280c55f49f8dfc176107f508b6ff9c703ae6d6d84bce130f38d1982dd24c3671

General

Target

f27adc6159481867b87176875b7691c9_JaffaCakes118.exe
Size

14KB
MD5

f27adc6159481867b87176875b7691c9
SHA1

d89aec1877079328481a688ff98f2f9438eec38e
SHA256

280c55f49f8dfc176107f508b6ff9c703ae6d6d84bce130f38d1982dd24c3671
SHA512

9af8b623817cf2913aef4a95584d9ac8f1b99a67d610e91d6ac8636aa9336d64f966e7cd91f40b28949c70f2a17ffd4ccd77a9c9cdabb5dedd2fea04a4f1bbed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYF:hDXWipuE+K3/SSHgxmF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2292	DEM3CE1.exe
2432	DEM9492.exe
2744	DEMEAFB.exe
1860	DEM4192.exe
1108	DEM98E5.exe
1384	DEMEF4E.exe

Loads dropped DLL 6 IoCs

pid	Process
1696	f27adc6159481867b87176875b7691c9_JaffaCakes118.exe
2292	DEM3CE1.exe
2432	DEM9492.exe
2744	DEMEAFB.exe
1860	DEM4192.exe
1108	DEM98E5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2292	1696	f27adc6159481867b87176875b7691c9_JaffaCakes118.exe	29
PID 1696 wrote to memory of 2292	1696	f27adc6159481867b87176875b7691c9_JaffaCakes118.exe	29
PID 1696 wrote to memory of 2292	1696	f27adc6159481867b87176875b7691c9_JaffaCakes118.exe	29
PID 1696 wrote to memory of 2292	1696	f27adc6159481867b87176875b7691c9_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2432	2292	DEM3CE1.exe	33
PID 2292 wrote to memory of 2432	2292	DEM3CE1.exe	33
PID 2292 wrote to memory of 2432	2292	DEM3CE1.exe	33
PID 2292 wrote to memory of 2432	2292	DEM3CE1.exe	33
PID 2432 wrote to memory of 2744	2432	DEM9492.exe	35
PID 2432 wrote to memory of 2744	2432	DEM9492.exe	35
PID 2432 wrote to memory of 2744	2432	DEM9492.exe	35
PID 2432 wrote to memory of 2744	2432	DEM9492.exe	35
PID 2744 wrote to memory of 1860	2744	DEMEAFB.exe	37
PID 2744 wrote to memory of 1860	2744	DEMEAFB.exe	37
PID 2744 wrote to memory of 1860	2744	DEMEAFB.exe	37
PID 2744 wrote to memory of 1860	2744	DEMEAFB.exe	37
PID 1860 wrote to memory of 1108	1860	DEM4192.exe	39
PID 1860 wrote to memory of 1108	1860	DEM4192.exe	39
PID 1860 wrote to memory of 1108	1860	DEM4192.exe	39
PID 1860 wrote to memory of 1108	1860	DEM4192.exe	39
PID 1108 wrote to memory of 1384	1108	DEM98E5.exe	41
PID 1108 wrote to memory of 1384	1108	DEM98E5.exe	41
PID 1108 wrote to memory of 1384	1108	DEM98E5.exe	41
PID 1108 wrote to memory of 1384	1108	DEM98E5.exe	41

C:\Users\Admin\AppData\Local\Temp\f27adc6159481867b87176875b7691c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f27adc6159481867b87176875b7691c9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\DEM3CE1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3CE1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\DEM9492.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9492.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\DEMEAFB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEAFB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\DEM4192.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4192.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\DEM98E5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM98E5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\DEMEF4E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEF4E.exe"
        7⤵
        Executes dropped EXE
        
        PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4192.exe

Filesize
15KB

MD5
7abe76cead53d94afc73c080572480f8

SHA1
d588545cc4d3dc214d695c666c3175a654abb693

SHA256
28daaebe6ecaa6aac405962b418583feed7f215a1718443bc169a802f0bac43f

SHA512
cea2d9b654c2def9dac7b01ab67d0e61bff99b5f554df09b44ce1a349d9766a9383eb10db523822021f648b2423ad70f3273d32a448f7f0a681f91bcc3fd0518

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9492.exe

Filesize
15KB

MD5
f26b8e47fda7135f5bd3b183cbbf3ba2

SHA1
5f3d114dd04eb6352e0a915c001c937d3b659089

SHA256
b213cfeb195061573596ef16b52329aee0253051cd1bbbe31cef0f1a014b9237

SHA512
95c99f02f67e31b27602f83e6cb8564d66765491b8fd3591ab1feed2b77ad6d0e20f0f57a2133eae71d1033a666b2f67ec84f2a832257da802bfec82d5925876

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3CE1.exe

Filesize
15KB

MD5
04e7b0229afc5fda5763218ccc54666d

SHA1
796e2e1f3a64c8444bc5c9cfa6204df2a0ab7c93

SHA256
44551d09a2220070cdee3437873f5f3fa0712804809d8e16eff83fdf4d7fa794

SHA512
d735a23249f2af70d20ff12a327e1e95acf0b85036d8809842472923009e9352007cec4f1fe74ea91a19b5407e362a285d7a2bbd4159dae25c578698597527c2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM98E5.exe

Filesize
15KB

MD5
85756b1d1350372c0f906b950019a948

SHA1
76b210ab3d876e4d1bb7c5673fb35e4f76265c90

SHA256
9db9538b4f7128f9f346c7b68169d9932cb7fc8b2ab798e4d82b3cb944d38772

SHA512
99781c78527825de816fd6e252738e3fa9799c1e2f317501c4264c419132bd89b04049980f80f815911e55b92e201de7b765002a3185a3c7bddf928c27cba338

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEAFB.exe

Filesize
15KB

MD5
f08140d6b4423a272c12b41741a8571e

SHA1
0d292b7610b0d24715bcd3cd0591c3728214b28c

SHA256
c125487c6e37a83d8a56bcec2a1c0c2f31e8649a130a26ec82dec7b3c219263f

SHA512
abd9e02d1c0d135e08b4c0219839a33c6571070503fb5a0ddfc575d0a8264ec0cec5dbb18b2be1b2289c54a4cf508b04003bd4d0e74b4683ffce1c5454aab7d0

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEF4E.exe

Filesize
15KB

MD5
88b4dc3feab922bf050c2b9ee311d3c7

SHA1
2e5f5ce6e5f4c0500fe118b633706ea3155679d0

SHA256
70b1e017092ba18a0f0a5d2e8aa8f021442bfbedb13985bcb909758f9818a7b1

SHA512
02ac4f1d57f6791200c9c5f5514b5155e15f501340e515f1b3e94149041e76cfcb3aad783e94d87032b85c46c55b9d5bd4faae5b889e4a6bff713a4f5f5cc6a1

Download Submit

Analysis

Sharing