01fe2f24bd4d01533be5a17a519005ebb24a5cd860aa187b0e70a0358afa1125

General

Target

f74d66fbd7991d629e9b6608ddfd0c66_JaffaCakes118.exe
Size

14KB
MD5

f74d66fbd7991d629e9b6608ddfd0c66
SHA1

cb66749dad659878f760d6067971097ec0eed974
SHA256

01fe2f24bd4d01533be5a17a519005ebb24a5cd860aa187b0e70a0358afa1125
SHA512

b3f8e3697659a0698d7629f12e0c9020cd191b54aaa2ac038518b7b71b2367cea19f0776d9b0788d2dc1009580fb18c869253d092e1bfd0dc1f2fac446a83ae3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHuM:hDXWipuE+K3/SSHgx3NHHj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2628	DEM88CF.exe
2980	DEMDF86.exe
1452	DEM3524.exe
1936	DEM8BBC.exe
1660	DEME263.exe
1352	DEM3840.exe

Loads dropped DLL 6 IoCs

pid	Process
1988	f74d66fbd7991d629e9b6608ddfd0c66_JaffaCakes118.exe
2628	DEM88CF.exe
2980	DEMDF86.exe
1452	DEM3524.exe
1936	DEM8BBC.exe
1660	DEME263.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2628	1988	f74d66fbd7991d629e9b6608ddfd0c66_JaffaCakes118.exe	29
PID 1988 wrote to memory of 2628	1988	f74d66fbd7991d629e9b6608ddfd0c66_JaffaCakes118.exe	29
PID 1988 wrote to memory of 2628	1988	f74d66fbd7991d629e9b6608ddfd0c66_JaffaCakes118.exe	29
PID 1988 wrote to memory of 2628	1988	f74d66fbd7991d629e9b6608ddfd0c66_JaffaCakes118.exe	29
PID 2628 wrote to memory of 2980	2628	DEM88CF.exe	33
PID 2628 wrote to memory of 2980	2628	DEM88CF.exe	33
PID 2628 wrote to memory of 2980	2628	DEM88CF.exe	33
PID 2628 wrote to memory of 2980	2628	DEM88CF.exe	33
PID 2980 wrote to memory of 1452	2980	DEMDF86.exe	35
PID 2980 wrote to memory of 1452	2980	DEMDF86.exe	35
PID 2980 wrote to memory of 1452	2980	DEMDF86.exe	35
PID 2980 wrote to memory of 1452	2980	DEMDF86.exe	35
PID 1452 wrote to memory of 1936	1452	DEM3524.exe	37
PID 1452 wrote to memory of 1936	1452	DEM3524.exe	37
PID 1452 wrote to memory of 1936	1452	DEM3524.exe	37
PID 1452 wrote to memory of 1936	1452	DEM3524.exe	37
PID 1936 wrote to memory of 1660	1936	DEM8BBC.exe	39
PID 1936 wrote to memory of 1660	1936	DEM8BBC.exe	39
PID 1936 wrote to memory of 1660	1936	DEM8BBC.exe	39
PID 1936 wrote to memory of 1660	1936	DEM8BBC.exe	39
PID 1660 wrote to memory of 1352	1660	DEME263.exe	41
PID 1660 wrote to memory of 1352	1660	DEME263.exe	41
PID 1660 wrote to memory of 1352	1660	DEME263.exe	41
PID 1660 wrote to memory of 1352	1660	DEME263.exe	41

C:\Users\Admin\AppData\Local\Temp\f74d66fbd7991d629e9b6608ddfd0c66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f74d66fbd7991d629e9b6608ddfd0c66_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\DEM88CF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM88CF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\DEMDF86.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDF86.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\DEM3524.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3524.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\DEM8BBC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8BBC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Users\Admin\AppData\Local\Temp\DEME263.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME263.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\DEM3840.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3840.exe"
        7⤵
        Executes dropped EXE
        
        PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMDF86.exe

Filesize
14KB

MD5
dc8c5cd11891cb7964ddb4de17712ed0

SHA1
15d2948d028e0838779cbf912ce252e2373bb860

SHA256
013c20e1d1ffacf0effc4ef07153e5aa368d3b5b201cffdba6a8b8dbd82a0b08

SHA512
b6df1403210cd433251c5495ab4387fa96ba158ac05ce2f9de62a23df6b1de4abcf1fe3243996856368bd6a273ae3212f3190238e666ce1773b68ce03b16a1c9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3524.exe

Filesize
14KB

MD5
05ffcf0f98084c433c6e7db16839785b

SHA1
2b15a93e175fb163e682ea45e6152ae1e4e7b19d

SHA256
dc0a831eecc25eebd7e67ab7cd877f57764c834e0b16d89d6ce8e2a316739590

SHA512
1933ea626d5cdf46390b7a52e68b4c7757b9d68d4e88246faf1fee9d46d3d4e74e79b5b0083b025a9c2ba93f90dfcd859ff1aded53707210237c3924f8c1a477

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3840.exe

Filesize
14KB

MD5
8146d59327315ca4471698892c1bfbb2

SHA1
96a5405fb0ce67a68cd7b334465b14c4929caf92

SHA256
49403f10d2233079ed50fe523bb4f4ab5bf25b2f1bff6fe27184619a24ec19f8

SHA512
fd0a84e3047f281b18802c767133ec4dba8144caf2ac4a3910244ac11311404b730d499c58b17e44f119f88fcc81f8d107437afb3938ceb52f917f1dc1399f87

Download Submit
\Users\Admin\AppData\Local\Temp\DEM88CF.exe

Filesize
14KB

MD5
313d2ee9570f5a6e4ebfa5755fc76921

SHA1
709a8e69c2144a91151735f39fe92ab934496120

SHA256
22bcec6ae5b1182d6ce46b97bdfa13f8ce5dc0cf83c40377986a43c8b702a851

SHA512
d2b2baf1f285b79c9d0e87634baa0338c84ed535a049b446edba81d711f4108aa9dc31e273e04430db64223064f33e4117a5ee0ebe53b14cea50edf682b04a4c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8BBC.exe

Filesize
14KB

MD5
9688e64e34dfe87f1b86baf506a2d881

SHA1
39be30aa285904ae688d3eb3c0ffb720daeaf0d3

SHA256
25aa0a38671378a4ca0811b581075dc469395d3c0251ef6d7ac82b0f62ed310c

SHA512
841a97319d756d7d51f462fdc74819238cb0b2f0acdfeedd93b075b2228b70f11cb679556c3827dff0bc764b49a6b0ec5003ad1532e878dda91ee1e81e92c609

Download Submit
\Users\Admin\AppData\Local\Temp\DEME263.exe

Filesize
14KB

MD5
8de1c8f72a95bb74292e01f6546bb13c

SHA1
18588441ef49fcc3015974add07712775bbaa444

SHA256
8a9df664c5500570773614b4d9fdf548468d81ac5b90af1d1f5871186bada77e

SHA512
bd88cfd5c48caf862d6620224fded31c9c29b6a3441a9f10ffe722ef4e4650adffa4fd12ca82538267bfa6c0a8d51a5739820c2a8f27317e142b0d82517a1863

Download Submit

Analysis

Sharing