3fc7be74c396fcb970bd6b3504b55ec1bccce50ab0c0b3973513f43d283d0e20

General

Target

f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe
Size

15KB
MD5

f100cd2739e4bb6002798c428d73c83c
SHA1

99b9fe26a5604347532f95523cbd6791abc4c520
SHA256

3fc7be74c396fcb970bd6b3504b55ec1bccce50ab0c0b3973513f43d283d0e20
SHA512

303fb39399b2e37ca81f2a987be2d311aae40db8976b6929e13ab6a2e0d3c70f09ce413867cd36620fc37bbb88609546f25558f59f808dbe6ebbf4e6770f9957
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYLNL:hDXWipuE+K3/SSHgxmLN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2592	DEM17C5.exe
2172	DEM6D44.exe
2844	DEMC320.exe
1628	DEM18AF.exe
1556	DEM6E3D.exe
2572	DEMC38D.exe

Loads dropped DLL 6 IoCs

pid	Process
2952	f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe
2592	DEM17C5.exe
2172	DEM6D44.exe
2844	DEMC320.exe
1628	DEM18AF.exe
1556	DEM6E3D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2592	2952	f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2592	2952	f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2592	2952	f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2592	2952	f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2172	2592	DEM17C5.exe	31
PID 2592 wrote to memory of 2172	2592	DEM17C5.exe	31
PID 2592 wrote to memory of 2172	2592	DEM17C5.exe	31
PID 2592 wrote to memory of 2172	2592	DEM17C5.exe	31
PID 2172 wrote to memory of 2844	2172	DEM6D44.exe	35
PID 2172 wrote to memory of 2844	2172	DEM6D44.exe	35
PID 2172 wrote to memory of 2844	2172	DEM6D44.exe	35
PID 2172 wrote to memory of 2844	2172	DEM6D44.exe	35
PID 2844 wrote to memory of 1628	2844	DEMC320.exe	37
PID 2844 wrote to memory of 1628	2844	DEMC320.exe	37
PID 2844 wrote to memory of 1628	2844	DEMC320.exe	37
PID 2844 wrote to memory of 1628	2844	DEMC320.exe	37
PID 1628 wrote to memory of 1556	1628	DEM18AF.exe	39
PID 1628 wrote to memory of 1556	1628	DEM18AF.exe	39
PID 1628 wrote to memory of 1556	1628	DEM18AF.exe	39
PID 1628 wrote to memory of 1556	1628	DEM18AF.exe	39
PID 1556 wrote to memory of 2572	1556	DEM6E3D.exe	41
PID 1556 wrote to memory of 2572	1556	DEM6E3D.exe	41
PID 1556 wrote to memory of 2572	1556	DEM6E3D.exe	41
PID 1556 wrote to memory of 2572	1556	DEM6E3D.exe	41

C:\Users\Admin\AppData\Local\Temp\f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\DEM17C5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM17C5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\DEM6D44.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6D44.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\DEMC320.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC320.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Users\Admin\AppData\Local\Temp\DEM18AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM18AF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\DEM6E3D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E3D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\DEMC38D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC38D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6D44.exe

Filesize
15KB

MD5
2883127e9d29b58e40ca010bf2992ef2

SHA1
3139983cc2468819356c28d83cf6c151d33c791e

SHA256
01bf3ef0f4c43a979ec60df29c5e3d648e6539b73367f278a1723a06dd9c4d02

SHA512
1b2b57a1aa5ff006c5e96af7772315a9a7bd81aebe7756ff04501bc66c64093f7a37198e89c23800090e6c817dcdf3e626e4cc111cb7024656edff6d7a2ae6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC38D.exe

Filesize
15KB

MD5
069eb585a1a5833b2b81348609493c88

SHA1
eb2ba6c8a25735ed265ed56d22e5a80c079cea83

SHA256
f249d5575c473b50a80677104c85847a8f451efaa8c8e28cc65addee5e2a3a3f

SHA512
297bd7bf1439a5fc88538db6407952da8aaf20a8481326a351749a14124f9b06c7882dbeab6f697ff453869466c5ed0337807365418a9bc5d4787c2915160253

Download Submit
\Users\Admin\AppData\Local\Temp\DEM17C5.exe

Filesize
15KB

MD5
6297101022c41380c65ba6de9c061d4b

SHA1
a7c1b06997ea4d6d04b57bff27d3029db0c28a9f

SHA256
660a406ca4fe18c61513d9e116d3e80e0b85715c57f37fea945481f7911c6d34

SHA512
f64cbba07211a21ae9453f44ad19498559b2dbcbc5d0a191c47fb66bb686a74a9effe19ea1527df1b31435565202f9ba40467324efffaeee27fc5eeb6f0080b7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM18AF.exe

Filesize
15KB

MD5
449a0a24b5bff6f6ba9c56038715dbd0

SHA1
25b756291b35c3b48251bd8ba0c3bc81c647eb38

SHA256
4133e2dc326cccb01f6532dbefffc2903f7089caf8f7a269d9462690967d0c4e

SHA512
9097e010f6ef6a95c03845d7b45887ef20393627d6e8ad5f9cc10e6eb09c6a63c1fd7285da29d2bce23592930e2adfdee36a1793801f5cf27e92e49ef6b7d398

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6E3D.exe

Filesize
15KB

MD5
172dab5a6074a41a2f1f8e2e90e68685

SHA1
7d70342e4ae2c81f583cdb6afc2263d5e73970ef

SHA256
c2f0b7d400551b2c86ab09fe47b372de64efe12bf80fd43a94149af254a8dff2

SHA512
85a826740c42e8db82be0f1aabf6adc77ed9dc7c8e524aa335124d23c04ad415d9d5b360df5c825b4ae781f5c4a75d71537647f2cf7aeb795686a511e277224c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC320.exe

Filesize
15KB

MD5
b19db9d8aeb9017c224a8e1854ec7e59

SHA1
fac49211a850e78a9b555faf32bd4ca8d51d3b5e

SHA256
d73ddb5c3638bb3f6599753e09b6b8593db934c5e3a6442a81c7c04bb718a0da

SHA512
7ea52a9621419a7d373d4c601b5c5c31b3b30a894d4ed4ade5459fa9298e32c64feb4afec770ebd9ed55b7c13c172f887de1e11359a97c8e33c0c23ddb521521

Download Submit

Analysis

Sharing