5d7377fc6ddbf0f1d13bf431d7d5140173ea6af64ef67ec7dac2e3dab69d72a7

General

Target

f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe
Size

16KB
MD5

f5cbd2db2f3cb4c4fb69f4b27d7b574f
SHA1

6368de0a11fa988a7a40c9dc57e3f564bc95e0ce
SHA256

5d7377fc6ddbf0f1d13bf431d7d5140173ea6af64ef67ec7dac2e3dab69d72a7
SHA512

ef50f6b004a878436c5b8b39cc36ed662cb372f5798739e21309ba481fca26b94421fc02a4ca9862190db242e425d799d303a3042c717afa1c09873d69b2af45
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyOB:hDXWipuE+K3/SSHgxmyOB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2620	DEM4BDF.exe
3064	DEMA3ED.exe
2708	DEMF9BA.exe
1860	DEM5013.exe
1176	DEMA62E.exe
2276	DEMFC2A.exe

Loads dropped DLL 6 IoCs

pid	Process
2176	f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe
2620	DEM4BDF.exe
3064	DEMA3ED.exe
2708	DEMF9BA.exe
1860	DEM5013.exe
1176	DEMA62E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2620	2176	f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2620	2176	f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2620	2176	f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2620	2176	f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe	29
PID 2620 wrote to memory of 3064	2620	DEM4BDF.exe	33
PID 2620 wrote to memory of 3064	2620	DEM4BDF.exe	33
PID 2620 wrote to memory of 3064	2620	DEM4BDF.exe	33
PID 2620 wrote to memory of 3064	2620	DEM4BDF.exe	33
PID 3064 wrote to memory of 2708	3064	DEMA3ED.exe	35
PID 3064 wrote to memory of 2708	3064	DEMA3ED.exe	35
PID 3064 wrote to memory of 2708	3064	DEMA3ED.exe	35
PID 3064 wrote to memory of 2708	3064	DEMA3ED.exe	35
PID 2708 wrote to memory of 1860	2708	DEMF9BA.exe	37
PID 2708 wrote to memory of 1860	2708	DEMF9BA.exe	37
PID 2708 wrote to memory of 1860	2708	DEMF9BA.exe	37
PID 2708 wrote to memory of 1860	2708	DEMF9BA.exe	37
PID 1860 wrote to memory of 1176	1860	DEM5013.exe	39
PID 1860 wrote to memory of 1176	1860	DEM5013.exe	39
PID 1860 wrote to memory of 1176	1860	DEM5013.exe	39
PID 1860 wrote to memory of 1176	1860	DEM5013.exe	39
PID 1176 wrote to memory of 2276	1176	DEMA62E.exe	41
PID 1176 wrote to memory of 2276	1176	DEMA62E.exe	41
PID 1176 wrote to memory of 2276	1176	DEMA62E.exe	41
PID 1176 wrote to memory of 2276	1176	DEMA62E.exe	41

C:\Users\Admin\AppData\Local\Temp\f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\DEM4BDF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4BDF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\DEMA3ED.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA3ED.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\DEMF9BA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF9BA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\DEM5013.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5013.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\DEMA62E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA62E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\DEMFC2A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFC2A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA3ED.exe

Filesize
16KB

MD5
95b2ce0199fcde47f5442ec3b8d4dcb5

SHA1
953b82c003a81e622e7c97b7e7100e1b6a246bfd

SHA256
a09d2073ddca9938df2cf7e43c0b12fdba99a85cfa58b7dca02f955d611e7540

SHA512
da6cdbbee2b7440109fcd284a417dfe225f820ffc49b38e51b082dd2c0c9d655e75e757ffc00c4118a385114ed65fa6b9e18f32c49a5209ffa5eaf6b592726a7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4BDF.exe

Filesize
16KB

MD5
9f56f17d1b88aea3e363b26ededbc4f3

SHA1
86721022b0296860d53ffbad292b7530fc0b9179

SHA256
dd78d01d47f369c8ad75ccdea6a5bff888a6e419f56836eeaf13ae8e5f5e21e1

SHA512
ff55a4703f44b3460ed2ac19efbb7396baefa4615b7ababbf6e75b6630ac03946b3564a0635b4621a4966685a8fb6a8716c68c027045b63505f0728d04eb1ad2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5013.exe

Filesize
16KB

MD5
ffb301c4038484d798f9963ddcf9f312

SHA1
f366316e62c51fc1acd94250ae2fbec7e6a93267

SHA256
0aac10c1c1e54a49f9b15b38515a5ecd8322116a1911fbdae46a188287dd8270

SHA512
e4339553f9aecf2aa5b46099351e226f357c974539aa079eb449ba6f7c2fbd6b52fc73c77d872189810edf9512578fbf55e7ce8362d7eb56c995346d7540f5ea

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA62E.exe

Filesize
16KB

MD5
dbb07f89e83c8af0f9b962f1c770e097

SHA1
1050d1b6abce7c3438759e0114376404b63b35df

SHA256
0236dc07ea630e73254c4bd6fe0ed4f8e0d9b253b2240d8891090295e36fc285

SHA512
fc5574020203d146fd0685243a20c95fac8f29e20db2ffdafb96311cb8a6cabdc9e425c6faa3151fe24eb866e9c63f307bbcff4f40c5953a74c24005fd90eecc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF9BA.exe

Filesize
16KB

MD5
4d6df0cf6b31152596c24521c60daa4b

SHA1
993cc872d6b5a574e698fb7ed2f957ec208cd707

SHA256
94cc6a98f1a2770e7c53fe20ccf4fafe1c7edb48b3400662911a85877623e347

SHA512
778cf5f7f7c7efe1fc1ab7b951be5f81391481e54c6eaae556d4037f668f8b20f75a2e91c1c0ec3a5ce9a85e913a505b1877433ddf5adc61481814701df3476c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFC2A.exe

Filesize
16KB

MD5
db25b42920cd2f92954e946cf8e981e7

SHA1
17575ce387900a9742745d2a2675930c7e7730a0

SHA256
e218c26772fdfed68f4067d713caac743d871ec67e3afbfc23cb3379c888b334

SHA512
e6fdb29576e5a0ad8aae8cdbe86d448381a94130772d9ec33493102e8913ddf2c562262eef5eef8e4548b2216811c87d852e42aa30860cfb296cdca6b07e9847

Download Submit

Analysis

Sharing