8d2244e78774ea22c4f94fa1bf0f47cce548947bf679384fadd125688285795d

General

Target

e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe
Size

14KB
MD5

e1f8c135af66e974e07ab3f188301325
SHA1

058b12a9072d88b20358e9a8efc8c3ad82e11b22
SHA256

8d2244e78774ea22c4f94fa1bf0f47cce548947bf679384fadd125688285795d
SHA512

4c6d875ac16ce0f025cb080bebfec1248d6d23affcf71e3365cdc59d13e050614f94a3637b14836891b91610117cabda93a92d4f12bd1b5d034adda828986b13
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhIFidPc:hDXWipuE+K3/SSHgxyFWc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2548	DEM7530.exe
2248	DEMCADD.exe
1856	DEM205C.exe
1048	DEM759D.exe
2180	DEMCB6A.exe
584	DEM22BD.exe

Loads dropped DLL 6 IoCs

pid	Process
2876	e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe
2548	DEM7530.exe
2248	DEMCADD.exe
1856	DEM205C.exe
1048	DEM759D.exe
2180	DEMCB6A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2548	2876	e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe	29
PID 2876 wrote to memory of 2548	2876	e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe	29
PID 2876 wrote to memory of 2548	2876	e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe	29
PID 2876 wrote to memory of 2548	2876	e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2248	2548	DEM7530.exe	33
PID 2548 wrote to memory of 2248	2548	DEM7530.exe	33
PID 2548 wrote to memory of 2248	2548	DEM7530.exe	33
PID 2548 wrote to memory of 2248	2548	DEM7530.exe	33
PID 2248 wrote to memory of 1856	2248	DEMCADD.exe	35
PID 2248 wrote to memory of 1856	2248	DEMCADD.exe	35
PID 2248 wrote to memory of 1856	2248	DEMCADD.exe	35
PID 2248 wrote to memory of 1856	2248	DEMCADD.exe	35
PID 1856 wrote to memory of 1048	1856	DEM205C.exe	37
PID 1856 wrote to memory of 1048	1856	DEM205C.exe	37
PID 1856 wrote to memory of 1048	1856	DEM205C.exe	37
PID 1856 wrote to memory of 1048	1856	DEM205C.exe	37
PID 1048 wrote to memory of 2180	1048	DEM759D.exe	39
PID 1048 wrote to memory of 2180	1048	DEM759D.exe	39
PID 1048 wrote to memory of 2180	1048	DEM759D.exe	39
PID 1048 wrote to memory of 2180	1048	DEM759D.exe	39
PID 2180 wrote to memory of 584	2180	DEMCB6A.exe	41
PID 2180 wrote to memory of 584	2180	DEMCB6A.exe	41
PID 2180 wrote to memory of 584	2180	DEMCB6A.exe	41
PID 2180 wrote to memory of 584	2180	DEMCB6A.exe	41

C:\Users\Admin\AppData\Local\Temp\e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\DEM7530.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7530.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\DEMCADD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCADD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\DEM205C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM205C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Users\Admin\AppData\Local\Temp\DEM759D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM759D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Users\Admin\AppData\Local\Temp\DEMCB6A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCB6A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\DEM22BD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM22BD.exe"
        7⤵
        Executes dropped EXE
        
        PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMCADD.exe

Filesize
14KB

MD5
05b8ca0cb22ee8c70358cef7f0a1bad2

SHA1
3579e4247a9d82f134703eb02a452e2ebe4e37cd

SHA256
e4fe230735b05192f5f428347717571187106e88bd42be6486ff2c80e48affc2

SHA512
171002eda2b869df02279869b6761ba0e5ed099b6f3b0934f51d1dd77d6d4e98d3755968436ff4d1109ee8360640e8026f7ca2769dd5b520f1b77fea879ba1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB6A.exe

Filesize
14KB

MD5
6169b13099b16a77d9e27b4e610968c0

SHA1
a91a170f8dfcb2dde6b19069f1b8c965e35e26a7

SHA256
45ad6cb70b75904572091edff2c4d0955b8a6da63e68d3273351dc7635f52189

SHA512
8f953d5413ee413138450384a28efd45821396976dafaf815dd8c65bb016e64ed0d9fc4719d62bc42e34d5e8290b5f4cc6eba2731f25f8dff4289ff27717afd0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM205C.exe

Filesize
14KB

MD5
db66f442f1902786f7aaaea8739513a7

SHA1
638666eb43e94d39ac589cd30eded204b92f82a0

SHA256
ba70626dd91a6e7345c560f0745cf759beb2111c4dbe65dd0d4ad1f331e1e643

SHA512
3a3d928e0268092a3a9c3222994d916c47e9001ad01f64b66e32f86c0304e0aad2e6d667d3aaa61a48bbebc5d1355d35b0b827017cc7caea7b351b7b455599b4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM22BD.exe

Filesize
14KB

MD5
24738263b4cb80199b6166c775a06069

SHA1
4f2b360c87210ecfff48359e0f5e874593b1efbd

SHA256
d0e73d7299d45fc8667f45875e0688e4e9c2ab919c5c3a4788118913894cfdd9

SHA512
5dc5fa7ea9120658d25826aacf563b6109cf2c9d4ebca5e03e27e1f0a68457a95118971b584dc073aff9ffc13b9c41b41c0ca6ff0d44283960c2e307d367322b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7530.exe

Filesize
14KB

MD5
280fd2e27176fefd43586cfba48b8c13

SHA1
1d9fd299566d42cd1418491743e0664106cb9035

SHA256
2b8226fa139b2b6fe85e1c1d0c74204cf7bdfcf2b5ddb7e787f22123bdb9d861

SHA512
419a4dbfe7888d61dc8a9fc2c21d5bc413a94b9f13b0778e384308710eded1fba1984ed8fb30f1feb16713903270ff7761832b9d0bc14882582240168032315d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM759D.exe

Filesize
14KB

MD5
079d4aa921cd2ee1b6ae14e598205cad

SHA1
0291e7e6faee529e381eb23f59d56eb0a743efd9

SHA256
d24c9dbb7939a6c852e48e8d4463f0297c90a271b354650a58ae8b2c28699e32

SHA512
9489329bc3a43b00e799a9c2bd0444f3e859448a2ecb0bf6d3f068d95c14b61ae8ef9a2b4ef354c0beb4def87419069ba2904d4987a2b2be1040b5bb642bf4c9

Download Submit

Analysis

Sharing