1f01918a8a4f6e89e60ab22fde9e41ca595965b8c276b598462cb11c8c72fa0c

General

Target

ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe
Size

20KB
MD5

ec695b94d7b312233fd6420ea5ea6552
SHA1

27c93452ded149b2a5f528ba325ef6e9a7178a68
SHA256

1f01918a8a4f6e89e60ab22fde9e41ca595965b8c276b598462cb11c8c72fa0c
SHA512

52153252f7cef83ff1307acf79e272d505463855a0bbfe42744e18931954d6f2375e9eaf053cbbd3784643c03db27f74aa6175899eaef044d19dc96d22f5ec1a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4Pn:hDXWipuE+K3/SSHgxmHZPn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2168	DEMC40.exe
2656	DEM620D.exe
2200	DEMB75D.exe
2496	DEMCBD.exe
340	DEM622D.exe
1984	DEMB7AB.exe

Loads dropped DLL 6 IoCs

pid	Process
1652	ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe
2168	DEMC40.exe
2656	DEM620D.exe
2200	DEMB75D.exe
2496	DEMCBD.exe
340	DEM622D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2168	1652	ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe	29
PID 1652 wrote to memory of 2168	1652	ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe	29
PID 1652 wrote to memory of 2168	1652	ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe	29
PID 1652 wrote to memory of 2168	1652	ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe	29
PID 2168 wrote to memory of 2656	2168	DEMC40.exe	31
PID 2168 wrote to memory of 2656	2168	DEMC40.exe	31
PID 2168 wrote to memory of 2656	2168	DEMC40.exe	31
PID 2168 wrote to memory of 2656	2168	DEMC40.exe	31
PID 2656 wrote to memory of 2200	2656	DEM620D.exe	35
PID 2656 wrote to memory of 2200	2656	DEM620D.exe	35
PID 2656 wrote to memory of 2200	2656	DEM620D.exe	35
PID 2656 wrote to memory of 2200	2656	DEM620D.exe	35
PID 2200 wrote to memory of 2496	2200	DEMB75D.exe	37
PID 2200 wrote to memory of 2496	2200	DEMB75D.exe	37
PID 2200 wrote to memory of 2496	2200	DEMB75D.exe	37
PID 2200 wrote to memory of 2496	2200	DEMB75D.exe	37
PID 2496 wrote to memory of 340	2496	DEMCBD.exe	39
PID 2496 wrote to memory of 340	2496	DEMCBD.exe	39
PID 2496 wrote to memory of 340	2496	DEMCBD.exe	39
PID 2496 wrote to memory of 340	2496	DEMCBD.exe	39
PID 340 wrote to memory of 1984	340	DEM622D.exe	41
PID 340 wrote to memory of 1984	340	DEM622D.exe	41
PID 340 wrote to memory of 1984	340	DEM622D.exe	41
PID 340 wrote to memory of 1984	340	DEM622D.exe	41

C:\Users\Admin\AppData\Local\Temp\ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\DEMC40.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC40.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\DEM620D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM620D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\DEMB75D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB75D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Users\Admin\AppData\Local\Temp\DEMCBD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCBD.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\DEM622D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM622D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\DEMB7AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB7AB.exe"
        7⤵
        Executes dropped EXE
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM620D.exe

Filesize
20KB

MD5
23252203db81f3f4a4fa7b094d24bf0f

SHA1
9aad0db3f16cef8abb637e031a2d8b3ebc661d6f

SHA256
2402482d67cf0ca4ad31f54c288ac8e8ae8a35a3a185143c42b5eff5fdd0f381

SHA512
35d5c5215f746350631fc123a28558d4af3f40095d93dcfa5b0109ebb842bb1d81096748e402d27b22ed87ca46d3ceb7c5bfa9d7d63c244d775f39556a2e9a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB75D.exe

Filesize
20KB

MD5
0ae0adbad70aa755036086e5f85301b5

SHA1
26c6efb80ae4ecd94cbcdf3122578ffeb0ce02bf

SHA256
41848c791e9d472fefceb677b65daa57bafa9465f234b4b1c4edc89d0a0a0f67

SHA512
25e821b4b656aba3da46d9332034b11fd57fbdbf1541d5e61dca22fcffa0b3a80486ca642548de07f63b71727c4386bda78c9ffc154a1d4799e8d0d8ea4833c9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM622D.exe

Filesize
20KB

MD5
14c746d4d2451c22ff2f40868c87a078

SHA1
30ed3ea3c3511b21735b236f971b2a66cb69d562

SHA256
96902b55c87f4555adeea6b64b444d476b47bc70dbbd444ebbeddb28b2cc3d31

SHA512
145c5ec6c6b81c1fbee38e0a9d9cd7bd62f45db292d61e404fa3483e1ba02dbcf3ae57e4054d5ee7b6947a5623f2bb7fa2d903c6be59d695f3db7f15c56feac0

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB7AB.exe

Filesize
20KB

MD5
1dd554ca43a2bbf9f79c00208e407513

SHA1
68e0d185906ebf451f8e41749c256e443f15986a

SHA256
54703c76da00da41e2247dece0ce3face0c4d0943d5e8b62ec66796001ba1b51

SHA512
4ca3ceaa2a2d5af1930ee9f6b975e81be5fbdb4a952eaa5dd126b5dce462ef9e2589b3dd5ee62d99ad3b7def1a07078489e3a756e4d341241625bb8044f364f7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC40.exe

Filesize
20KB

MD5
ad5c947b6fdff01b3734ff979239ff2d

SHA1
c540fd20b0755fa0b2f37d71b297a97115788467

SHA256
26f3855bff375555da93673796710bf06e7372b1ecad5866d3ce5d0c4e0ce9d2

SHA512
5f97167943670f7164f7a6604006be7ee368e7579e65fb3ab4cbd9273df2ea9aa7efc0fbc9902e97e9d36ba40faf73fda0008129805afb8084fe2b7ebc35f8e6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCBD.exe

Filesize
20KB

MD5
198f1e9da3e41f8626a7e26b8db02d11

SHA1
2fe452fd2b278f2a6f2eb85ca5553c54664bfc45

SHA256
7aa6ca5e9ff752eb0c918d84b6a45e61dccf4931c243da44af85a0edd666c3fc

SHA512
b0e7697082fc8c0b6a3f47dd842e4eba70f2400ddd19ee5e7699e574e3942acce536dca573dd0fac4cdf656b9b34d219087ef80331980de8f3dbdeb96d24501c

Download Submit

Analysis

Sharing