ed1724d3a81924534da2d3fd310a23331b86ceb973737418692c63676e165ea9

General

Target

f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe
Size

16KB
MD5

f12dae9f32fa3e1498fa08e4dbfce7d2
SHA1

9b4320acbbe4ec6faa42a307a1774f224d15ac96
SHA256

ed1724d3a81924534da2d3fd310a23331b86ceb973737418692c63676e165ea9
SHA512

84a7f164da30b886829d5062eb2746f9037f23257ea17faedf8fcebdb45e4dfb9fdc0130ded20f6c9c7f13f51a3206a734c421cbdf3047de718a058debdc2550
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+Lc:hDXWipuE+K3/SSHgxmHt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2728	DEM1989.exe
2656	DEM6F47.exe
1440	DEMC487.exe
2028	DEM1A16.exe
1648	DEM6FB4.exe
2928	DEMC561.exe

Loads dropped DLL 6 IoCs

pid	Process
2204	f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe
2728	DEM1989.exe
2656	DEM6F47.exe
1440	DEMC487.exe
2028	DEM1A16.exe
1648	DEM6FB4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2728	2204	f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2728	2204	f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2728	2204	f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2728	2204	f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe	29
PID 2728 wrote to memory of 2656	2728	DEM1989.exe	31
PID 2728 wrote to memory of 2656	2728	DEM1989.exe	31
PID 2728 wrote to memory of 2656	2728	DEM1989.exe	31
PID 2728 wrote to memory of 2656	2728	DEM1989.exe	31
PID 2656 wrote to memory of 1440	2656	DEM6F47.exe	35
PID 2656 wrote to memory of 1440	2656	DEM6F47.exe	35
PID 2656 wrote to memory of 1440	2656	DEM6F47.exe	35
PID 2656 wrote to memory of 1440	2656	DEM6F47.exe	35
PID 1440 wrote to memory of 2028	1440	DEMC487.exe	37
PID 1440 wrote to memory of 2028	1440	DEMC487.exe	37
PID 1440 wrote to memory of 2028	1440	DEMC487.exe	37
PID 1440 wrote to memory of 2028	1440	DEMC487.exe	37
PID 2028 wrote to memory of 1648	2028	DEM1A16.exe	39
PID 2028 wrote to memory of 1648	2028	DEM1A16.exe	39
PID 2028 wrote to memory of 1648	2028	DEM1A16.exe	39
PID 2028 wrote to memory of 1648	2028	DEM1A16.exe	39
PID 1648 wrote to memory of 2928	1648	DEM6FB4.exe	41
PID 1648 wrote to memory of 2928	1648	DEM6FB4.exe	41
PID 1648 wrote to memory of 2928	1648	DEM6FB4.exe	41
PID 1648 wrote to memory of 2928	1648	DEM6FB4.exe	41

C:\Users\Admin\AppData\Local\Temp\f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\DEM1989.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1989.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\DEM6F47.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6F47.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\DEMC487.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC487.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Users\Admin\AppData\Local\Temp\DEM1A16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A16.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\DEM6FB4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6FB4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\DEMC561.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC561.exe"
        7⤵
        Executes dropped EXE
        
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6F47.exe

Filesize
16KB

MD5
c4872ff113d161eac078ad6faa624d69

SHA1
77e0765be9767bdab4881a29927325a43e329afc

SHA256
09d109f31a74d735699abfdaeda5b0d4faf4e86fda4ae9b0b1a88a2aeb39dbc3

SHA512
ad4e84184b5e2685fe2231e1da41fda2e609e960b22071edfe62822963c821bcedf4cf40d5a53a40c3e1b6b7bbb795d9b9542f4c82095fbfb502d5552f745e87

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1989.exe

Filesize
16KB

MD5
922757dd448d3c6d97d1a8f155b172f7

SHA1
6558219852a1819652cc290fc065d033e5d49413

SHA256
05527c1a327c1bd20c590842310f9c4d779210f37f5cff8f0d3e605aa827b8c3

SHA512
fd19af489079fb48d85d2e1630095afbe71386d2ef037654109dfd31b0d6b4ff642e6698448a7974c6bbdbd8e887b4401c7a66691450b7bd5606459021b1f90c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A16.exe

Filesize
16KB

MD5
ee7f88af091f799b5c49bda06c15b321

SHA1
b624471f87d21c91472efbd216314202bef8a84a

SHA256
72791cf5d1ffb61c04b35bf7333a81c978de5ea5aa022bc39472b82b2fe089d1

SHA512
1343c7d0a8e69db2aef28e9836f3dc902f8e73ada131ea1d53d913e2d9ca523c3802362ab082a56314535363b97e2611ccbc0737c00362288efd1f79663f6f10

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6FB4.exe

Filesize
16KB

MD5
ae61c1932dd6198fe36bb4d35722c83d

SHA1
8404c09aadf02dc6fa4f3dfb11eaed62e540a5c5

SHA256
d8b328fe61be175c5bc63b5e01dfe151f0e25a2dbc6ae78da5a2c1222cbbbfec

SHA512
05cd4ca7db4bad3716d2d991b10a8eb1dd0e4e7fa61f26481e74273711d3d3cb32c1c455a1e0b790db6127832722ff6b79c81ac71e409d020142b58452484e9a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC487.exe

Filesize
16KB

MD5
1756f755572449d5ef0910e215bcb9ba

SHA1
52be58f6944d5bbc9d1a2b07bbefac2778ce0a3e

SHA256
fa19b95cfc537d75db8abc9c8ccc28af793147c9990e09e091ca7887af10065b

SHA512
c2eac340627a8b826032e3565c57a3186664cfd7e298aab675a168cfd987a9eb117d43bd552068006b43e0e0009cf1db5c86a514a55cdd2f237702f076ed1b5a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC561.exe

Filesize
16KB

MD5
815bea35f07991c0ea98fc6240c4aeaf

SHA1
6424b87b76b0dcf4ad88aa10f5db7d97f0eee9da

SHA256
9139fae9edde9aeba117c7ab36a3379c1dc4ff7129058c30aa9f15fec18e24e5

SHA512
b818fdbc817666fb4c3833da10361b15a2b7747e29f270c11cd8db7b4f7f14b05fe9068cf1730421558a32581852dc085d5b3dbd82ffee889c172a6461fc63f1

Download Submit

Analysis

Sharing