989a48df7ec146222b9456910bd605afafcb3f77557eacae65f3226abfab13d5

General

Target

f858143b5e8af3326f848e490cc4bc02_JaffaCakes118.exe
Size

14KB
MD5

f858143b5e8af3326f848e490cc4bc02
SHA1

7e788604e88965dee6bf996e99dc7e8788e8ef56
SHA256

989a48df7ec146222b9456910bd605afafcb3f77557eacae65f3226abfab13d5
SHA512

11e62c3cf415976d4b96935b182688b2460353184d3933aa8219c14fd58edde13eaee41e3ffe3aebd4979fa89fc3215aec4e17c222325f899b886df6369203a8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvC8T:hDXWipuE+K3/SSHgxma8T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2544	DEM5570.exe
2428	DEMAC37.exe
2744	DEM2EE.exe
2780	DEM5985.exe
2796	DEMB01D.exe
692	DEM5EA.exe

Loads dropped DLL 6 IoCs

pid	Process
1404	f858143b5e8af3326f848e490cc4bc02_JaffaCakes118.exe
2544	DEM5570.exe
2428	DEMAC37.exe
2744	DEM2EE.exe
2780	DEM5985.exe
2796	DEMB01D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2544	1404	f858143b5e8af3326f848e490cc4bc02_JaffaCakes118.exe	29
PID 1404 wrote to memory of 2544	1404	f858143b5e8af3326f848e490cc4bc02_JaffaCakes118.exe	29
PID 1404 wrote to memory of 2544	1404	f858143b5e8af3326f848e490cc4bc02_JaffaCakes118.exe	29
PID 1404 wrote to memory of 2544	1404	f858143b5e8af3326f848e490cc4bc02_JaffaCakes118.exe	29
PID 2544 wrote to memory of 2428	2544	DEM5570.exe	33
PID 2544 wrote to memory of 2428	2544	DEM5570.exe	33
PID 2544 wrote to memory of 2428	2544	DEM5570.exe	33
PID 2544 wrote to memory of 2428	2544	DEM5570.exe	33
PID 2428 wrote to memory of 2744	2428	DEMAC37.exe	35
PID 2428 wrote to memory of 2744	2428	DEMAC37.exe	35
PID 2428 wrote to memory of 2744	2428	DEMAC37.exe	35
PID 2428 wrote to memory of 2744	2428	DEMAC37.exe	35
PID 2744 wrote to memory of 2780	2744	DEM2EE.exe	37
PID 2744 wrote to memory of 2780	2744	DEM2EE.exe	37
PID 2744 wrote to memory of 2780	2744	DEM2EE.exe	37
PID 2744 wrote to memory of 2780	2744	DEM2EE.exe	37
PID 2780 wrote to memory of 2796	2780	DEM5985.exe	39
PID 2780 wrote to memory of 2796	2780	DEM5985.exe	39
PID 2780 wrote to memory of 2796	2780	DEM5985.exe	39
PID 2780 wrote to memory of 2796	2780	DEM5985.exe	39
PID 2796 wrote to memory of 692	2796	DEMB01D.exe	41
PID 2796 wrote to memory of 692	2796	DEMB01D.exe	41
PID 2796 wrote to memory of 692	2796	DEMB01D.exe	41
PID 2796 wrote to memory of 692	2796	DEMB01D.exe	41

C:\Users\Admin\AppData\Local\Temp\f858143b5e8af3326f848e490cc4bc02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f858143b5e8af3326f848e490cc4bc02_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\DEM5570.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5570.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\DEMAC37.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAC37.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\DEM2EE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2EE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\DEM5985.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5985.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\DEMB01D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB01D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\DEM5EA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5EA.exe"
        7⤵
        Executes dropped EXE
        
        PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMAC37.exe

Filesize
15KB

MD5
7d21f4e4ae92eb94af3630d5d236f1e0

SHA1
a892540ed51edfee5e4d61b5dbd8f80670dec19b

SHA256
be5bda6ddc6c312d748002572e47f7c76ac891688c2a28df3672f67606d4a7f9

SHA512
218ced84a225a44132cc160c73fab80e373fe4a386dd7dc48a8f76dae686360b45a8d4f4b0dca160a70471ff436df2182adc19cca7f3b3a7faed584c360d5912

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2EE.exe

Filesize
15KB

MD5
35d55ad9c377319ee7d72790aff4868c

SHA1
29d3084df5a3e53cb8d978110db2e023fa919ebb

SHA256
f92294f006b6c256db46f9089d034fcb7c701a21ce5061f6cdf59715e44e1e89

SHA512
a8d9ce8539500772fceae49a0944df061b78e75e83f51aa4dcf8fea1196917e837bc46719d587218f45bb0fa77cbed959581d2e383f4a53607e52f3ea753e00a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5570.exe

Filesize
15KB

MD5
e74267e29ae01108112811e0b55dfb7a

SHA1
a04445a8580feba437c0fb9090663258f5c1fffe

SHA256
7081ef892111a810f970a9bc6a14b5ebbeff06a60bad0bc45c998045b9344bda

SHA512
e4543fcaa112b1ff03edfb27d9989da5cbaee76dfbfd76e0df16a9ace9d37c91d1cc4efadaf991a265c247023308a29fc284498d3552c01b6efb95d68700730a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5985.exe

Filesize
15KB

MD5
36760608af8a1e6aa1c5aa132de95819

SHA1
50eaa6adec16cb4f27578dbc087d95227b7bbcc6

SHA256
5a68978a25212a1165dae1ba6fa7ed51415096e4b172db7a4e3b137c408f881e

SHA512
b361509b1643c3bf76f534a18e0a935ef9bc173b61d932e42cf3bfde03f3344c8e814ae98d8baf1fa92e9ebfc8cc5a6dcd43141e0d65790f94179f1eb2a396d1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5EA.exe

Filesize
15KB

MD5
a09f265ec902a59486ac0519b3e62286

SHA1
f508d88d4b5f50bd4e0be8ab4b13c1897b5b077d

SHA256
8236380ab2d8bc21bc2c01fee8176375f633a651f554b5aec1e7bd736766457d

SHA512
0bac04d61b36c393566cb22df6e1ef9eb9f84682c0493ab9c70f9567bfe596a217fa7114eae68a004bfae6357e1e3d9b234ea9eabcc9438d75c2afc74576f52d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB01D.exe

Filesize
15KB

MD5
f0f3aa4ea2b9977f528275b07f3f23e4

SHA1
b21d0d3e2a4b8677c781b4be7e20746cc7032223

SHA256
4e5b696108ab2fbbc2d978250395fc41e6412b79fb644fd906a23af03601c0c7

SHA512
c6214d26dea4c08ab32610175c52e9048a841bb18ed70959fdcebfafd4d1cf18c4a4f155084dbeaa24698f12aad2c6640760fb4b5ce6fba9b10896cb28dbca18

Download Submit

Analysis

Sharing