f7e7a93ce6330b00d14ab3bbc9a12bb7ff30b3ce154ae739c721ad691275741c

General

Target

f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe
Size

15KB
MD5

f7ad71d9042f3d76e659d220dd34ba98
SHA1

d55422b573806836906211e0e62ef013874b3dd5
SHA256

f7e7a93ce6330b00d14ab3bbc9a12bb7ff30b3ce154ae739c721ad691275741c
SHA512

6f40628e7ac1299fa5c513a7fa7c811c928cefd0d554fcd8409f2bf026b617b31b354e1e2d8368c3985c607929c7d2b2eac90f1dc5e98c64d902eb334e730c9b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJHPz:hDXWipuE+K3/SSHgxmlOJHb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2952	DEM38CC.exe
2412	DEM904E.exe
548	DEME688.exe
2332	DEM3DEA.exe
1692	DEM9482.exe
2088	DEMEABC.exe

Loads dropped DLL 6 IoCs

pid	Process
2496	f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe
2952	DEM38CC.exe
2412	DEM904E.exe
548	DEME688.exe
2332	DEM3DEA.exe
1692	DEM9482.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2952	2496	f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe	29
PID 2496 wrote to memory of 2952	2496	f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe	29
PID 2496 wrote to memory of 2952	2496	f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe	29
PID 2496 wrote to memory of 2952	2496	f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2412	2952	DEM38CC.exe	33
PID 2952 wrote to memory of 2412	2952	DEM38CC.exe	33
PID 2952 wrote to memory of 2412	2952	DEM38CC.exe	33
PID 2952 wrote to memory of 2412	2952	DEM38CC.exe	33
PID 2412 wrote to memory of 548	2412	DEM904E.exe	35
PID 2412 wrote to memory of 548	2412	DEM904E.exe	35
PID 2412 wrote to memory of 548	2412	DEM904E.exe	35
PID 2412 wrote to memory of 548	2412	DEM904E.exe	35
PID 548 wrote to memory of 2332	548	DEME688.exe	37
PID 548 wrote to memory of 2332	548	DEME688.exe	37
PID 548 wrote to memory of 2332	548	DEME688.exe	37
PID 548 wrote to memory of 2332	548	DEME688.exe	37
PID 2332 wrote to memory of 1692	2332	DEM3DEA.exe	39
PID 2332 wrote to memory of 1692	2332	DEM3DEA.exe	39
PID 2332 wrote to memory of 1692	2332	DEM3DEA.exe	39
PID 2332 wrote to memory of 1692	2332	DEM3DEA.exe	39
PID 1692 wrote to memory of 2088	1692	DEM9482.exe	41
PID 1692 wrote to memory of 2088	1692	DEM9482.exe	41
PID 1692 wrote to memory of 2088	1692	DEM9482.exe	41
PID 1692 wrote to memory of 2088	1692	DEM9482.exe	41

C:\Users\Admin\AppData\Local\Temp\f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\DEM38CC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM38CC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\DEM904E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM904E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\DEME688.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME688.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Users\Admin\AppData\Local\Temp\DEM3DEA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3DEA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Users\Admin\AppData\Local\Temp\DEM9482.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9482.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\DEMEABC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEABC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM904E.exe

Filesize
15KB

MD5
d7d52a745656d4b90e61a9f24646d801

SHA1
cf413d0f1fb6468d095a404348f9faa21a5fc180

SHA256
ad1bb96e58f0458f746daeea4eb698b4bbd531bbd214a9aa3b7cdd427003da35

SHA512
7f86a994980353d15457b113489984ae5d4a61ed1bfa31b1b3f65b58043a468acc00ab01c63041bbf624b0634a4e3521d74ceb75fd11e68a8847f7197cff0a23

Download Submit
\Users\Admin\AppData\Local\Temp\DEM38CC.exe

Filesize
15KB

MD5
cdd9669cfdda9eea545dc2929c223d24

SHA1
5f5398bff40056482312617aee9bbf3c36ba6b78

SHA256
fbf12239496e32e79baaaab9a4922fc66fb1868cc8eac072b279715a1b8f543c

SHA512
f2fc2fc90171d01b472a50dfd54a744735152b106e017a00d564efa11ae25c6c1931705ab080b74b372cf8e00e6b9c897c3f619c536f3e12e0ce463f7d5c8d8a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3DEA.exe

Filesize
15KB

MD5
3eb27e6e45ae04c56dcd5aa8fc1d69cd

SHA1
da5549924724e9aae7022c636023bfd80e7cb691

SHA256
54a2f104d8bc33832a786476d6923a27fac50bd9e11fc59b225bc8a46410353e

SHA512
0cbfdf5e3cf4326ec3dc4a0c9b7383a03ce559b65175eaf721b2efa8305d136e937eda6bd72a031fad05b27ea86176ceb51c55efc0f9c106aeff229350b1ae29

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9482.exe

Filesize
15KB

MD5
240fea90aa3ab0abc0fdbcb66503344a

SHA1
4e36c27f06b1c3e75d946159c530c83baa284044

SHA256
9894e7473d96baa668e12b84c7d770d0e0764e900366fa209287caab9ab4bb90

SHA512
7668fc74c02f520518a15ef8c8f9ec6f09638ffdc3ae162834422d623c7bec845175b88719684650551ba056e3e6035811fa46ddb93410ea9347d174ae5a6adb

Download Submit
\Users\Admin\AppData\Local\Temp\DEME688.exe

Filesize
15KB

MD5
08945d3e73ff5ac021e78f0cef6c4f74

SHA1
4cc4f495978dc627143c2dff2d8813aa9b9acafe

SHA256
24d567787334971db79046692e1bad883898b07926ac37903428f62f80185369

SHA512
579c7f98c42a29bfd4f5b964f4bbebe174b1a8cc85f4e69773253501f82f3c9cfec36e528bff5d2973d032aba0175321be75296e1d52310cb6e203485c1384c3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEABC.exe

Filesize
15KB

MD5
55872edb9e154213cdd692ca6ba62a96

SHA1
70deaebcd4f2524cb8b9138cf04441bf753904f7

SHA256
f2a7863993ce14c805b92f7310960a16b629403be960f78a2f1dbf9c7c366c74

SHA512
12055c6962c5ffc0b2a081d930330976d553682cace6427029c9c419cd89d2f39dc46bbf35cbc06104355f98b688152821fcd3e22a1081f51c5bcb2b53b979e8

Download Submit

Analysis

Sharing