2b78280b77d00f17d0ad606906d18056b2a91f040e72e9bd40aba115b59f3959

General

Target

d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe
Size

14KB
MD5

d77c373cce8d458d876716a0c63ae82f
SHA1

ddbea85ae8e706b690f9c10229b4af9dd810ca9b
SHA256

2b78280b77d00f17d0ad606906d18056b2a91f040e72e9bd40aba115b59f3959
SHA512

c184b2803732d60097c79ed92981b15fe4266be878c7ec4b5347f73a94406abbd788d2ff8d69c1161030255cb3aa5d303bd33cc82654c2b800d2b61e0b1faf2b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYsZ:hDXWipuE+K3/SSHgxmq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2688	DEM50CE.exe
3004	DEMA7C4.exe
2908	DEMFDB0.exe
2764	DEM5496.exe
1616	DEMABE9.exe
2188	DEM2AF.exe

Loads dropped DLL 6 IoCs

pid	Process
2244	d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe
2688	DEM50CE.exe
3004	DEMA7C4.exe
2908	DEMFDB0.exe
2764	DEM5496.exe
1616	DEMABE9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2688	2244	d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe	29
PID 2244 wrote to memory of 2688	2244	d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe	29
PID 2244 wrote to memory of 2688	2244	d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe	29
PID 2244 wrote to memory of 2688	2244	d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe	29
PID 2688 wrote to memory of 3004	2688	DEM50CE.exe	33
PID 2688 wrote to memory of 3004	2688	DEM50CE.exe	33
PID 2688 wrote to memory of 3004	2688	DEM50CE.exe	33
PID 2688 wrote to memory of 3004	2688	DEM50CE.exe	33
PID 3004 wrote to memory of 2908	3004	DEMA7C4.exe	35
PID 3004 wrote to memory of 2908	3004	DEMA7C4.exe	35
PID 3004 wrote to memory of 2908	3004	DEMA7C4.exe	35
PID 3004 wrote to memory of 2908	3004	DEMA7C4.exe	35
PID 2908 wrote to memory of 2764	2908	DEMFDB0.exe	37
PID 2908 wrote to memory of 2764	2908	DEMFDB0.exe	37
PID 2908 wrote to memory of 2764	2908	DEMFDB0.exe	37
PID 2908 wrote to memory of 2764	2908	DEMFDB0.exe	37
PID 2764 wrote to memory of 1616	2764	DEM5496.exe	39
PID 2764 wrote to memory of 1616	2764	DEM5496.exe	39
PID 2764 wrote to memory of 1616	2764	DEM5496.exe	39
PID 2764 wrote to memory of 1616	2764	DEM5496.exe	39
PID 1616 wrote to memory of 2188	1616	DEMABE9.exe	41
PID 1616 wrote to memory of 2188	1616	DEMABE9.exe	41
PID 1616 wrote to memory of 2188	1616	DEMABE9.exe	41
PID 1616 wrote to memory of 2188	1616	DEMABE9.exe	41

C:\Users\Admin\AppData\Local\Temp\d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\DEM50CE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM50CE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\DEMA7C4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA7C4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\DEMFDB0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFDB0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\DEM5496.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5496.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\DEMABE9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMABE9.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\DEM2AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2AF.exe"
        7⤵
        Executes dropped EXE
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA7C4.exe

Filesize
14KB

MD5
678403942addedc2eb8933e46065af28

SHA1
15f9d3e21b695a5e4b9e655816828a3a58cbdd88

SHA256
16dc97a819f86ee2555bcf8c8b9bcd75f66ddd48929eb0d2d3ffdbd4657638aa

SHA512
c1ca3a00ea881062a11d781170f7084121fc5dad55536ed7045e4b443d7082d3102ea2f06496dc959443ac790a8c6e6c10d9d31e77fb3770f0e9fbc9fe8bc66b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2AF.exe

Filesize
14KB

MD5
e5ffae360f1dc54d43bad32c1561ab46

SHA1
1dd7c5c30b54e1c91b45a44eac8a092eddef6ea3

SHA256
7cde80850b2e4d57311292b65462d16f09b7f60a5b44aac3be601f9ac34e5fc5

SHA512
f3b355a71e9b108e438b6d82fbbdfbbaf72358f5e6dba1a786f30665badc6b7748c97b5592f338265c30e7e59d86e328d263f6d21071d28849311ddb9340d31c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM50CE.exe

Filesize
14KB

MD5
c8c5f226a0db12374f74eace10f3e7fa

SHA1
1c2f5af04c14d55ee724d010a0984dc4cc2c095c

SHA256
0f4896d793f57b747436751be5f8d95fc2b226a7815d3b3a824c81563583700b

SHA512
a3dbed578d7d9e1144c37771443edad136b8112a4b18d3724aee4d084724dcf3c15620cd06c7d9f1728c2b0d45e743aba64d921b02f3c430d0a9c96fe43a89d5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5496.exe

Filesize
14KB

MD5
fb43ff9a2ef94071ffbb7d0dc7b7c04f

SHA1
931c6e943f2b316fe47e02fcbfc3711b04015046

SHA256
2bbeb1e7e50cb7d6652b89dd413496b4ccb1a02e4585bee6ff25f4cfe414aa58

SHA512
63b158e1a27fa93e7d08c2551b0a1eb6ce9f8a036b75e2f37b54de915de235abbdd530a2e2571d65d105569421130b6213819cf8e24fbd64564a34e3130602e5

Download Submit
\Users\Admin\AppData\Local\Temp\DEMABE9.exe

Filesize
14KB

MD5
599b4f7cd648555c3281dd3bc630fb2f

SHA1
4c8d8ea79ca7e97cd4e7d7410817ced5a7c949a5

SHA256
841cace685fd794f39ab22e5f880aa10b97e56cc4f5a209f90207671d7345a8b

SHA512
4a3ba7485dedab100b346e5cd8baefb5fe235f0d57b47a110e61a8bc8bec9569d6285d569ca956b3817cfec92ac38a3c1a6ef29c09c2a87ab2bddeba1e30f2aa

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFDB0.exe

Filesize
14KB

MD5
c703ebe41e2d62093667bfb01849ac84

SHA1
ba64d8211042df1605a6181559c7d29e7d83b8a8

SHA256
3b559aec32bd4cb79c361e4f7d8655713424fd160f5afd414181ca52c2ea1c8d

SHA512
d5e73852890dcc587dfb8128a018bc313a123b97ab96921000454c409310071dc21ca3560112164664af2c80ac3a6d780783c81bd1fe9cd9160b92da7405a9f1

Download Submit

Analysis

Sharing