f98b017ac2a2dbefa95fb883a8705b24d902dc4cd31733d370dde1d9e6808798

General

Target

f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe
Size

14KB
MD5

f23f454e607e28fa1d20ab02d1dfe352
SHA1

423c1a26bab639498ff05061d52bb16ddbb343cb
SHA256

f98b017ac2a2dbefa95fb883a8705b24d902dc4cd31733d370dde1d9e6808798
SHA512

be890bc794d6c84c682f0330953c9eff43e968c34c970c1defc921f40a5d2e8bc983ad2443f0ae67bed02dd6d61b6bb7e77ba95d0369ce281dd4f9adb6aa4d5b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhkRw:hDXWipuE+K3/SSHgxL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2600	DEM4930.exe
2420	DEMA026.exe
2544	DEMF612.exe
1944	DEM4B81.exe
1620	DEMA1EA.exe
2812	DEMF798.exe

Loads dropped DLL 6 IoCs

pid	Process
2868	f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe
2600	DEM4930.exe
2420	DEMA026.exe
2544	DEMF612.exe
1944	DEM4B81.exe
1620	DEMA1EA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2600	2868	f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2600	2868	f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2600	2868	f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2600	2868	f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe	29
PID 2600 wrote to memory of 2420	2600	DEM4930.exe	33
PID 2600 wrote to memory of 2420	2600	DEM4930.exe	33
PID 2600 wrote to memory of 2420	2600	DEM4930.exe	33
PID 2600 wrote to memory of 2420	2600	DEM4930.exe	33
PID 2420 wrote to memory of 2544	2420	DEMA026.exe	35
PID 2420 wrote to memory of 2544	2420	DEMA026.exe	35
PID 2420 wrote to memory of 2544	2420	DEMA026.exe	35
PID 2420 wrote to memory of 2544	2420	DEMA026.exe	35
PID 2544 wrote to memory of 1944	2544	DEMF612.exe	37
PID 2544 wrote to memory of 1944	2544	DEMF612.exe	37
PID 2544 wrote to memory of 1944	2544	DEMF612.exe	37
PID 2544 wrote to memory of 1944	2544	DEMF612.exe	37
PID 1944 wrote to memory of 1620	1944	DEM4B81.exe	39
PID 1944 wrote to memory of 1620	1944	DEM4B81.exe	39
PID 1944 wrote to memory of 1620	1944	DEM4B81.exe	39
PID 1944 wrote to memory of 1620	1944	DEM4B81.exe	39
PID 1620 wrote to memory of 2812	1620	DEMA1EA.exe	41
PID 1620 wrote to memory of 2812	1620	DEMA1EA.exe	41
PID 1620 wrote to memory of 2812	1620	DEMA1EA.exe	41
PID 1620 wrote to memory of 2812	1620	DEMA1EA.exe	41

C:\Users\Admin\AppData\Local\Temp\f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\DEM4930.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4930.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\DEMA026.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA026.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\DEMF612.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF612.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Users\Admin\AppData\Local\Temp\DEMA1EA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA1EA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\DEMF798.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF798.exe"
        7⤵
        Executes dropped EXE
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA026.exe

Filesize
14KB

MD5
f4df89d914c2257733c7080c3687890c

SHA1
d6d78556f597404b83e7e0b2870ab2a6ed143fc6

SHA256
c96ae4cdc6ad7cbf8f91e4060fc68c7518c9d3ec9d4c8f19be068276b5d7b308

SHA512
8e096c7a33f8366a20b3563cdf7895fe6450a4ee78a089b266444279d56831db3608f238344cdfaf3483fe883cad37e7b6c765c93a3df9cc339824f4b95c3fcb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4930.exe

Filesize
14KB

MD5
c16412fd3d297d4528d02c7aa7091b7d

SHA1
c56986364f9d5517fec487ebace1f9518bf80f79

SHA256
9d7731c27440362a783a328c5e548fa61d2bf6b4773cd1ee268c7c55b4a19266

SHA512
18c7e58214fe7254078e8c649291fede0342a09d21a00210c0d7c5e90ad3c402e1c7cd05fa8f8c7cf8669e81967db10f33cd56f2f62d72fb25eeb3347af700f3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4B81.exe

Filesize
14KB

MD5
b0fb846dfebeb48eb7d4bd9d84002e73

SHA1
f303921eb06746562ff65fb45cc81dbf8deae6df

SHA256
1133a0f6f5d8e7d557272db8d5d439c398f81fe2f72a5b4ce66a388ea462607a

SHA512
43882786dc0153924cd19d246333df2ae8e7c2051fdb805e708cef82433a5ccbdd05bf80692c197a1837c7fd7cea99cf05707f2136f812a16bcf5158bcb74db6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA1EA.exe

Filesize
14KB

MD5
5cb742e6f6825e88b11bba4a141c9d01

SHA1
997cf8a828cfb9d4d1f85fd083b4b8a7a68b7808

SHA256
160f3ccbce8260b23daeb847cbdf798aef643b3af8675ae5abdbd198337d5ce1

SHA512
cadee3a9b823e23b50a1c2e6e446f37893d427577c23fe02f0b0112577d0417d3f600d5a7071f926dc44cc8d43ac996bbd88b946f58caf6340cd4211810bfead

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF612.exe

Filesize
14KB

MD5
39e8f6eb93ffc0702229e6a5e5715d47

SHA1
cdf0ae7f4ff318517dc4c9f2b5df2b568f5eaa12

SHA256
a1e1cc85f3a5754a16b09507212b826d7901fb291fa08a7af8f4cfbb1d1acac2

SHA512
40c5993ca7ea0a70a3745ee0f7328f95b499ae7557e131d36c78596748a8093c26d221a50f15418b94202ece8ef2c18650813e10fb5af0a74f7116babeb60a03

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF798.exe

Filesize
14KB

MD5
04f92a48de95a1d702251994bf6c899d

SHA1
b1459bac2d436372e0c464732a029bdb57bbf43e

SHA256
6da8ef89c5f2c54dfbb9ce254ad25a8924689cb719774bca6ace9fc60f467378

SHA512
8b64858ab8a656bc8b1afba57b050d40263dfff7eec52484c13f5c301018476b612cc3d453a02220fadc70fac39c7855ce18dd65d231577c623b89fe01cd35ec

Download Submit

Analysis

Sharing