fd6fa686051b07321e8ca5aad47eee1c593d5061a13d229e112727c6c3c501fe

General

Target

f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe
Size

16KB
MD5

f6487fd7dde33f46bf442b9d92e50a50
SHA1

b235e3adc0ae66db916808b058c8ade43f4e1542
SHA256

fd6fa686051b07321e8ca5aad47eee1c593d5061a13d229e112727c6c3c501fe
SHA512

ce50f3bdf141fafb706e3f2866c59c7a08b74ef04032668ff12f45cab974e1c59c010ad410e2ce55be6a7434688ce8238ed23bb1c55ca17c628d628c2d4323d2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8ic:hDXWipuE+K3/SSHgxm8ic

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2500	DEM196A.exe
2864	DEM6ECA.exe
2136	DEMC41A.exe
2196	DEM1A35.exe
2464	DEM6F95.exe
2100	DEMC504.exe

Loads dropped DLL 6 IoCs

pid	Process
1640	f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe
2500	DEM196A.exe
2864	DEM6ECA.exe
2136	DEMC41A.exe
2196	DEM1A35.exe
2464	DEM6F95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2500	1640	f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe	29
PID 1640 wrote to memory of 2500	1640	f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe	29
PID 1640 wrote to memory of 2500	1640	f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe	29
PID 1640 wrote to memory of 2500	1640	f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe	29
PID 2500 wrote to memory of 2864	2500	DEM196A.exe	31
PID 2500 wrote to memory of 2864	2500	DEM196A.exe	31
PID 2500 wrote to memory of 2864	2500	DEM196A.exe	31
PID 2500 wrote to memory of 2864	2500	DEM196A.exe	31
PID 2864 wrote to memory of 2136	2864	DEM6ECA.exe	35
PID 2864 wrote to memory of 2136	2864	DEM6ECA.exe	35
PID 2864 wrote to memory of 2136	2864	DEM6ECA.exe	35
PID 2864 wrote to memory of 2136	2864	DEM6ECA.exe	35
PID 2136 wrote to memory of 2196	2136	DEMC41A.exe	37
PID 2136 wrote to memory of 2196	2136	DEMC41A.exe	37
PID 2136 wrote to memory of 2196	2136	DEMC41A.exe	37
PID 2136 wrote to memory of 2196	2136	DEMC41A.exe	37
PID 2196 wrote to memory of 2464	2196	DEM1A35.exe	39
PID 2196 wrote to memory of 2464	2196	DEM1A35.exe	39
PID 2196 wrote to memory of 2464	2196	DEM1A35.exe	39
PID 2196 wrote to memory of 2464	2196	DEM1A35.exe	39
PID 2464 wrote to memory of 2100	2464	DEM6F95.exe	41
PID 2464 wrote to memory of 2100	2464	DEM6F95.exe	41
PID 2464 wrote to memory of 2100	2464	DEM6F95.exe	41
PID 2464 wrote to memory of 2100	2464	DEM6F95.exe	41

C:\Users\Admin\AppData\Local\Temp\f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\DEM196A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM196A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\DEM6ECA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6ECA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\DEMC41A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC41A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Users\Admin\AppData\Local\Temp\DEM6F95.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6F95.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\DEMC504.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC504.exe"
        7⤵
        Executes dropped EXE
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6ECA.exe

Filesize
16KB

MD5
e0a2a9af6490b84a2e9abf6707a5e811

SHA1
3cdafe579b811c447c3f9df69383c9eb8e134a2d

SHA256
50a4e5a07047214d612ec6970bc5f40a6c7bcc37e071ebb938fd64f3928eb3a1

SHA512
5737d42e85e1cde8541f4be4435e34a803b4865376c75efe4ad8d3d3de9b4b2c212b557b7c1295bb61b34aa6758e7ae61524a4f321bcb37d22de2ffbfcd5cf11

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC41A.exe

Filesize
16KB

MD5
c60695dcdc57fd2549becf9546602151

SHA1
1bb1da60fdfaadb270d37460b16945a89b38121a

SHA256
beb9f05078226126aba3a2be63d861588c337a50a61b63e0740ae006a02cca84

SHA512
94fa16fd09f8756a2a9dc5ec6ae05885a75adde4dd0a25fbf3f2d666e330897494c1b519e33f46d9de96d6932e7fac80821ddbcd7fc8c25ed1c7f8003178b7b0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM196A.exe

Filesize
16KB

MD5
d1a796a32052f45ae0414dae7554adbf

SHA1
65c8c2859a7799d28e205c4455a1a1a34ab58623

SHA256
0e20432141a8d74191b41b6a1c024a44aef8869524b71a7641203cb3469f1aab

SHA512
95328955d10a62b876413ef39991956859f201debeb86f190f72513eeea6455724b208030abb057513b86358a6e486089f020633774c7d068020c3ae1619756c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A35.exe

Filesize
16KB

MD5
67d17575941ff1a57c2a885ef21a8080

SHA1
9126dc0a459b7f5a84b6fcbf0448cc7227afef99

SHA256
c402c18a605ca3166262d7c6bc7bd7969af50109d99fcdba9f59f03bcd5a6bd3

SHA512
735ae8df42638700df1bb6655d0792ef25d10b24bee8a338b878f3a77e0b1191c854b09a295791f7cae6235dd11889ba6f18e6158ea91f3f406bef930cb95e11

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6F95.exe

Filesize
16KB

MD5
3b72d1b72f77aa8a7b09bea0d5612cef

SHA1
a9eeb179d80679f3e5d001a66ba5808ec6d55b08

SHA256
c0ab672a3217b358862e475ea1acf5c0c565c4798b120ed629c9f527255ba122

SHA512
9b17a1ae6c0c9afd8e85ab6beb300901e9d2cd8f648c79974cc83067882a27022937c405613cce699d392abb334c4dda45f65891ff6a9accf44fbe2f7faf1aee

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC504.exe

Filesize
16KB

MD5
88583fa903076329803d96a4bbb2a321

SHA1
f3ad114462829a9631d9e1347da26ed954a7b2a9

SHA256
234d69d79c99586fcc561b5c0aa1d994e68e7468a2a3fca3511cb5b7bc0dc28d

SHA512
28e0bd6c612046d90449c5903608c7f70b476632c4963a6f4efdc6041bb6afd3061df92b67dfe57ed1ef7c1e8615d037f8741a6f240945c0d2bfc5ff6503a23e

Download Submit

Analysis

Sharing