1a87b6b5bd69cfa0ffadee1f307e781f3ef920666eb3471c52669959ebb9df3a

General

Target

da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe
Size

14KB
MD5

da817119a499aa5ac19a21f571a5476d
SHA1

63d869b0a630fe64e2f3ac257a73a480f3011221
SHA256

1a87b6b5bd69cfa0ffadee1f307e781f3ef920666eb3471c52669959ebb9df3a
SHA512

62c79461d4c68069bea229a2253a9a4508b52188c809768841afb42d4eb87cfffc8dae456ccc9ff2621546a828e32643748e9a6519b9130ea5b84b49ef19360f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0JU:hDXWipuE+K3/SSHgx46

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2908	DEM29DE.exe
2832	DEM80B4.exe
2416	DEMD6B0.exe
1992	DEM2D28.exe
1056	DEM8334.exe
1248	DEMD920.exe

Loads dropped DLL 6 IoCs

pid	Process
2884	da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe
2908	DEM29DE.exe
2832	DEM80B4.exe
2416	DEMD6B0.exe
1992	DEM2D28.exe
1056	DEM8334.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2908	2884	da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe	29
PID 2884 wrote to memory of 2908	2884	da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe	29
PID 2884 wrote to memory of 2908	2884	da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe	29
PID 2884 wrote to memory of 2908	2884	da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe	29
PID 2908 wrote to memory of 2832	2908	DEM29DE.exe	31
PID 2908 wrote to memory of 2832	2908	DEM29DE.exe	31
PID 2908 wrote to memory of 2832	2908	DEM29DE.exe	31
PID 2908 wrote to memory of 2832	2908	DEM29DE.exe	31
PID 2832 wrote to memory of 2416	2832	DEM80B4.exe	35
PID 2832 wrote to memory of 2416	2832	DEM80B4.exe	35
PID 2832 wrote to memory of 2416	2832	DEM80B4.exe	35
PID 2832 wrote to memory of 2416	2832	DEM80B4.exe	35
PID 2416 wrote to memory of 1992	2416	DEMD6B0.exe	37
PID 2416 wrote to memory of 1992	2416	DEMD6B0.exe	37
PID 2416 wrote to memory of 1992	2416	DEMD6B0.exe	37
PID 2416 wrote to memory of 1992	2416	DEMD6B0.exe	37
PID 1992 wrote to memory of 1056	1992	DEM2D28.exe	39
PID 1992 wrote to memory of 1056	1992	DEM2D28.exe	39
PID 1992 wrote to memory of 1056	1992	DEM2D28.exe	39
PID 1992 wrote to memory of 1056	1992	DEM2D28.exe	39
PID 1056 wrote to memory of 1248	1056	DEM8334.exe	41
PID 1056 wrote to memory of 1248	1056	DEM8334.exe	41
PID 1056 wrote to memory of 1248	1056	DEM8334.exe	41
PID 1056 wrote to memory of 1248	1056	DEM8334.exe	41

C:\Users\Admin\AppData\Local\Temp\da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\DEM29DE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM29DE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\DEM80B4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM80B4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\DEMD6B0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD6B0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\DEM2D28.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2D28.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Users\Admin\AppData\Local\Temp\DEM8334.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8334.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\DEMD920.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD920.exe"
        7⤵
        Executes dropped EXE
        
        PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM80B4.exe

Filesize
14KB

MD5
67848bb901a62757aefc31ec760b1d1d

SHA1
b4d6486809506cbe701c899ac98807a696888ba5

SHA256
d95915306b4a8c472894d05d44b9a888cfcbdf314b82e6dc12ad640b31c03c4c

SHA512
0d6320a100894545f4013ba35088c6bfed0ba9a7fdf7ddce74f543baf5dfb3adab7b56899fdb04d5a6283591ccdddf877e6ed9a9e6038eac869a6fb9fa05324b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8334.exe

Filesize
14KB

MD5
bd1bc207bbc3306280f5df864998cfbc

SHA1
987ec839279766a6535749643aab869af998e097

SHA256
7e876b535f2cf8d937bc2f75c29855f0fef48d14cd73d1f036d4741377782604

SHA512
04a8ee0621bf93740b5c529bed4d30d38e8bdd6c8d2e84fabd44b0e2e55d8cb79cfa32bc9bc68fa2bbf722e8361ad4a5a12ff4952a2d033e69a6bb0553eb8f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD920.exe

Filesize
14KB

MD5
f5c67ddacd0bf1f5b7d0514876593dd5

SHA1
4ca82edce0a1a8ef56b08de036871ca15ae8a090

SHA256
bc669cf3053f0130dba8c8f8d77e14102288b7f0ce8952ed1ad451ba0a4fd839

SHA512
d1aa711f49176a45ee38dec70d14b56f7285a7412956c7228fbdf597ea223e8f04d256ec7e28d2aafa5dcaf9b04644ecb4c83e3600fd7d1ca9973f2881271ff1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM29DE.exe

Filesize
14KB

MD5
b7a312d1f13650f672d82a8af421f7d0

SHA1
5293af4d3db0acd91768c9c9085127ddc8e5b943

SHA256
37a53ab807f167c3a3d000ac7108605482f2f715f0d7708e3a50e2176fbadecc

SHA512
5934b7026131611e8cdcb948f3de16dd07a7ae13a8c6d2d885ccd6d07dbd0085911e87f84abba58f970a8cf4b3833a4090160c0661b88f5432825fdbb903ec17

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2D28.exe

Filesize
14KB

MD5
e2e56ec4793d2e29f4d7d47c4456f741

SHA1
090cd5a2f8f97c45dba4a97ccdc1e5377ae218aa

SHA256
3335a218a4e9b20ef9cafd64368b9a70b04c411a152fb581bffe1ea7e7ab5556

SHA512
3211f418ccaef8a4f556e4895cc5970e23416defc2097db7bde0bf6ac8839c90868f34fa63b9aac01372eb8ff5fadb306533356d1169b85eb1c131170591dcc9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD6B0.exe

Filesize
14KB

MD5
690a15386ba640d9305b3ea7b271171d

SHA1
66a262d515b7800f263b105621e4e10dd3fa7825

SHA256
923a171d2a49f79d70930bc58253e5cf1be6aa32e6c7de1b5aa12ecc9340dcb8

SHA512
406bcb4f45a0d8b0c740b17b0faa7fd44c26fa99daaee59223744a96dbb8ba7fc39527fd728d899c4e4a3727dfa27c04244861c7a8d9d7c057f034d0bbeb4226

Download Submit

Analysis

Sharing