256

21b659bbc59593ae8e08f0192a657bb2028d5efff1453080c878c894461656d2
SHA512

a4324105c1e48ca9a6d9cb903235555d5bb41475b93a3ec2d54c9cbb3195a752ede30d81c930dcd84f946140b0753176d60784c396d2c115ca879869db3dbdd6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/wrW:hDXWipuE+K3/SSHgxm/F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2604	DEM4106.exe
2436	DEM9695.exe
2676	DEMEBF4.exe
2292	DEM4154.exe
596	DEM975F.exe
2276	DEMED6B.exe

Loads dropped DLL 6 IoCs

pid	Process
3048	d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
2604	DEM4106.exe
2436	DEM9695.exe
2676	DEMEBF4.exe
2292	DEM4154.exe
596	DEM975F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2604	3048	d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2604	3048	d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2604	3048	d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2604	3048	d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2436	2604	DEM4106.exe	33
PID 2604 wrote to memory of 2436	2604	DEM4106.exe	33
PID 2604 wrote to memory of 2436	2604	DEM4106.exe	33
PID 2604 wrote to memory of 2436	2604	DEM4106.exe	33
PID 2436 wrote to memory of 2676	2436	DEM9695.exe	35
PID 2436 wrote to memory of 2676	2436	DEM9695.exe	35
PID 2436 wrote to memory of 2676	2436	DEM9695.exe	35
PID 2436 wrote to memory of 2676	2436	DEM9695.exe	35
PID 2676 wrote to memory of 2292	2676	DEMEBF4.exe	37
PID 2676 wrote to memory of 2292	2676	DEMEBF4.exe	37
PID 2676 wrote to memory of 2292	2676	DEMEBF4.exe	37
PID 2676 wrote to memory of 2292	2676	DEMEBF4.exe	37
PID 2292 wrote to memory of 596	2292	DEM4154.exe	39
PID 2292 wrote to memory of 596	2292	DEM4154.exe	39
PID 2292 wrote to memory of 596	2292	DEM4154.exe	39
PID 2292 wrote to memory of 596	2292	DEM4154.exe	39
PID 596 wrote to memory of 2276	596	DEM975F.exe	41
PID 596 wrote to memory of 2276	596	DEM975F.exe	41
PID 596 wrote to memory of 2276	596	DEM975F.exe	41
PID 596 wrote to memory of 2276	596	DEM975F.exe	41

C:\Users\Admin\AppData\Local\Temp\d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\DEM4106.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4106.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\DEM9695.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9695.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\DEMEBF4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEBF4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\DEM4154.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4154.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Users\Admin\AppData\Local\Temp\DEM975F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM975F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\DEMED6B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMED6B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4154.exe

Filesize
15KB

MD5
ce2a2c617d3f2e54239df32d201038c2

SHA1
e8f73781d8458a7c3d389fbc37f3c6ec7dec41e5

SHA256
700b980c7261173cbf0a61064e1da9d40965ded24c62f23c0a95e96df2223445

SHA512
e3121e70202582e3595ec937b54360c12265f32b7145601e4b45f5f701183d729e738e85f108b6117a7735c34f08c2b1759917af684dad0ca6b127ff0640b32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9695.exe

Filesize
15KB

MD5
d1790da45a5f63540c09646e7818fa83

SHA1
817fd4338bdc17dad7f1ac5fd8f94f9db089c1ae

SHA256
c9bd3fef07adfd5ca6f8ebdd9deebf12cacce5eac538014ded9e04e60e3f497c

SHA512
68b5fea4f33cf8c115d949184c01679cf0ab6800206a68de369580b08f426b41b48fffade8796946820d088b939475f2468812d3a3f341445338f75ead5d7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM975F.exe

Filesize
15KB

MD5
4226ebcc5c151caacf8af150a85f3642

SHA1
5b8f60ab8dede90be9d2f4beb897ac6844bef495

SHA256
4c23c97352ed8588a0d8355d982bfb969324c7d0cd11f4f80fd950ca6e2d2441

SHA512
f49d89ccc5fc0a7ad02cb4d6d9fb749db02a0914224a1fe4e727a55949b1ed7279b92b1b3d1e317b39441c07dc703b028ee8853adbbf0e049a7648954deb1b47

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4106.exe

Filesize
15KB

MD5
2dff6de5fab792dca543f0889cfc27ff

SHA1
1dd2e4ae27122c4674b482e7e130009a071c0e90

SHA256
bbe101c22f1006686f7ef03f9f00f04b22072f594275f5b8a99694f545baf76d

SHA512
799e59ebe67c8e93cec7e9360f96adf60d083f38c0acbf0966993fccd52b4f14713b7f7e91102e01a24179dd45999ba53891a97d79f35bfd98b4073bb99928be

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEBF4.exe

Filesize
15KB

MD5
f985ab42b6dc27743b698bd8ba9ab816

SHA1
c456f85ce3586eb28b08a6a27745ccc9ef0fdb4d

SHA256
a2695c0301a6a9ef355e07b7fd0457d22f1705b9c0801433d9f31f625b95b305

SHA512
03aebca733b10571e45e3bb11e8a3a74f97228c3a5a6633d5bac03cf814d13cb9325ec6f12072ffa356943124b9aa151544b67de6e9bfebc723b69779afb0fbc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMED6B.exe

Filesize
15KB

MD5
8de0c9370c7246bcd67e44ee259ea126

SHA1
c7529c41b4dc435b3e584fe9f4daad56d0b9af53

SHA256
298be030e6eda42c8213d2584b6f628936910027d8570e41a82907ef4334bdec

SHA512
4810e283ff0d60de304786e5d1753445cabd9fbaa1eff6185bd1e2afc0973e28ab690564f4a5551c13f88f386dca3bace08c78ff0958750a7c480e9d97c46956

Download Submit

Analysis

Sharing