9d997d8a14d4261ab5f3c097bd0d0af1da3e0415a134035db13bc9a0b5e191e2

General

Target

f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe
Size

20KB
MD5

f4123d6b6601e98963f4b05c6a5ff35d
SHA1

11e447a518d372a62d4926a5bb48833613687b68
SHA256

9d997d8a14d4261ab5f3c097bd0d0af1da3e0415a134035db13bc9a0b5e191e2
SHA512

f1a99619f810e46c5af54fdf68a9c3a0aca7d1b7aa6e549a0f960d1c55fb08347f3694ae06c07f7e29409954889f41dc4b1eaee8ee070e26ad69fea161bd5c2b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PR6:hDXWipuE+K3/SSHgxmHZPR6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2608	DEM60A6.exe
2328	DEMB75D.exe
2512	DEME62.exe
2820	DEM648D.exe
2396	DEMBAF6.exe
1944	DEM10B3.exe

Loads dropped DLL 6 IoCs

pid	Process
2188	f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe
2608	DEM60A6.exe
2328	DEMB75D.exe
2512	DEME62.exe
2820	DEM648D.exe
2396	DEMBAF6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2608	2188	f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2608	2188	f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2608	2188	f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2608	2188	f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe	29
PID 2608 wrote to memory of 2328	2608	DEM60A6.exe	33
PID 2608 wrote to memory of 2328	2608	DEM60A6.exe	33
PID 2608 wrote to memory of 2328	2608	DEM60A6.exe	33
PID 2608 wrote to memory of 2328	2608	DEM60A6.exe	33
PID 2328 wrote to memory of 2512	2328	DEMB75D.exe	35
PID 2328 wrote to memory of 2512	2328	DEMB75D.exe	35
PID 2328 wrote to memory of 2512	2328	DEMB75D.exe	35
PID 2328 wrote to memory of 2512	2328	DEMB75D.exe	35
PID 2512 wrote to memory of 2820	2512	DEME62.exe	37
PID 2512 wrote to memory of 2820	2512	DEME62.exe	37
PID 2512 wrote to memory of 2820	2512	DEME62.exe	37
PID 2512 wrote to memory of 2820	2512	DEME62.exe	37
PID 2820 wrote to memory of 2396	2820	DEM648D.exe	39
PID 2820 wrote to memory of 2396	2820	DEM648D.exe	39
PID 2820 wrote to memory of 2396	2820	DEM648D.exe	39
PID 2820 wrote to memory of 2396	2820	DEM648D.exe	39
PID 2396 wrote to memory of 1944	2396	DEMBAF6.exe	41
PID 2396 wrote to memory of 1944	2396	DEMBAF6.exe	41
PID 2396 wrote to memory of 1944	2396	DEMBAF6.exe	41
PID 2396 wrote to memory of 1944	2396	DEMBAF6.exe	41

C:\Users\Admin\AppData\Local\Temp\f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\DEM60A6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM60A6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\DEMB75D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB75D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\DEME62.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME62.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\DEM648D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM648D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Users\Admin\AppData\Local\Temp\DEMBAF6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBAF6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\DEM10B3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM10B3.exe"
        7⤵
        Executes dropped EXE
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB75D.exe

Filesize
20KB

MD5
e62bc78f5010f6511c5ba0c1c07372ca

SHA1
6221844c51c58e2eab4c9ad99390d1650631be38

SHA256
aed0b26bfc4ef7090cc19a14fa314dad4d271084eb261f35ed3585f006343cdd

SHA512
ac6be74b102e7f057ac6be05840cf4fdf1ea432c80502887e0614baf246d54fa2cfe8620566ff95a0901e9b20617b9906c222fbe4c45959e25a1d4532bed27c1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM10B3.exe

Filesize
20KB

MD5
97a95741cb70708b83f6226051191aa7

SHA1
ce45c6dfe03a3a41597d4f39cf448d27349fedca

SHA256
9411fa8c3cf81ae70ad0668e972e1ff18c78865dc450a4ce186ca65d4a22f864

SHA512
3dd0aea3b833617b1aac2089c069b02d3e0306a4222dc046eef53d697d90e466972f6bd2f310adff18a13e7e2c96a601c44af9eca38970ec381daddb14c34969

Download Submit
\Users\Admin\AppData\Local\Temp\DEM60A6.exe

Filesize
20KB

MD5
4f9af7473f3cfedc11817a8bbcafb8b0

SHA1
4a45f1a4b3671743cd748aec283025f07d68808e

SHA256
39389e5ef40acf68d3eebac217fa2e4bbd7e763bad275c3b87532983e28cbfad

SHA512
e92c447d2de30acbd6d47a8580f3264cb39ef5adf11edd8addb71ab9e496891e6c116967ecaffd358e9b3dcf2bb1c5e0a3f05a8b70ea59bc5a55e06cfe8754bd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM648D.exe

Filesize
20KB

MD5
1bf01db02925ca9331b0f75a26f4779a

SHA1
9d894b00a9a41a3e6bd65d6610287c1d61648053

SHA256
aa1e242d10bf837c2c7ef7a87401c59391cb02e5a8569d66ffa972d6b0599de2

SHA512
343933cfb7f349dc5e79199fcc81937975bcb01e709d02963a1fb7c6885eca3648bc64952403153969305580663ff338170569ae81cadf20f421889f32d93a57

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBAF6.exe

Filesize
20KB

MD5
dafb8bdbfb5949033ce762b998fa8e50

SHA1
3af83128138821cf3a290567d193f043220d5d16

SHA256
d32462d8598939d5b2547756d3a13351fb8de25e21ebac5718ec860050cb7ab3

SHA512
783719d3396ffbb31a9237aa9583d5cb4483e600a4638d65f84bd2937d450cbe9941eb00971804ec8de4691d32ae9f8f348ab2e1c09361c316b400cb35b8a07b

Download Submit
\Users\Admin\AppData\Local\Temp\DEME62.exe

Filesize
20KB

MD5
82befb7132c52ba98f9c60f0f62ed1e5

SHA1
8d53d2fc352af9c6fe879cdb41e3a2406a923366

SHA256
9ed7b69022a7b4461d31e65bbf78356ce45b9913c98b7a5cc08cd9a3a8ab62de

SHA512
c1c4603bd3ed5a0ac5805febea7fefc5afa84a1b94766df8660c385e9e65dddc7deb3a21a71fdc13b8302c3722c71349cef5e6bf06464433a636a33b947ee466

Download Submit

Analysis

Sharing