8ac2111a44cb9300da4a9e0e84ede9b1815d80264638ac765e1539c0966844d4

General

Target

f275c3e31eae93aed3ee177548762b77_JaffaCakes118.exe
Size

13KB
MD5

f275c3e31eae93aed3ee177548762b77
SHA1

c4b2fefd383004555caed1e2b02ddbb8a47c1c3a
SHA256

8ac2111a44cb9300da4a9e0e84ede9b1815d80264638ac765e1539c0966844d4
SHA512

86f0d34771ebd17660b56d4f2a2fe1f17b961ce4b84d82c7c7246262bca51f42328043af8bd201eb8afa849d46f243ac2ca1f1a8adf3a0dcea545e7bdb5dedd5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh9p:hDXWipuE+K3/SSHgxHp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2640	DEM72C0.exe
2528	DEMC8FA.exe
1360	DEM1EC7.exe
1008	DEM74F1.exe
2344	DEMCAFD.exe
1592	DEM21A4.exe

Loads dropped DLL 6 IoCs

pid	Process
2492	f275c3e31eae93aed3ee177548762b77_JaffaCakes118.exe
2640	DEM72C0.exe
2528	DEMC8FA.exe
1360	DEM1EC7.exe
1008	DEM74F1.exe
2344	DEMCAFD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2640	2492	f275c3e31eae93aed3ee177548762b77_JaffaCakes118.exe	29
PID 2492 wrote to memory of 2640	2492	f275c3e31eae93aed3ee177548762b77_JaffaCakes118.exe	29
PID 2492 wrote to memory of 2640	2492	f275c3e31eae93aed3ee177548762b77_JaffaCakes118.exe	29
PID 2492 wrote to memory of 2640	2492	f275c3e31eae93aed3ee177548762b77_JaffaCakes118.exe	29
PID 2640 wrote to memory of 2528	2640	DEM72C0.exe	33
PID 2640 wrote to memory of 2528	2640	DEM72C0.exe	33
PID 2640 wrote to memory of 2528	2640	DEM72C0.exe	33
PID 2640 wrote to memory of 2528	2640	DEM72C0.exe	33
PID 2528 wrote to memory of 1360	2528	DEMC8FA.exe	35
PID 2528 wrote to memory of 1360	2528	DEMC8FA.exe	35
PID 2528 wrote to memory of 1360	2528	DEMC8FA.exe	35
PID 2528 wrote to memory of 1360	2528	DEMC8FA.exe	35
PID 1360 wrote to memory of 1008	1360	DEM1EC7.exe	37
PID 1360 wrote to memory of 1008	1360	DEM1EC7.exe	37
PID 1360 wrote to memory of 1008	1360	DEM1EC7.exe	37
PID 1360 wrote to memory of 1008	1360	DEM1EC7.exe	37
PID 1008 wrote to memory of 2344	1008	DEM74F1.exe	39
PID 1008 wrote to memory of 2344	1008	DEM74F1.exe	39
PID 1008 wrote to memory of 2344	1008	DEM74F1.exe	39
PID 1008 wrote to memory of 2344	1008	DEM74F1.exe	39
PID 2344 wrote to memory of 1592	2344	DEMCAFD.exe	41
PID 2344 wrote to memory of 1592	2344	DEMCAFD.exe	41
PID 2344 wrote to memory of 1592	2344	DEMCAFD.exe	41
PID 2344 wrote to memory of 1592	2344	DEMCAFD.exe	41

C:\Users\Admin\AppData\Local\Temp\f275c3e31eae93aed3ee177548762b77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f275c3e31eae93aed3ee177548762b77_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\DEM72C0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM72C0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\DEMC8FA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC8FA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\DEM1EC7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1EC7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\DEM74F1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM74F1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Users\Admin\AppData\Local\Temp\DEMCAFD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCAFD.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\DEM21A4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM21A4.exe"
        7⤵
        Executes dropped EXE
        
        PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1EC7.exe

Filesize
13KB

MD5
dc409de856901c240f0b72dbab4aa4d9

SHA1
744cca9aff9b2d122b769002b5e3ff18811bf2c3

SHA256
ec968bc35ce56358e57e1adaaac93c00d5cb4458059d27c60442f511815a4c33

SHA512
a1e76c5095463a24e41058610949ea770a4b0c51bb881873472c63c1acd4398b81e32f5a3e2945a6c1116df6c15220d04949728218f4e9aafbbc72ca117c43cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC8FA.exe

Filesize
13KB

MD5
b2d622fc4b46ecd6abce70da151e2ada

SHA1
b23fcf1152a397bb9d8e6154dc880df0e280587d

SHA256
acda8f97a8e16f044331481b8509bce2c4d7b5eb88cb49a9a5c7891de5f87556

SHA512
b8e3f5eff5559decec0ae1caacb638266e003abe73fa34743d1049ec8723ea25d19a5adf4f70521089829069df6f06eb1b3c3010013f55d5bbf3f4b6fa9c4d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCAFD.exe

Filesize
13KB

MD5
1666e969ec8ad3cd25550e7a15f078e2

SHA1
fdd77ae59e02a6a7dfd507b9013d66ce097177b1

SHA256
5046e633640bdb1d152fc595e15a80108cd7480444fce6c7205a05eb192c70ea

SHA512
a8bbd9632dd9c9738c90016ce08514850dd627b0a4bf2dda5893c9e18e643d44f5b2da11a2a0dc83d242744cce3b709b0bff4886a1d6e229619200f15eeaa8d1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM21A4.exe

Filesize
13KB

MD5
ff9160cdd0b46ab33dcf3696a3fe3e68

SHA1
7942c83a308bf53c0805355269c65eacf1d19710

SHA256
cbbfed975c86d483db87690a198751fed33c7c01be66dced2e2ba7218b5ee52c

SHA512
a89a8cd75e85359f02d383c43af69287f17f4db4415a8258a6541baa1ec717e9e28f4979c5c058f69d07249df9c8c7440e9e858dd8ff2f2bd55c1f1cc5d13117

Download Submit
\Users\Admin\AppData\Local\Temp\DEM72C0.exe

Filesize
13KB

MD5
f911c7a943f1d5c018fea6309f431b7a

SHA1
4db2cdbaeb8a8efdbaa15e6e8a4b74e543fa23b6

SHA256
5e194416e1ead136ec5029ead03957afddc8bf78714fdd417852ce017858c645

SHA512
c9cfda3e3b9e97c170bf9796bf04bb906efd6fb3b7dde43f4ff6a836c75ebb62f3b4b677cded8b8a80d86adfd87cdc97dcc1d9788800f651b72dcc49eb9c2601

Download Submit
\Users\Admin\AppData\Local\Temp\DEM74F1.exe

Filesize
13KB

MD5
21d17068019b4ca06209c3dc4bda68b6

SHA1
0efecf232e2586a4e6f84d44732edb42e1db09e5

SHA256
ee52bf0f426c5708ede3cfe798f9226d78681a5dbae346b105c2c952771d20a0

SHA512
aa46e2b2d25dc883ee015fddffc87cd8f239526187658e4e207fc091226f9f5affd9955a0c3b81ce6e5b3e83a2c7d5c7663755d1889510f63143b843a1c3bfd2

Download Submit

Analysis

Sharing