1d11d2ce13f507d927522309e4e618a46c7708cbfbe10f6f3a9fe38b2902aeb3

General

Target

dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe
Size

14KB
MD5

dd2f062d812c42e8a40619000f228f44
SHA1

2bd8b306cf27e98a97e32a5d8409f1ea552b999c
SHA256

1d11d2ce13f507d927522309e4e618a46c7708cbfbe10f6f3a9fe38b2902aeb3
SHA512

771eda2cbb5d019c146645c831e01e1a23fe1bf3301c06f0a0bc685601f962a8adbcfd5903ee722f20cd63ceca607fe211463b9acce2ab13be1f47008f59a365
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRl5l:hDXWipuE+K3/SSHgxXl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2084	DEM8B9D.exe
2428	DEME254.exe
1072	DEM388E.exe
2708	DEM8E3B.exe
2232	DEME437.exe
944	DEM3A81.exe

Loads dropped DLL 6 IoCs

pid	Process
1612	dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe
2084	DEM8B9D.exe
2428	DEME254.exe
1072	DEM388E.exe
2708	DEM8E3B.exe
2232	DEME437.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2084	1612	dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe	29
PID 1612 wrote to memory of 2084	1612	dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe	29
PID 1612 wrote to memory of 2084	1612	dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe	29
PID 1612 wrote to memory of 2084	1612	dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe	29
PID 2084 wrote to memory of 2428	2084	DEM8B9D.exe	33
PID 2084 wrote to memory of 2428	2084	DEM8B9D.exe	33
PID 2084 wrote to memory of 2428	2084	DEM8B9D.exe	33
PID 2084 wrote to memory of 2428	2084	DEM8B9D.exe	33
PID 2428 wrote to memory of 1072	2428	DEME254.exe	35
PID 2428 wrote to memory of 1072	2428	DEME254.exe	35
PID 2428 wrote to memory of 1072	2428	DEME254.exe	35
PID 2428 wrote to memory of 1072	2428	DEME254.exe	35
PID 1072 wrote to memory of 2708	1072	DEM388E.exe	37
PID 1072 wrote to memory of 2708	1072	DEM388E.exe	37
PID 1072 wrote to memory of 2708	1072	DEM388E.exe	37
PID 1072 wrote to memory of 2708	1072	DEM388E.exe	37
PID 2708 wrote to memory of 2232	2708	DEM8E3B.exe	39
PID 2708 wrote to memory of 2232	2708	DEM8E3B.exe	39
PID 2708 wrote to memory of 2232	2708	DEM8E3B.exe	39
PID 2708 wrote to memory of 2232	2708	DEM8E3B.exe	39
PID 2232 wrote to memory of 944	2232	DEME437.exe	41
PID 2232 wrote to memory of 944	2232	DEME437.exe	41
PID 2232 wrote to memory of 944	2232	DEME437.exe	41
PID 2232 wrote to memory of 944	2232	DEME437.exe	41

C:\Users\Admin\AppData\Local\Temp\dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\DEM8B9D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8B9D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\DEME254.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME254.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\DEM388E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM388E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E3B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E3B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Users\Admin\AppData\Local\Temp\DEME437.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME437.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\DEM3A81.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3A81.exe"
        7⤵
        Executes dropped EXE
        
        PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM388E.exe

Filesize
14KB

MD5
39e90f3a86fef5693023b8d0d2c28fa3

SHA1
28b7670d6c7a1d16be261ae7bc39b321a701854f

SHA256
5ad736a23fd334f3b97c974fcad686287942da3590c5d7b680e4d1aa3d26fb30

SHA512
337ffe393db0ef6220482fc390242e70aba99c4c34fed93b4f40c353a566c559040b0d7d6bf2be6fdde43074f21b998afd3ea49483de4495a3aae6c2d1d5bb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME254.exe

Filesize
14KB

MD5
68818dc48e9ca6f77ea4c29c4885970d

SHA1
5a4db2ef924c5e58fd6bd53b464e0d1d65e19da7

SHA256
370fc2400c1735facace84902a13a968883d0339d0d87c4e750370b8e7cf035b

SHA512
8004b81a0016f3c5b789cd9b43f0191b9e3795a763e18b092d6bb0e77fe456fb32a104cab4e05ed27c097365866e7e860acfd0be79c1578d13d0551b0d1b45df

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3A81.exe

Filesize
14KB

MD5
8f5c7fedb39bbf539181e6966714d2ad

SHA1
4f7684e398a055538663f9bece3e32359cec30f8

SHA256
ddcbb63544f94df8e8e2b8936f565cbe51c9956d07cd0489f663e9bd9cd32fde

SHA512
684ef90919f5800cfe048e972d781f678bed1cd27f1f0c9ac00cc915025728fd280fb6372581de4f6b03867313a277a852f806c079cc6ab7fe74b2f6d4047108

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8B9D.exe

Filesize
14KB

MD5
95d588eacb04e97fb885cd33a91fd8d0

SHA1
9749ef8b214da35fae398bfab5f074a76207c73e

SHA256
3bfbb9d5980b2eaa6f1e9ecf0793c52278189fd068c6b3fe0994a757eebc773b

SHA512
4fe2ef207de8bb26b7484f74d91ad866d5d89f835a1e1775958d09e37a153005429765e4c43335bef3cc4761cb408767ca72603e3e4ba598bd3999b04c518082

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E3B.exe

Filesize
14KB

MD5
a2d0de09facf09eeb4d351a648e00731

SHA1
1acf54a42567147f3f48ce6807fb0a93cf8c864d

SHA256
c6a99352f2d80adea8ace9e27f477870096888bf8325ed9bf68a86a06f47c204

SHA512
291adf9ce3ff7cca2bf5b649e23a377f280a993a615eca57224428248e1993a584aa1a1e8fb35ad0f269d207a6e6cc719b06ba1b984e0b2479cf6328a10ebe55

Download Submit
\Users\Admin\AppData\Local\Temp\DEME437.exe

Filesize
14KB

MD5
5464f1d6fb7cb1ef4e035d1c818cd79f

SHA1
7e7a878459eb60f981bbd56ae879f28adfdc0fde

SHA256
1b52c4a860fa11cda1589ceb722e4f2c3c2e2ccc5c48c60f820a338aab01c32e

SHA512
24dc8bb7bb1516dd986125669d3897c8cd0c2ae2b70147ec15c11576fea11215b2f518f6745949375e199791ca8ce1bb8d2a75dddb048e485166cb538956d5ef

Download Submit

Analysis

Sharing