d02469d459044ac1b11f27ba6052dd3464a73c96313e1513e2d951123ec94541

General

Target

dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe
Size

15KB
MD5

dfd9a24bc15c97238ce726c079d10e0c
SHA1

419408db9f27d9a071f62a02909167cad4150889
SHA256

d02469d459044ac1b11f27ba6052dd3464a73c96313e1513e2d951123ec94541
SHA512

e2ae7089e42fb177b88ea321bedebef98f6e4fd9301b614b1b0cc45a603acde1db74c25b371bac4f0b4ee5094e3915a33ad4a0ade75cdc3e7ee3b0d5048dac40
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhQ:hDXWipuE+K3/SSHgxzQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2452	DEM3F9F.exe
2420	DEM96F2.exe
1196	DEMEE16.exe
2496	DEM4460.exe
1216	DEM9A3D.exe
2112	DEMF086.exe

Loads dropped DLL 6 IoCs

pid	Process
928	dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe
2452	DEM3F9F.exe
2420	DEM96F2.exe
1196	DEMEE16.exe
2496	DEM4460.exe
1216	DEM9A3D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 2452	928	dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe	29
PID 928 wrote to memory of 2452	928	dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe	29
PID 928 wrote to memory of 2452	928	dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe	29
PID 928 wrote to memory of 2452	928	dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe	29
PID 2452 wrote to memory of 2420	2452	DEM3F9F.exe	33
PID 2452 wrote to memory of 2420	2452	DEM3F9F.exe	33
PID 2452 wrote to memory of 2420	2452	DEM3F9F.exe	33
PID 2452 wrote to memory of 2420	2452	DEM3F9F.exe	33
PID 2420 wrote to memory of 1196	2420	DEM96F2.exe	35
PID 2420 wrote to memory of 1196	2420	DEM96F2.exe	35
PID 2420 wrote to memory of 1196	2420	DEM96F2.exe	35
PID 2420 wrote to memory of 1196	2420	DEM96F2.exe	35
PID 1196 wrote to memory of 2496	1196	DEMEE16.exe	37
PID 1196 wrote to memory of 2496	1196	DEMEE16.exe	37
PID 1196 wrote to memory of 2496	1196	DEMEE16.exe	37
PID 1196 wrote to memory of 2496	1196	DEMEE16.exe	37
PID 2496 wrote to memory of 1216	2496	DEM4460.exe	39
PID 2496 wrote to memory of 1216	2496	DEM4460.exe	39
PID 2496 wrote to memory of 1216	2496	DEM4460.exe	39
PID 2496 wrote to memory of 1216	2496	DEM4460.exe	39
PID 1216 wrote to memory of 2112	1216	DEM9A3D.exe	41
PID 1216 wrote to memory of 2112	1216	DEM9A3D.exe	41
PID 1216 wrote to memory of 2112	1216	DEM9A3D.exe	41
PID 1216 wrote to memory of 2112	1216	DEM9A3D.exe	41

C:\Users\Admin\AppData\Local\Temp\dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\DEM3F9F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3F9F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\DEM96F2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM96F2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\DEMEE16.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEE16.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\DEM4460.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4460.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\DEM9A3D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9A3D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\DEMF086.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF086.exe"
        7⤵
        Executes dropped EXE
        
        PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM96F2.exe

Filesize
15KB

MD5
1912e732ed0421fedc3e06b0efad9207

SHA1
3f73aa28b5e8f0731948c3c23e8c6ad9d42ccb72

SHA256
895f524d248dcb2f537eeb2c42f6fb92d684ccdea89bebc9e93e1934f044ece7

SHA512
cc786e9a89b1d887800109adac80ee5b80f206ff44cd192ad4e7df56f1b1cb63fbc0f486e2f9b086bd2ddc25abe341e2508924ebe3ec709ea1535646a40ba279

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE16.exe

Filesize
15KB

MD5
e61701aef84a1f5023eb8cbccfe1d164

SHA1
9231345473d8642ea94b14021b667e1dbd9346a3

SHA256
9f5d34aab08e45f3eb75123d034712236b54ba1ab7824b7ae26094789d9b8a67

SHA512
4b08a025675925d1b9a9d2af42c8277c354c3fa8ad74fe5123325b0db8ce845ff0de5fc5e47f991a26f36cbc40d7eb0f969cb354e85ff0245e93c025d925c761

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3F9F.exe

Filesize
15KB

MD5
982bf8b73095e6e57912e32d3f8b658c

SHA1
0599c17485df4bcdd075ab5d8466531e324d30a7

SHA256
2b17f31ee68eb53216f3acb3cf4f2f164e51ede60a1655a43ac39f161dcc1047

SHA512
2f3862985df284ec9be0daa0febe1c104b213c3e9ae4b94a68bd622fd345c8b31dade5574e20a99b26a1837abf25a70340420ab7eea038ab20ef1bdf8ed84bc6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4460.exe

Filesize
15KB

MD5
7fac6b8acb05dc3b9aad6529f239957c

SHA1
948a32d7da24d94a0c00e37cd62ec8debd6eaaec

SHA256
686c6490ad073474a832d703300c45bfd528879f656d0da9eb98521582c5b8e7

SHA512
ec3ef2b9b1fded356bc1f6d713d54248485e38fc90e400ca30e0a03fd12d3216dfafae20f3f6054a81549b7059f3c5f5625d6511cdda894ccfe0d71cbb6d42e1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9A3D.exe

Filesize
15KB

MD5
680582d8c2688289d8cd5b1b2c03006e

SHA1
b0b37b50eaafcf37e6731b11ab78da2ee10b4ee0

SHA256
f40a0654e94e80af87cf0e2d0e4021c125048ab7759ef1e7d17a4b0d8d7f5acd

SHA512
8e9801e23d277a2d8474c07dec4f0b7d10668aead399d1861de13cc988155d9ecf182ba59ba419f7a429250085c3d0174efd54885f0fe23cc3cf563d8b0b1321

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF086.exe

Filesize
15KB

MD5
d54a839837580b802073cfb1e9271c9f

SHA1
d72736f0b041835c960e70b389f433de48d73936

SHA256
4c43d888707303581e57b325ed5002cb2666da7e53183381f821c63bfdc6f4f7

SHA512
e209cfce9c18469180945d7992c8e0d26ddff3d572e3cd25e2f6eb1fb9b1df0cc81726fa1e01d3ed8b62905e38526eeb29ea1289b440779dd4042e11bda3a34f

Download Submit

Analysis

Sharing