5820ab1637c7a68693e24b710f84dfe2b4e575fccd67a0f04ee8a43fb150bcc4

General

Target

dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe
Size

16KB
MD5

dc87015f80636a6cd7259697680e2b38
SHA1

d58507c85d7c6c8ef94412342b4cdcf24fddceab
SHA256

5820ab1637c7a68693e24b710f84dfe2b4e575fccd67a0f04ee8a43fb150bcc4
SHA512

e85d2ca09b646b17bc15785a1ca1a404f26e6601272b9751192c53daeb4b7ab1e926bec6d7d7f1c92214779d7f864ffcaee8c469a794babeffd5de8a3b14eb98
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzd6L:hDXWipuE+K3/SSHgxmHZ2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2620	DEM4116.exe
2436	DEM9721.exe
2676	DEMEC62.exe
2040	DEM42EA.exe
2840	DEM98D6.exe
2020	DEMEF3F.exe

Loads dropped DLL 6 IoCs

pid	Process
1968	dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe
2620	DEM4116.exe
2436	DEM9721.exe
2676	DEMEC62.exe
2040	DEM42EA.exe
2840	DEM98D6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2620	1968	dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe	29
PID 1968 wrote to memory of 2620	1968	dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe	29
PID 1968 wrote to memory of 2620	1968	dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe	29
PID 1968 wrote to memory of 2620	1968	dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe	29
PID 2620 wrote to memory of 2436	2620	DEM4116.exe	33
PID 2620 wrote to memory of 2436	2620	DEM4116.exe	33
PID 2620 wrote to memory of 2436	2620	DEM4116.exe	33
PID 2620 wrote to memory of 2436	2620	DEM4116.exe	33
PID 2436 wrote to memory of 2676	2436	DEM9721.exe	35
PID 2436 wrote to memory of 2676	2436	DEM9721.exe	35
PID 2436 wrote to memory of 2676	2436	DEM9721.exe	35
PID 2436 wrote to memory of 2676	2436	DEM9721.exe	35
PID 2676 wrote to memory of 2040	2676	DEMEC62.exe	37
PID 2676 wrote to memory of 2040	2676	DEMEC62.exe	37
PID 2676 wrote to memory of 2040	2676	DEMEC62.exe	37
PID 2676 wrote to memory of 2040	2676	DEMEC62.exe	37
PID 2040 wrote to memory of 2840	2040	DEM42EA.exe	39
PID 2040 wrote to memory of 2840	2040	DEM42EA.exe	39
PID 2040 wrote to memory of 2840	2040	DEM42EA.exe	39
PID 2040 wrote to memory of 2840	2040	DEM42EA.exe	39
PID 2840 wrote to memory of 2020	2840	DEM98D6.exe	41
PID 2840 wrote to memory of 2020	2840	DEM98D6.exe	41
PID 2840 wrote to memory of 2020	2840	DEM98D6.exe	41
PID 2840 wrote to memory of 2020	2840	DEM98D6.exe	41

C:\Users\Admin\AppData\Local\Temp\dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\DEM4116.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4116.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\DEM9721.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9721.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\DEMEC62.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEC62.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\DEM42EA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM42EA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\DEM98D6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM98D6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\DEMEF3F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEF3F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4116.exe

Filesize
16KB

MD5
513d73dd771baa116ecd22283aaa7677

SHA1
c6ef3c55a7670784c72bea224965ec2d594f751b

SHA256
bc321333c659813a481109469888494912a84a116164d32cc4ae33bff43ded8b

SHA512
7fbea1c4219e99d829bde48bac693e8d3a2c37483af845d73d33d9c4bca9f8239efa907f7d9d4f6dd9cb652cfdd2a0929f5da53e7172295f6489f0ea84e64999

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM42EA.exe

Filesize
16KB

MD5
8b6aeeb6fb9be14cd4d9e75c020f9e87

SHA1
cb49756b06dc29cfe981ac9d45a4b1e6154f010f

SHA256
2291a8e8e420796e1ff704aa3db3c2f7c5cd4598eb57d4c2dd2e615092ba9295

SHA512
959d0afbe27746fcaaf55c2e827c597c42d9038a93d2b3ad75410952430a5688df18832fad76fb96fce8d2244e0887bfafc499413cf0330668615d8ba7671c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9721.exe

Filesize
16KB

MD5
29d07647a62e31d2ad5f3e9428f98428

SHA1
a5963b9dd0cb54fdd22afbd74cd7c09e216340e5

SHA256
fae880c25f7b3201f0c3f1be09bd5c18d5e0bffcaea362efd6c89227241ef21c

SHA512
9ded72958bb3a9707bf26516b064ab6e71a0a399cdf86f6b68d511e2ae142cdcc82d871c06bd0a1471f45c4f2430e486b86133192339918572043cc6b5c0161b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEF3F.exe

Filesize
16KB

MD5
b21468abeeadcb86c0e1107850b1fd77

SHA1
a7f51f4068d7c7d80ec493fe8e9ab1a4881377b3

SHA256
464ca3b6e8038033b8588555fad9d24d3af57d2382d6dfa0df65db05584e6e7f

SHA512
8c09e9a80a6f04781bca4c4e21524a2da0c1f029780a2dd0fc9bd41ae9e9790f29650ca10bce268c32bc86a2c9a5dd927d8a57900bac9a02cbbc7f630a116346

Download Submit
\Users\Admin\AppData\Local\Temp\DEM98D6.exe

Filesize
16KB

MD5
9e78e5aea76e3ba7b5dba75e13dd8f36

SHA1
b1d6a9f8a9de04d7be53f4a1a9c794418594c88b

SHA256
0c49eea9f57bd6ca4061715a2e249453cb674f68c633accf83f2c1de2c5ac9b5

SHA512
c0c3ac1852ef3f46d9ba1184711eee0c1f95d8f8170dd4615ea332049ee1b1b45339d76e28709de36807fa16842ccf0c7d486c52e9146be816e41275e7aedf51

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEC62.exe

Filesize
16KB

MD5
e0076f5f2eb99fb11da01e0acb5027d3

SHA1
89f0e91944985344f01e9cd9e6ac05bba44c963f

SHA256
73b0701f2bc45866ad57d76af1b11ea01a688abadcc5a81dca2dad469de44144

SHA512
9b1bc3d14ea5b86a0f2f646294abdf3781d2cc2f38b8f46ddbc16d784cce4a968a517f6835169f85410cd66aa8e6d6c00c2b0390c2957077c9a983b7fff2891c

Download Submit

Analysis

Sharing