7ef03457f2bb46ef83081dbc7cbc344b96d5c884d192c3a94e522018786ae36c

General

Target

ec02d628cc11bdc711b5c3defb8baedc_JaffaCakes118.exe
Size

16KB
MD5

ec02d628cc11bdc711b5c3defb8baedc
SHA1

8d7722513eb37d73c703a035b161ba9482af9372
SHA256

7ef03457f2bb46ef83081dbc7cbc344b96d5c884d192c3a94e522018786ae36c
SHA512

9c2ff815aabb16df186adeade6a60287dfaa34c8f5d7da5bc780d7db81c9d8c8261103dd6ff75473e88dc3a790fae1603345d91af3190be8ee99a0f0652bf814
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/w9U4xk:hDXWipuE+K3/SSHgxm/KU7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2720	DEM22AD.exe
2544	DEM77CF.exe
1676	DEMCCE0.exe
880	DEM21F2.exe
560	DEM7713.exe
1784	DEMCC25.exe

Loads dropped DLL 6 IoCs

pid	Process
2076	ec02d628cc11bdc711b5c3defb8baedc_JaffaCakes118.exe
2720	DEM22AD.exe
2544	DEM77CF.exe
1676	DEMCCE0.exe
880	DEM21F2.exe
560	DEM7713.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2720	2076	ec02d628cc11bdc711b5c3defb8baedc_JaffaCakes118.exe	29
PID 2076 wrote to memory of 2720	2076	ec02d628cc11bdc711b5c3defb8baedc_JaffaCakes118.exe	29
PID 2076 wrote to memory of 2720	2076	ec02d628cc11bdc711b5c3defb8baedc_JaffaCakes118.exe	29
PID 2076 wrote to memory of 2720	2076	ec02d628cc11bdc711b5c3defb8baedc_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2544	2720	DEM22AD.exe	33
PID 2720 wrote to memory of 2544	2720	DEM22AD.exe	33
PID 2720 wrote to memory of 2544	2720	DEM22AD.exe	33
PID 2720 wrote to memory of 2544	2720	DEM22AD.exe	33
PID 2544 wrote to memory of 1676	2544	DEM77CF.exe	35
PID 2544 wrote to memory of 1676	2544	DEM77CF.exe	35
PID 2544 wrote to memory of 1676	2544	DEM77CF.exe	35
PID 2544 wrote to memory of 1676	2544	DEM77CF.exe	35
PID 1676 wrote to memory of 880	1676	DEMCCE0.exe	37
PID 1676 wrote to memory of 880	1676	DEMCCE0.exe	37
PID 1676 wrote to memory of 880	1676	DEMCCE0.exe	37
PID 1676 wrote to memory of 880	1676	DEMCCE0.exe	37
PID 880 wrote to memory of 560	880	DEM21F2.exe	39
PID 880 wrote to memory of 560	880	DEM21F2.exe	39
PID 880 wrote to memory of 560	880	DEM21F2.exe	39
PID 880 wrote to memory of 560	880	DEM21F2.exe	39
PID 560 wrote to memory of 1784	560	DEM7713.exe	41
PID 560 wrote to memory of 1784	560	DEM7713.exe	41
PID 560 wrote to memory of 1784	560	DEM7713.exe	41
PID 560 wrote to memory of 1784	560	DEM7713.exe	41

C:\Users\Admin\AppData\Local\Temp\ec02d628cc11bdc711b5c3defb8baedc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec02d628cc11bdc711b5c3defb8baedc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\DEM22AD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM22AD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\DEM77CF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM77CF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\DEMCCE0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCCE0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\DEM21F2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM21F2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Users\Admin\AppData\Local\Temp\DEM7713.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7713.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\DEMCC25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCC25.exe"
        7⤵
        Executes dropped EXE
        
        PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM22AD.exe

Filesize
16KB

MD5
a6f889b1aeb2acf3538dd74c99418c38

SHA1
ac51c92f7617fcb874bca1d2036cf9e071d535ff

SHA256
09a3391c49c2dc598fb01a1644dcf88c107ae0987d22f8c7ad7279f5dabe3d6f

SHA512
6b6a41a55eb41bf46e38ec4c24088c789373daae8216f552a7012ca0c8b1c82d01b1af23bdcc1ff5b5498445ec97c3408797e15711eb820963a91e0dc173e9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77CF.exe

Filesize
16KB

MD5
a4183c6dd1bf8bf7871baede6a354df4

SHA1
a5d7af839129b2f7243c5c79e6580014e23187b7

SHA256
119e40975b956ac537531bc29bf9abf1c5bbaa4e931846c5f0927ce72e97d02a

SHA512
f10cc3ce6c2db972f368e9aa0dbdf47604584fe94af55c7414a9706d76fdc6dc082bfe768140424e1c03e58fc5cbe21715a98c97d58d68c36bc466162fcb0ee2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM21F2.exe

Filesize
16KB

MD5
b71bd3674dcf2d8197334214dc6e35fe

SHA1
2f28c084005131ebe238c6f2beb5d94d49e9ac12

SHA256
f8d3b91eda79efcbb08830d8148d9eceef48f11e431a96e8e67a55b5b497fc48

SHA512
3d2e14203f8647cf6c8285b05b95083a201be438bd60b405ab029569c5ca3d5cf0e5d2c5b54e8d09d7ad3cd82ad51af7801abe7d88c7c402e63e6170c7ccbe29

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7713.exe

Filesize
16KB

MD5
b3cb8e98366a73113edb58824fa375e2

SHA1
f92069de7df1553f2631128053fa67aab53953eb

SHA256
bd6aacb0281bf8acec88b5dc7486ab3bdc85040656afb5e5827e130a06d4ed28

SHA512
3ac54b970d8bf1b9402d0af9222eeed02365706d8b5fa790375a55126193371077689a0976f844896578835183bd661e3ae5f402dad0f22f1fd2222be63a42a6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCC25.exe

Filesize
16KB

MD5
adfd3ca13d1448ee740203b13a9b690b

SHA1
e72ddda094bf3e42be058164ed511e686d80cf6e

SHA256
0ddd843ec5bdfcef21cc39c0df54bce5a49da8f85bafd364d7481d5a71375828

SHA512
c920d0c087c8b748105fdf84ea7266e48fce925667cb2b31bf400c096f2536d8740980ccead060c7f5c8b6a4bfc5d7654d7a12d53e5d5aae02472ba3985e7462

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCCE0.exe

Filesize
16KB

MD5
a6c164158bf77621081cd13302d77c5e

SHA1
b57db842d4b5a39e1bedc901b9e17925182602a6

SHA256
ecab3ded8b224da1fe16c734a416a0080b05f8bbb8b5fbe2efbb72eb7e7265db

SHA512
7405501d82047326460f06475be16008116fab2afb6f072586c9f295e3f617acc935cedd369e195e54951343de89ffc0dbc08fa71c6fdf9958f63ce5f7c2d77e

Download Submit

Analysis

Sharing