a9b30e46208c5cb49687bbe8ac0d21eb9db836d25fe55ebe8a5c4cd97e5d6955

General

Target

df9cf5986a5f4d7e70b3a5619aa30b5d_JaffaCakes118.exe
Size

20KB
MD5

df9cf5986a5f4d7e70b3a5619aa30b5d
SHA1

06cbe8f57ed03786340b11c2807d2bff00b62031
SHA256

a9b30e46208c5cb49687bbe8ac0d21eb9db836d25fe55ebe8a5c4cd97e5d6955
SHA512

82fdca53ef59562d22f384650c175efd3acb82fd169a7af0527b7fc6c934ad6a867691f24c4e2c44acf6f789578a8b32c5e5b11884c28e79d739de3711dad3f4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4B:hDXWipuE+K3/SSHgxmHZB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2560	DEM8778.exe
2424	DEMDDF0.exe
1700	DEM32D3.exe
2660	DEM88A0.exe
2316	DEMDE3E.exe
1644	DEM33BD.exe

Loads dropped DLL 6 IoCs

pid	Process
2232	df9cf5986a5f4d7e70b3a5619aa30b5d_JaffaCakes118.exe
2560	DEM8778.exe
2424	DEMDDF0.exe
1700	DEM32D3.exe
2660	DEM88A0.exe
2316	DEMDE3E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2560	2232	df9cf5986a5f4d7e70b3a5619aa30b5d_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2560	2232	df9cf5986a5f4d7e70b3a5619aa30b5d_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2560	2232	df9cf5986a5f4d7e70b3a5619aa30b5d_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2560	2232	df9cf5986a5f4d7e70b3a5619aa30b5d_JaffaCakes118.exe	29
PID 2560 wrote to memory of 2424	2560	DEM8778.exe	33
PID 2560 wrote to memory of 2424	2560	DEM8778.exe	33
PID 2560 wrote to memory of 2424	2560	DEM8778.exe	33
PID 2560 wrote to memory of 2424	2560	DEM8778.exe	33
PID 2424 wrote to memory of 1700	2424	DEMDDF0.exe	35
PID 2424 wrote to memory of 1700	2424	DEMDDF0.exe	35
PID 2424 wrote to memory of 1700	2424	DEMDDF0.exe	35
PID 2424 wrote to memory of 1700	2424	DEMDDF0.exe	35
PID 1700 wrote to memory of 2660	1700	DEM32D3.exe	37
PID 1700 wrote to memory of 2660	1700	DEM32D3.exe	37
PID 1700 wrote to memory of 2660	1700	DEM32D3.exe	37
PID 1700 wrote to memory of 2660	1700	DEM32D3.exe	37
PID 2660 wrote to memory of 2316	2660	DEM88A0.exe	39
PID 2660 wrote to memory of 2316	2660	DEM88A0.exe	39
PID 2660 wrote to memory of 2316	2660	DEM88A0.exe	39
PID 2660 wrote to memory of 2316	2660	DEM88A0.exe	39
PID 2316 wrote to memory of 1644	2316	DEMDE3E.exe	41
PID 2316 wrote to memory of 1644	2316	DEMDE3E.exe	41
PID 2316 wrote to memory of 1644	2316	DEMDE3E.exe	41
PID 2316 wrote to memory of 1644	2316	DEMDE3E.exe	41

C:\Users\Admin\AppData\Local\Temp\df9cf5986a5f4d7e70b3a5619aa30b5d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df9cf5986a5f4d7e70b3a5619aa30b5d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\DEM8778.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8778.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\DEMDDF0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDDF0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\DEM32D3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM32D3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\DEM88A0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM88A0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\DEMDE3E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDE3E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\DEM33BD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM33BD.exe"
        7⤵
        Executes dropped EXE
        
        PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM32D3.exe

Filesize
20KB

MD5
f48919695009459b907cfd6386e99ba7

SHA1
332fb752d4abaa4d149af524aabc01085a64c250

SHA256
47cd8f11c07ec01a09985ff137b2d930862473ea6d05692dca97c9d507a6ecf0

SHA512
dea4b64a1599732da272641b13ab31f2c1c0cefdffa15ba1a515c4e2a8e8376ece6f9f5ae1dbdd3c8011d68972f31fa962ff3277ddce675b345ede84c154b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDDF0.exe

Filesize
20KB

MD5
cdc49995405bd0daea03df5a733d736b

SHA1
42290b6a6e9cf5a387d4b63c7034fa91f7f43df6

SHA256
32d2c925e5ba6492ac3266734ea8b1ca0c184051ec9cece75c740c3ded55fe1a

SHA512
1d39c230c9d964697c41163e1ea36bd571616d8c38ad244739a7dae7217cd76ae05a3f2818fd69ba8acc5fd26d43943aecf38178770da4172a742185500517e8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM33BD.exe

Filesize
20KB

MD5
758a43e82d166e59f1431480823b1902

SHA1
fddce6dd5628d33d526546843e21f92e5c201456

SHA256
1bc9cf057a6170c6ec5311fe22c5df2860ef3f7f6b5b6530214e397a7664842e

SHA512
f777dc3c3e5240dae99e86654eced217f6f560a82ea3f5833c7d1f94c458bdc781fd6a25ba2b536e654522d46b28e82c3410a6f40d4920daa45df4bf93f89512

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8778.exe

Filesize
20KB

MD5
3ddd0686eb56d5c4f03f5e328cd69cf0

SHA1
09871cac90ff1522e31b425ae750ef8d759d1bf2

SHA256
cdb4f44d83b1e7f24824a38ccb2c569b585ee14b258f1c5fd38b6ac7d4bf1243

SHA512
e2c237a4210a14acdaf58147eb772f12e0f3db33daa052d1e9aa447f21fde7600a26cc16ff881f67e10e8c9563291288dc9e9f0e1acb3346e020ab9924cdb822

Download Submit
\Users\Admin\AppData\Local\Temp\DEM88A0.exe

Filesize
20KB

MD5
c7a1f287a16e419193087e7919dd6d5b

SHA1
0dcad0142eee0d297a8dcf8cc29901b2c217c56c

SHA256
97cc4af912f85f548c416ebcaf551dad98a440540f75d79777bc599400762560

SHA512
23afa541b229f64fbd0b7e7fded24a7cb1f8b8163a59686674c692e46f4b80d7137f5529caa2abf3bd6084833b5a6e85a706fafc3a61ef122e1bc8191a5eefbd

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDE3E.exe

Filesize
20KB

MD5
dfc5fdc376f855f1c5b7cc597ca61b86

SHA1
43b5014e5d46f06ce47f9329bb34c02203064ddc

SHA256
9dbceb61f5ccb5de3ad50e376cc96fbbc048d1dd94afdf3bd2eeb651eb47e9a5

SHA512
19e0ab28d5c0e32c4f0b3da7a23338453f0fb2c2bd169f19dc289f0e4ec8f29cdc2689a0aa242dc94e5e9acc0a8ac4f4f9cd6bdb6655e0d772ca1c6d53e0e7c5

Download Submit

Analysis

Sharing