3aefd51b1160b33f8266af5b59d22c76b8668fcf789907373b18a124f0b09408

General

Target

ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe
Size

14KB
MD5

ed98fc7fcc0a7b9ea592d0580eb63335
SHA1

9d084ee742a1a0283e9faeee839178242f85395d
SHA256

3aefd51b1160b33f8266af5b59d22c76b8668fcf789907373b18a124f0b09408
SHA512

1274f01e7d83b2a91c831d3a4e894e2df27269fb40c90b563f676b224e490b8f05d3bbd687528350384ef3d23fb59b2d92949134bc133bae5535bf04dad93393
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq44S:hDXWipuE+K3/SSHgxmq44S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2720	DEM92AE.exe
2676	DEME917.exe
1120	DEM3F80.exe
2208	DEM95D9.exe
2288	DEMECA0.exe
2136	DEM427C.exe

Loads dropped DLL 6 IoCs

pid	Process
1772	ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe
2720	DEM92AE.exe
2676	DEME917.exe
1120	DEM3F80.exe
2208	DEM95D9.exe
2288	DEMECA0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2720	1772	ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2720	1772	ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2720	1772	ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2720	1772	ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2676	2720	DEM92AE.exe	33
PID 2720 wrote to memory of 2676	2720	DEM92AE.exe	33
PID 2720 wrote to memory of 2676	2720	DEM92AE.exe	33
PID 2720 wrote to memory of 2676	2720	DEM92AE.exe	33
PID 2676 wrote to memory of 1120	2676	DEME917.exe	35
PID 2676 wrote to memory of 1120	2676	DEME917.exe	35
PID 2676 wrote to memory of 1120	2676	DEME917.exe	35
PID 2676 wrote to memory of 1120	2676	DEME917.exe	35
PID 1120 wrote to memory of 2208	1120	DEM3F80.exe	37
PID 1120 wrote to memory of 2208	1120	DEM3F80.exe	37
PID 1120 wrote to memory of 2208	1120	DEM3F80.exe	37
PID 1120 wrote to memory of 2208	1120	DEM3F80.exe	37
PID 2208 wrote to memory of 2288	2208	DEM95D9.exe	39
PID 2208 wrote to memory of 2288	2208	DEM95D9.exe	39
PID 2208 wrote to memory of 2288	2208	DEM95D9.exe	39
PID 2208 wrote to memory of 2288	2208	DEM95D9.exe	39
PID 2288 wrote to memory of 2136	2288	DEMECA0.exe	41
PID 2288 wrote to memory of 2136	2288	DEMECA0.exe	41
PID 2288 wrote to memory of 2136	2288	DEMECA0.exe	41
PID 2288 wrote to memory of 2136	2288	DEMECA0.exe	41

C:\Users\Admin\AppData\Local\Temp\ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\DEM92AE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM92AE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\DEME917.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME917.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\DEM3F80.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3F80.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\DEM95D9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM95D9.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Users\Admin\AppData\Local\Temp\DEMECA0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMECA0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\DEM427C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM427C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F80.exe

Filesize
14KB

MD5
284b4c92e527064d1f0849591075dd92

SHA1
5130467765a9d950c09b4be01fa36e5a16f0e07a

SHA256
c472575b30f008894dccedddbae08e6b0ec9c175c22c1004813f886d5534830e

SHA512
b998db1c83e5cf2a759aa16e9a477d762d15ab5a1804d9737f7d43dbdee4531fb10baa05841624099c056550ff9eacbac08e413a909a5dd6fdb2e8ebd5e05cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM427C.exe

Filesize
14KB

MD5
b9ea26c4e36d2b6246418e36f686f3e8

SHA1
1c24c4aa2246c8dd86c48ff14e85e99ae1d3f206

SHA256
764f234ad48f2d2751dcbdfb7e5f7e22bdcfae137ce2d40d85733866651beb0d

SHA512
dc25c8e44bc709e8115042249b8b03914e8c6edbc8b3488c1e7a23c9e18f93d235229b34312af2d5237c9153241f5f7a2a9aa003779a379b4d72ace6904ad8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM92AE.exe

Filesize
14KB

MD5
f9a284d5e2f286ad7d4f7c0188b0c670

SHA1
4cb15272eb5a3ed8ed912b7728c097884d5e72a6

SHA256
1419eb4a43ff1affff235c4b438d744b26ddd21e935e3cb7135dabb0bb389745

SHA512
25f80d2b64dbab9a9a550b47cfb7efd94fbc3c37fd5fe90dccfd4554c7a921b45456fab01a00f0e3e0b0ae1a1965e475feef77afa91a14330dcd45e432bb4f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM95D9.exe

Filesize
14KB

MD5
f9782f29cca46f3a0dd672e4e5dffa40

SHA1
265b8e158465ded83b3a8e9211e63de4f6815f51

SHA256
7d79f6958d4d1a6112745223ea9f28bda27efa43aa809703d8ea5f3260428a45

SHA512
c1311622683fc4cd3e028031c0fdaa6112180b75c6a2e353bd041e8c9a6d128797e4aa4d4fd4c2b2b75fa9bc3a666c77248a78efd427f0b6c8c8b5d84527717b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME917.exe

Filesize
14KB

MD5
6b27162b8057e1ae476240b2716183ed

SHA1
74e5c2debcb5e50867e2998fed968a8ab55c8cb7

SHA256
ab13a627d4bbdc0dfc09d8031ae799c18c63b66a076635e26233c443c56db631

SHA512
945940352ed22666471d15364aceb4afbb3fb6e51cc82f0223c59f5d45a3ae246ab9773f284d80e9ed7c233a0b348d8b14139882c68abd093412b1ff09f47f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMECA0.exe

Filesize
14KB

MD5
d4282ac1b2f5404d8cda3950ebc07fe6

SHA1
410860489461836e52e109841853486572fdee31

SHA256
fb61a8012ed9a46e04c487f38bc03b8a802b8dc0e2796fb70dc29796e346739f

SHA512
cacf1f7da841f9bffc1eaddf995fd1e94219049fe5b3e26bbd869983bd0b3f0e9f9b7f500fa3884b1bd6682dd6dca784bbffff41811a456cbcb8c64c360f5070

Download Submit

Analysis

Sharing