e2201e28ccda76d68bdbb39c80bf1479cf0ed95d04ee14accc607e474e958191

General

Target

d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe
Size

14KB
MD5

d9ff59836649af5710c2746eda8893b9
SHA1

10af06349e619e77fcc51f23f5c21e3236ceaee7
SHA256

e2201e28ccda76d68bdbb39c80bf1479cf0ed95d04ee14accc607e474e958191
SHA512

aa336adb61e84067ce838f3005a8d5fcd2778ab7562c4b9a4879e00a8141bbda9a353206f4bde436f34783e967c317891aaf6b87d0fed55b16b519f97b3ba191
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlU:hDXWipuE+K3/SSHgxmlU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2600	DEM4CD8.exe
2488	DEMA2D4.exe
792	DEMF8B1.exe
1680	DEM4E6E.exe
1092	DEMA46A.exe
2956	DEMFA75.exe

Loads dropped DLL 6 IoCs

pid	Process
2788	d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe
2600	DEM4CD8.exe
2488	DEMA2D4.exe
792	DEMF8B1.exe
1680	DEM4E6E.exe
1092	DEMA46A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2600	2788	d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2600	2788	d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2600	2788	d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2600	2788	d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe	29
PID 2600 wrote to memory of 2488	2600	DEM4CD8.exe	33
PID 2600 wrote to memory of 2488	2600	DEM4CD8.exe	33
PID 2600 wrote to memory of 2488	2600	DEM4CD8.exe	33
PID 2600 wrote to memory of 2488	2600	DEM4CD8.exe	33
PID 2488 wrote to memory of 792	2488	DEMA2D4.exe	35
PID 2488 wrote to memory of 792	2488	DEMA2D4.exe	35
PID 2488 wrote to memory of 792	2488	DEMA2D4.exe	35
PID 2488 wrote to memory of 792	2488	DEMA2D4.exe	35
PID 792 wrote to memory of 1680	792	DEMF8B1.exe	37
PID 792 wrote to memory of 1680	792	DEMF8B1.exe	37
PID 792 wrote to memory of 1680	792	DEMF8B1.exe	37
PID 792 wrote to memory of 1680	792	DEMF8B1.exe	37
PID 1680 wrote to memory of 1092	1680	DEM4E6E.exe	39
PID 1680 wrote to memory of 1092	1680	DEM4E6E.exe	39
PID 1680 wrote to memory of 1092	1680	DEM4E6E.exe	39
PID 1680 wrote to memory of 1092	1680	DEM4E6E.exe	39
PID 1092 wrote to memory of 2956	1092	DEMA46A.exe	41
PID 1092 wrote to memory of 2956	1092	DEMA46A.exe	41
PID 1092 wrote to memory of 2956	1092	DEMA46A.exe	41
PID 1092 wrote to memory of 2956	1092	DEMA46A.exe	41

C:\Users\Admin\AppData\Local\Temp\d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\DEM4CD8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4CD8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\DEMA2D4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA2D4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\DEMF8B1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF8B1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Users\Admin\AppData\Local\Temp\DEM4E6E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4E6E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Users\Admin\AppData\Local\Temp\DEMA46A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA46A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\DEMFA75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFA75.exe"
        7⤵
        Executes dropped EXE
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4CD8.exe

Filesize
14KB

MD5
dc8013751c1a7aed69c1fc4c3a7af45e

SHA1
ea0085c237a4d056bd6ea0569bfbd4b644ae873b

SHA256
6061105b1a95fa91e4e407c9b6cb21fc8afe98b8e1230885e570c7a0235963b2

SHA512
72d22d9aa5e5e62646003d18fb20fcc47690d44f0adda2f326fde9928254c548586aab48399d7692ced837b38717c1f77d3fbe0957cb438030f76f77abf08efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4E6E.exe

Filesize
14KB

MD5
d4e7d3dc3cc478930e8950c0bd931731

SHA1
7912088287ff4573fa414b2f987eb07a13138e0c

SHA256
e7832fcb350966c8a5137d412e8c00a10b8e28cb91af32d934b452b5cc40eb3f

SHA512
6fa612890226752da90a9be423eee8d8ec2d74092248c74f56bb678637a119c913ccef114e462c2cdf262ec5bca1c1e937670ad3f8ec77134a55c1ecc90f078b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2D4.exe

Filesize
14KB

MD5
1c4c8db05b917838ca0214b6f5f6e826

SHA1
77a8268aa9b37163eb805fd36376f45b5e29fe21

SHA256
b1fe8f822c03f16c60dccc49f773c629865a354a4dd3afe0b1d87e36c73f2a94

SHA512
c101112a59f18e58a03ca10fad854d184a669f7580fa3854444fe90c32489bde363ba80089faa7273602b2a28fcae5339a8c35f5399dc614b4346d2597aec15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA75.exe

Filesize
14KB

MD5
d0a1c07e150b5242587ce5803be8f014

SHA1
118a93b4c626d11bd7a7f1dd30b0a4871a84d26a

SHA256
0e6ed759834e80843df03e54621ce5b36bb0e9e6cc348a2c686a7ace298149bc

SHA512
b51334a4c222f0fed282baf06031d5adefe646045cddedb035b8ff6b4fd60eb9bb896e3b956998f0071e5a1b2bb04b87005ebb48367bec4f724bb1f6369aef21

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA46A.exe

Filesize
14KB

MD5
ee1e0e9be8dfb3959a0d8082ec6c25fa

SHA1
b38f44589aa0564fcc14ffcfd4d8fe47e86d0493

SHA256
8cca5a2d9ce5c9da0f6e45a1ace50e9655fa204d4484ad02b42986ce967355d1

SHA512
2b5ed0156585cd7b86d14ac029fdbcbc98ce1b7cfe8ce18dc38b1826aef264c9e7d7523cab584f08a865b7189e1489bc9ae449f0235a3b8c437fb17aac813dc0

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF8B1.exe

Filesize
14KB

MD5
996faf931c03dd904ed9b962ecc18080

SHA1
16e59c0f84bcf058cd2cab15037318fdec46ff14

SHA256
5539996cf762ea52457cdaef0f0b8001be784ab78a35c9ab0cffb97982ddb6cf

SHA512
da0be80dcba963b0d817b4227d6167fee1d48f316b2d1b7cd7312f1390db45e45ad4104e000654ceace188c85f3eb317b15f536eb832716c00b6e087aa083cb6

Download Submit

Analysis

Sharing