a1ed9a7f00adb679311f80ea29f3496af9e1982a7fc5215f1d905229ec773e82

General

Target

da850b7679920442ef3192c6f6874343_JaffaCakes118.exe
Size

14KB
MD5

da850b7679920442ef3192c6f6874343
SHA1

aca8750c681cee78f9be95b09892f5b169a32c02
SHA256

a1ed9a7f00adb679311f80ea29f3496af9e1982a7fc5215f1d905229ec773e82
SHA512

c9c8aad3d0163ab992ed4595e66b91e66b3b54580973e728301d783f52c226c1709368dd4d2b6c115a54560790668be543887816a789526dd696368769e424e5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0z:hDXWipuE+K3/SSHgx4z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2664	DEM4EAC.exe
2980	DEMB22F.exe
2820	DEM85A.exe
2704	DEM5F5F.exe
2736	DEMB693.exe
1728	DEMD1B.exe

Loads dropped DLL 6 IoCs

pid	Process
2936	da850b7679920442ef3192c6f6874343_JaffaCakes118.exe
2664	DEM4EAC.exe
2980	DEMB22F.exe
2820	DEM85A.exe
2704	DEM5F5F.exe
2736	DEMB693.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2664	2936	da850b7679920442ef3192c6f6874343_JaffaCakes118.exe	29
PID 2936 wrote to memory of 2664	2936	da850b7679920442ef3192c6f6874343_JaffaCakes118.exe	29
PID 2936 wrote to memory of 2664	2936	da850b7679920442ef3192c6f6874343_JaffaCakes118.exe	29
PID 2936 wrote to memory of 2664	2936	da850b7679920442ef3192c6f6874343_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2980	2664	DEM4EAC.exe	33
PID 2664 wrote to memory of 2980	2664	DEM4EAC.exe	33
PID 2664 wrote to memory of 2980	2664	DEM4EAC.exe	33
PID 2664 wrote to memory of 2980	2664	DEM4EAC.exe	33
PID 2980 wrote to memory of 2820	2980	DEMB22F.exe	35
PID 2980 wrote to memory of 2820	2980	DEMB22F.exe	35
PID 2980 wrote to memory of 2820	2980	DEMB22F.exe	35
PID 2980 wrote to memory of 2820	2980	DEMB22F.exe	35
PID 2820 wrote to memory of 2704	2820	DEM85A.exe	37
PID 2820 wrote to memory of 2704	2820	DEM85A.exe	37
PID 2820 wrote to memory of 2704	2820	DEM85A.exe	37
PID 2820 wrote to memory of 2704	2820	DEM85A.exe	37
PID 2704 wrote to memory of 2736	2704	DEM5F5F.exe	39
PID 2704 wrote to memory of 2736	2704	DEM5F5F.exe	39
PID 2704 wrote to memory of 2736	2704	DEM5F5F.exe	39
PID 2704 wrote to memory of 2736	2704	DEM5F5F.exe	39
PID 2736 wrote to memory of 1728	2736	DEMB693.exe	41
PID 2736 wrote to memory of 1728	2736	DEMB693.exe	41
PID 2736 wrote to memory of 1728	2736	DEMB693.exe	41
PID 2736 wrote to memory of 1728	2736	DEMB693.exe	41

C:\Users\Admin\AppData\Local\Temp\da850b7679920442ef3192c6f6874343_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da850b7679920442ef3192c6f6874343_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\DEM4EAC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4EAC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\DEMB22F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB22F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\DEM85A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM85A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\DEM5F5F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5F5F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\DEMB693.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB693.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\DEMD1B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD1B.exe"
        7⤵
        Executes dropped EXE
        
        PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB22F.exe

Filesize
14KB

MD5
bbbc9528d4ed0750df925a429398958e

SHA1
232532e581f762833f414ad870e444ed87dd77ef

SHA256
67234355563d93bc1302c11a35bb75ff0ec5969a4bbbd7adff9560579c16faae

SHA512
18b84cea6004ceae697593ec23979baffd93e17ca63d435c1667586d8be9414b6f1481024f80e0c8f60afc4ff472231c3f6d4a9ced00b2497e0bfa09e3b56bff

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4EAC.exe

Filesize
14KB

MD5
04252d88eb3fe33d4c8e61cd3fd385cb

SHA1
bda679b1d067721a9c2f89ee29d626fa2c458c4d

SHA256
d5e1ffe65c39e0837979df5378ba93e22d0fe221ef4cbdb4b410054e6f9fade5

SHA512
41456796d4a99c19bf2d240088ddd7ab9a0913403292c2d7f480297c86651693ad0f16e6a38c15970eb1870c44f21de4edf623ab87e95c468f8e4314f2d1470e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5F5F.exe

Filesize
14KB

MD5
39e4c050715b8039c7e62a7d2fadfeee

SHA1
9255bdec2729476ff8e23c47f7abe39eb250836e

SHA256
4a34eab9b5ef3a75eec159d4938ddf0b1c881bf06e15cdacb0af9b4cc847c48b

SHA512
5c86df9191907762c3cdd7e15ff40b0928e27d1e7979d8356d21c2d9045f571e31d9330dfd9a953d3258f6daa6b5d5bcbc78e25d83dfc85673353ce5faf20b71

Download Submit
\Users\Admin\AppData\Local\Temp\DEM85A.exe

Filesize
14KB

MD5
65708bbc4d1f707cb90033ab328b37df

SHA1
ee6f44be7e92c174480c932773a90cb3964d685e

SHA256
4b4a1b4ff574c4d4226c47dafda28689a4f3b9a03cb642bc10ba74dd6c56c8e2

SHA512
afbbb89cef482f24059261d9b19f5632f923cc0f3f59459eca93b062e66ac2668509641345ca8ca252ef642d749d13c0cc6551b7439b6cce823cc7e7ff2b983c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB693.exe

Filesize
14KB

MD5
fe9847f8fa2795a7b2999bb9cc3ebebc

SHA1
aa8172642693255d17f72de90f34f2558a3be7de

SHA256
63fef5e9a661697e06e8a04887d5c5d94a3f33f2d25f0af107d8f3be1707b969

SHA512
f69bc176ce468e76c26caf80b4c54b3f9e3b42dc979cc3a13c6cf21bd8649b5643c5dd3eb906512bf52f167767068108e68480e731ec9455431eb50d49698d91

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD1B.exe

Filesize
14KB

MD5
8815ae3032d1800ac13a7e018244ce63

SHA1
04818a1b72d02ee53921b6b250eda4b557fcc246

SHA256
98924656aea7eb8f7f2598d29bd123edb7261a14bee6b20097064e958af9b2c3

SHA512
a7ba2d702caf49446a4886e2bb55de3cf6b0c0a10bd51149f98ffee1f76ef44a71f78cff8e5ecfe9f091c3e70166c892283babe34fe10801d95fb19099d69bc8

Download Submit

Analysis

Sharing