503c792e8a1045b0b522e7eb53c4453f89577e54b5dcd591ffc6e8fc9d463d53

General

Target

d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe
Size

14KB
MD5

d860e55a2586cd2b8659dfa853d4aa03
SHA1

cc37f985718e35c3c61e395030b1505136c84470
SHA256

503c792e8a1045b0b522e7eb53c4453f89577e54b5dcd591ffc6e8fc9d463d53
SHA512

3a91a791c30ac7d45af1fc9dde0263d787533522381633366b1ae799199b232fbe59584df1a70392083a585c6ec1907d678059532d275bf2a61b8ab1ab3a2846
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRl5T:hDXWipuE+K3/SSHgxXT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2612	DEM1A16.exe
2436	DEM7021.exe
1844	DEMC590.exe
1308	DEM1B0F.exe
2948	DEM7050.exe
2064	DEMC60D.exe

Loads dropped DLL 6 IoCs

pid	Process
1032	d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe
2612	DEM1A16.exe
2436	DEM7021.exe
1844	DEMC590.exe
1308	DEM1B0F.exe
2948	DEM7050.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2612	1032	d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe	29
PID 1032 wrote to memory of 2612	1032	d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe	29
PID 1032 wrote to memory of 2612	1032	d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe	29
PID 1032 wrote to memory of 2612	1032	d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe	29
PID 2612 wrote to memory of 2436	2612	DEM1A16.exe	31
PID 2612 wrote to memory of 2436	2612	DEM1A16.exe	31
PID 2612 wrote to memory of 2436	2612	DEM1A16.exe	31
PID 2612 wrote to memory of 2436	2612	DEM1A16.exe	31
PID 2436 wrote to memory of 1844	2436	DEM7021.exe	35
PID 2436 wrote to memory of 1844	2436	DEM7021.exe	35
PID 2436 wrote to memory of 1844	2436	DEM7021.exe	35
PID 2436 wrote to memory of 1844	2436	DEM7021.exe	35
PID 1844 wrote to memory of 1308	1844	DEMC590.exe	37
PID 1844 wrote to memory of 1308	1844	DEMC590.exe	37
PID 1844 wrote to memory of 1308	1844	DEMC590.exe	37
PID 1844 wrote to memory of 1308	1844	DEMC590.exe	37
PID 1308 wrote to memory of 2948	1308	DEM1B0F.exe	39
PID 1308 wrote to memory of 2948	1308	DEM1B0F.exe	39
PID 1308 wrote to memory of 2948	1308	DEM1B0F.exe	39
PID 1308 wrote to memory of 2948	1308	DEM1B0F.exe	39
PID 2948 wrote to memory of 2064	2948	DEM7050.exe	41
PID 2948 wrote to memory of 2064	2948	DEM7050.exe	41
PID 2948 wrote to memory of 2064	2948	DEM7050.exe	41
PID 2948 wrote to memory of 2064	2948	DEM7050.exe	41

C:\Users\Admin\AppData\Local\Temp\d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\DEM1A16.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1A16.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\DEM7021.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7021.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\DEMC590.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC590.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\DEM1B0F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1B0F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Users\Admin\AppData\Local\Temp\DEM7050.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7050.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\DEMC60D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC60D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7021.exe

Filesize
14KB

MD5
b6aacc0673398e6d4603c2e82910b8c8

SHA1
5231f0f9d74b5dab5d4000ebf7be7f5fc2465d9b

SHA256
35c4ff71b4be3e204e0c65c8490eebc10ac2a343bb53f71a7cf78d52e18ff7d3

SHA512
92896011d0dfd5fc5986b34340587632518d05bca320f6c9b54717bcbc8de5dc815454348a1b10f6e198769e192601df6f9d94fe8402867f008955e6e5be2923

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7050.exe

Filesize
14KB

MD5
8c4057cc6952349118956674e7af84f9

SHA1
7b6bb70a7e04402bfc722843baa455220c4b04a5

SHA256
26bfb9ba306b08e7d6a5a8eac5bab66a2cfecd5f04c8dcd675ea628307893ee5

SHA512
279ea0ab3d2e2d957fd3c11f047bd57c17ef8c268630eacb88e113405541202dd022dbd0cc42b45ced8ceda9c781b9919a36ecc418b47af9037ce5dcc577295f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A16.exe

Filesize
14KB

MD5
4fa90f3e53e579ed03b673ab24f54d5b

SHA1
98783b907848b8cf070b1ca1c3ecbb91e1fc5954

SHA256
207c93a68c68c7a1c82413942d7b6b66fc4d91b79817b8c7f2b3517d8223c59f

SHA512
31ea5cc50e736df5c38c4f54e229572a16e116c612482eb991284700b4526c56da69192261ed87dd79278f0ccb99858cd5c5fb8aeab8bf364694bf112421e091

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1B0F.exe

Filesize
14KB

MD5
baee4bd2c9487594927816c6d28f1d51

SHA1
d410179c46ec9731ea29d597a52c8a7d59f7af29

SHA256
46e39e3f78ff1ddedb943b8b6318cceb78295a86cdd8995d35da0b6f923da4c9

SHA512
d9bb64054c1412ad6e0c09bdfa6606e54a53dbc96794ede5979a06b9bb4870644e112c5a100bf799835bd66e3b7dd129640dd0a397e1312e71b1d2f321ccc79a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC590.exe

Filesize
14KB

MD5
d592949c6723a0b3f10f76c80ff3dc6b

SHA1
ea731a60f8c49130fe21b6779d0e7e9e76bfbe75

SHA256
210cccc344680e34ff95fba739d07d552867b444cababf38ec9826bbf65f86e2

SHA512
6366fdbe9b27396220dc023b6d00e9fed9f69ea49428f9a6bede4f903e26d4fb4be3fa40d06f43ef43a6ccef3f3db8e77e624583c054c633e9ceabb6a7bd13bb

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC60D.exe

Filesize
14KB

MD5
a1728c1fbe1f8fab3065d25b677e3f6a

SHA1
f3ffae785f7f61d6f3b259ad9ee3f8a03fc59b89

SHA256
f7a910777226085c82bc0d585f9cce8e37e262a95b95935eebf2c4b5ff453875

SHA512
9694909122198b82cad65587a5651f3dbb4ff8005859f101ee0a6d1c4a5456ab8b2ece838ec55c7801acd32b906223396b8cbb50df21fccb3560cb5dc79aade8

Download Submit

Analysis

Sharing