81b20134ef8bbd42de4d5f0a584c8ef719fd5bd44929444a3b3a04aa4ffeafab

General

Target

d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe
Size

14KB
MD5

d862237b3256fdf5f89d0ce6a1d706f9
SHA1

86d3a6f746747807e69f1556a66d87f008850a29
SHA256

81b20134ef8bbd42de4d5f0a584c8ef719fd5bd44929444a3b3a04aa4ffeafab
SHA512

1df8575972617c074fcad80b2b3a5df876664ba4e541ef990d8b8388824de6eb795a8c8752a441e230a0d2cd5eb45acf09926a9f8d54a34e30545a9eb69cc5d4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq5:hDXWipuE+K3/SSHgxmq5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2628	DEM1FA1.exe
2548	DEM74E2.exe
1444	DEMCA41.exe
240	DEM1F63.exe
844	DEM7494.exe
1968	DEMC996.exe

Loads dropped DLL 6 IoCs

pid	Process
3040	d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe
2628	DEM1FA1.exe
2548	DEM74E2.exe
1444	DEMCA41.exe
240	DEM1F63.exe
844	DEM7494.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2628	3040	d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe	29
PID 3040 wrote to memory of 2628	3040	d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe	29
PID 3040 wrote to memory of 2628	3040	d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe	29
PID 3040 wrote to memory of 2628	3040	d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe	29
PID 2628 wrote to memory of 2548	2628	DEM1FA1.exe	31
PID 2628 wrote to memory of 2548	2628	DEM1FA1.exe	31
PID 2628 wrote to memory of 2548	2628	DEM1FA1.exe	31
PID 2628 wrote to memory of 2548	2628	DEM1FA1.exe	31
PID 2548 wrote to memory of 1444	2548	DEM74E2.exe	35
PID 2548 wrote to memory of 1444	2548	DEM74E2.exe	35
PID 2548 wrote to memory of 1444	2548	DEM74E2.exe	35
PID 2548 wrote to memory of 1444	2548	DEM74E2.exe	35
PID 1444 wrote to memory of 240	1444	DEMCA41.exe	37
PID 1444 wrote to memory of 240	1444	DEMCA41.exe	37
PID 1444 wrote to memory of 240	1444	DEMCA41.exe	37
PID 1444 wrote to memory of 240	1444	DEMCA41.exe	37
PID 240 wrote to memory of 844	240	DEM1F63.exe	39
PID 240 wrote to memory of 844	240	DEM1F63.exe	39
PID 240 wrote to memory of 844	240	DEM1F63.exe	39
PID 240 wrote to memory of 844	240	DEM1F63.exe	39
PID 844 wrote to memory of 1968	844	DEM7494.exe	41
PID 844 wrote to memory of 1968	844	DEM7494.exe	41
PID 844 wrote to memory of 1968	844	DEM7494.exe	41
PID 844 wrote to memory of 1968	844	DEM7494.exe	41

C:\Users\Admin\AppData\Local\Temp\d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\DEMCA41.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCA41.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\DEM1F63.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1F63.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:240
      - C:\Users\Admin\AppData\Local\Temp\DEM7494.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7494.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\DEMC996.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC996.exe"
        7⤵
        Executes dropped EXE
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1F63.exe

Filesize
14KB

MD5
c90c43700be47fc3268eaabff7d629b2

SHA1
083323db94a9994a3840a7ea1903dba6ee8f3c99

SHA256
e6d5404b9c7a8454000ad28bf7cc1585c6bd71e954611f352dc2b4d6fd73f22d

SHA512
6a307d264f31c2b834a510f432c5921c111c7942e89192b4be2c8dbe9c9d1d000f2acba10fd43d252eb5bb7e0250d500a59a4d928c00acceb6436cb25738df58

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe

Filesize
14KB

MD5
29d6b913963ce228f59494f3f0610784

SHA1
27aaa10fc199f9dfb9937b8757ea31bf157e7847

SHA256
b49782273ef05f151df5eba49d0d1c629ac519501e61be5615974397a89dc4d1

SHA512
71efebc3ab0238fc09fd15fcf5c2b4623c7d4a63f88f157b6210dd48ca1e98374d0e0ea19abf434c01bb328e8bd0337789d2724ff2ff45678f5eac4a58701df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA41.exe

Filesize
14KB

MD5
0f291071da55617d36bb2e3bc4499926

SHA1
e4f88ed4b6019c3750875eec0c9389257a1c2a77

SHA256
f0344300668bb59a8d04e22ece4ea680e0efc0607f91a310e19d09be26f60bda

SHA512
27866ab3089853d10267b635311f86afb37cc5824dd3d8718a51ed12d38e31f55c4ae6624a39b43944b400571e9ee9ff735539b40aa63910b40e11df2194bf9a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1FA1.exe

Filesize
14KB

MD5
2e3c41febda09359579b9e8c1a1793f2

SHA1
0fa4790a6ee30de5a4bac5080d67b653e85c02da

SHA256
6c18aa0c3b373ca6b1e41ff3b1c6716a85daea03b858c93cb0fbdfd59738817d

SHA512
1552548b5d279eec9f0da080a73e8ccfcbeb16cbf8aae45382dbc1601041ba6b5b0a6e262228f8611508f56963ffd863bc0b59a03d55702b53bb759d141dbece

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7494.exe

Filesize
14KB

MD5
c8837de68bd8d9bb3fc9eb0b990b1229

SHA1
413e7a750bdcd766d64288ecbedd62ba3e60ed20

SHA256
50f79586f606e95771c0d9014fa6ab6fc3f9470830a233720d7200d6b4f26856

SHA512
b08e7f73a04d5f669627b687eee7ffaf20ad79c1313ffef6cfb2ca06ae5b8fbf216b83491af4d38b723f71943898262b162c93b3684b77643fb4d8f5fe712255

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC996.exe

Filesize
14KB

MD5
5f1e18801e3c9b2072a867522c5a49f5

SHA1
896a02c5d6c2b07ab2f6bd6f2a76e40205dc3958

SHA256
6c71e8ca4ca07d212e2ee867a25f8a34602e3782482d3d225d920fc09d3035ba

SHA512
07755fd004e3c98a4f01d7f4ff0829a8cb1af76f23fdbdf48971bc12ea28e68f25ccf981292d6a4caa858e259ed9b748f90b99b4a362fa8522ad0abc0a803f8c

Download Submit

Analysis

Sharing