028ff9a295822cbd3b14fed347403939e2924574c4e2dcb13ce20b29527ae523

General

Target

f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe
Size

14KB
MD5

f4618480bd40d38c80c13339097ed22d
SHA1

4056027b84ac2360146164c654dd2473964b451f
SHA256

028ff9a295822cbd3b14fed347403939e2924574c4e2dcb13ce20b29527ae523
SHA512

5606bcf23605f4b7fa7f7ab54eb6f6bbe9779a29c3b4f5ff263a2ef0d2b39a266ce08b5d29c89faef674e51ae3df772083612ff83472cb10e8f7ff2c00588eae
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5idv:hDXWipuE+K3/SSHgxl5idv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2588	DEM8FC1.exe
2420	DEME6A7.exe
584	DEM3C45.exe
2396	DEM9379.exe
2184	DEMEACC.exe
2060	DEM4144.exe

Loads dropped DLL 6 IoCs

pid	Process
640	f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe
2588	DEM8FC1.exe
2420	DEME6A7.exe
584	DEM3C45.exe
2396	DEM9379.exe
2184	DEMEACC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2588	640	f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe	30
PID 640 wrote to memory of 2588	640	f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe	30
PID 640 wrote to memory of 2588	640	f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe	30
PID 640 wrote to memory of 2588	640	f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe	30
PID 2588 wrote to memory of 2420	2588	DEM8FC1.exe	33
PID 2588 wrote to memory of 2420	2588	DEM8FC1.exe	33
PID 2588 wrote to memory of 2420	2588	DEM8FC1.exe	33
PID 2588 wrote to memory of 2420	2588	DEM8FC1.exe	33
PID 2420 wrote to memory of 584	2420	DEME6A7.exe	35
PID 2420 wrote to memory of 584	2420	DEME6A7.exe	35
PID 2420 wrote to memory of 584	2420	DEME6A7.exe	35
PID 2420 wrote to memory of 584	2420	DEME6A7.exe	35
PID 584 wrote to memory of 2396	584	DEM3C45.exe	37
PID 584 wrote to memory of 2396	584	DEM3C45.exe	37
PID 584 wrote to memory of 2396	584	DEM3C45.exe	37
PID 584 wrote to memory of 2396	584	DEM3C45.exe	37
PID 2396 wrote to memory of 2184	2396	DEM9379.exe	39
PID 2396 wrote to memory of 2184	2396	DEM9379.exe	39
PID 2396 wrote to memory of 2184	2396	DEM9379.exe	39
PID 2396 wrote to memory of 2184	2396	DEM9379.exe	39
PID 2184 wrote to memory of 2060	2184	DEMEACC.exe	41
PID 2184 wrote to memory of 2060	2184	DEMEACC.exe	41
PID 2184 wrote to memory of 2060	2184	DEMEACC.exe	41
PID 2184 wrote to memory of 2060	2184	DEMEACC.exe	41

C:\Users\Admin\AppData\Local\Temp\f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\DEM3C45.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3C45.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Users\Admin\AppData\Local\Temp\DEM9379.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9379.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\DEMEACC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEACC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\DEM4144.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4144.exe"
        7⤵
        Executes dropped EXE
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe

Filesize
14KB

MD5
b6f1a8950a55a1114dbcde30c36086dc

SHA1
8905cf4275ff76af983bcddca4ca44777fd47b33

SHA256
d43a3e2dd4c646a38b6b7132427f4afb43809fe5be4b055a041252ac219d36c3

SHA512
89b51bf90d502b92fbfa031be9a8e7d9d52b34e0b27f7d6fbfb4d1d563533e2224ebafcd86db50e5449b1bb3f144ff0bda36fde9cd4f6bd4cd5ba6582361f0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe

Filesize
14KB

MD5
b5b053c83c8e413cdc2b6f3f3babb2a1

SHA1
135fb0a2d54b179bde0e3fda9056b04b1292124f

SHA256
105971aa454dd97dfd396fd3ef0c76ae0aef0b7abc42161c94798ee43142d355

SHA512
d76860428429d501e5aafee657f779904f436c9682e7eed93ca78b0a351d5fa020ece267bd3f8d70dcf33a6d620dbeaa65483ddf55e4908c6f21756df5905afc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3C45.exe

Filesize
14KB

MD5
d3e2e1baf8d9b81f41ed073a6d9ae2b3

SHA1
aaaa1ba8b046284e39746114f39a4657cae6b449

SHA256
34dee1d4e533a61ca7a99db175dad04abc4a1d5b219906f25624b54cc70139a9

SHA512
1e100ddc2f06afdf5d9466c19f760657e55c65c036cf7e78c9947e2f326f8de6cd19185b5f7dc43cb141c56dd1c8672c5e37ba0cdb934c292255327a9d270c35

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4144.exe

Filesize
14KB

MD5
0ef4fef010c5581ddef2c7a358a200cb

SHA1
695e1e995f82f11bf60b06c188872ec13309ff60

SHA256
ee5364a97988e2d2236be2f7f7fcab816baa40423b5bc408b7adf27167c35733

SHA512
857c9390bcdce0eada015a81718e0a23c9a670ee107bb0332e5c69efcbf6c94b6a0966b1b7ce118c972a5be8c347ca8cad2ba715cab3fd09cd4d7b144ef97442

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9379.exe

Filesize
14KB

MD5
7a9a5a5d24cd0186e64491283ccdf96d

SHA1
9eb8aeb6f0fab8c09906fce6e5ada1056e4dab9b

SHA256
c389380581058b428936ba388554da4bbf2420a8273fccd4b65f6bd796af5d60

SHA512
1eeaf0201889de0a2b0d01311e5799a48ad3a8d73c2b81baef10b181e6b173b28c5d27b6adc7fd2c8d267febdd507a2581548be344cc2e0820ae355fee58e24f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEACC.exe

Filesize
14KB

MD5
7e56d5b4f48fd1c2972f19b0c698d079

SHA1
b59bce1d706bc84f312afcf60a7d84d3c18229d4

SHA256
480690a0b39a9d29226f5cf1bd82115d8dfe719fd13be492744e91384adbe7b7

SHA512
b162b53f7f13d45b794536d892d4db02e506d658598fdb13870b6f5fd228e14c9744cb910e626316dc116f6283742125a79db8f332000fb13473479c485ab017

Download Submit

Analysis

Sharing