af55714da39eda7c44d8a2884409f344101ffda2318f722efd0bd035ec9dece4

General

Target

fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe
Size

15KB
MD5

fb3b7bcdc07d6803b3c41d61e5d1d255
SHA1

389542b012ff6fa3d64522a8cf5bd17d00145054
SHA256

af55714da39eda7c44d8a2884409f344101ffda2318f722efd0bd035ec9dece4
SHA512

c40218c8a210b66f81351e80426bb54c31dcdc4cfc3936f9ab89fb590af9c6cdf1dba2f8f003bb0d2455fdf7c5efda66cfe905704b470df4c7346c035446b604
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pjW2UWXg:hDXWipuE+K3/SSHgx49WdWXg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2604	DEM2B26.exe
2452	DEM8102.exe
2656	DEMD652.exe
1712	DEM2B64.exe
872	DEM8085.exe
2412	DEMD643.exe

Loads dropped DLL 6 IoCs

pid	Process
1692	fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe
2604	DEM2B26.exe
2452	DEM8102.exe
2656	DEMD652.exe
1712	DEM2B64.exe
872	DEM8085.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2604	1692	fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe	29
PID 1692 wrote to memory of 2604	1692	fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe	29
PID 1692 wrote to memory of 2604	1692	fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe	29
PID 1692 wrote to memory of 2604	1692	fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2452	2604	DEM2B26.exe	33
PID 2604 wrote to memory of 2452	2604	DEM2B26.exe	33
PID 2604 wrote to memory of 2452	2604	DEM2B26.exe	33
PID 2604 wrote to memory of 2452	2604	DEM2B26.exe	33
PID 2452 wrote to memory of 2656	2452	DEM8102.exe	35
PID 2452 wrote to memory of 2656	2452	DEM8102.exe	35
PID 2452 wrote to memory of 2656	2452	DEM8102.exe	35
PID 2452 wrote to memory of 2656	2452	DEM8102.exe	35
PID 2656 wrote to memory of 1712	2656	DEMD652.exe	37
PID 2656 wrote to memory of 1712	2656	DEMD652.exe	37
PID 2656 wrote to memory of 1712	2656	DEMD652.exe	37
PID 2656 wrote to memory of 1712	2656	DEMD652.exe	37
PID 1712 wrote to memory of 872	1712	DEM2B64.exe	39
PID 1712 wrote to memory of 872	1712	DEM2B64.exe	39
PID 1712 wrote to memory of 872	1712	DEM2B64.exe	39
PID 1712 wrote to memory of 872	1712	DEM2B64.exe	39
PID 872 wrote to memory of 2412	872	DEM8085.exe	41
PID 872 wrote to memory of 2412	872	DEM8085.exe	41
PID 872 wrote to memory of 2412	872	DEM8085.exe	41
PID 872 wrote to memory of 2412	872	DEM8085.exe	41

C:\Users\Admin\AppData\Local\Temp\fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\DEM2B26.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2B26.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\DEM8102.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8102.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\DEMD652.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD652.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\DEM2B64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2B64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\DEM8085.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8085.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\DEMD643.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD643.exe"
        7⤵
        Executes dropped EXE
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2B26.exe

Filesize
15KB

MD5
cfe0d48e9d5637d65f32687655d57c7f

SHA1
bf6b55720634d55e1c13722413bc743b719f5793

SHA256
c78d58dc04f5ea8967ab5ebae0d08711a429c9d01b3a07eb5aab97e91ff055b2

SHA512
a35a7ffc1cedd8b0f463e63654d8707ece49e5a32dd1ede605cd6f50d9d05f4db587424d063590062a5aeca264bdc6b173c67597047a85e8140306f269c08d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8085.exe

Filesize
15KB

MD5
03b6fc26407ef9ee63d07cba3142dfdb

SHA1
cf1c59001b33e180c7181678f7b14f5c4ffa4e99

SHA256
d0ef3ad6185ec959279b7dcf13388d38e823b5a290a1e45e6d5ac073984d34fd

SHA512
aec0ee61e7664130075197ba4546fef64c55ac07f5c47e81a4ad2564e6f81d3021b8376ec28a9708c064d91735ce0364277b380cce1fff2d46a60107bb77897b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8102.exe

Filesize
15KB

MD5
a6a0ff1978ca014658f8a6162c8e5779

SHA1
3083073e3bb08c1d17dfe09ec7b786c3ec72518f

SHA256
0ce4b4544e2c22d8135e009ec7b5c187ab89e02e61187b1ab591a0588443dc4a

SHA512
4b2b7d14742f5fe49e8eefbe8853300a4e82c6a3e53b3e67d0dca86fc1f53c8b2e9863c44cfbb263d4e2320762e918e76a3b3b3abab0f71b180f7ca18a519841

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD643.exe

Filesize
15KB

MD5
2b8a523f9f3123b8bb11c1e80dcc8812

SHA1
453c0880aeee2d85775f1e17976638e46d4bb41a

SHA256
dc406d2dee598b55ca03f2c38ca24b063812f89c4c1039d03216863e723b13c8

SHA512
5bf3148191580fbaef1564bb82c102b4d5e5c134e9e61af063d5ec6155de542703bdde9af32149f0c55595b2c06e48c9c29a6d7b8d8bef912ab3a50a57f2e7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD652.exe

Filesize
15KB

MD5
51a27d87db6767aaebc0d09f106b2688

SHA1
f933901e263e5ee875c4f5d4d69d01f26ab98d84

SHA256
c7db51a6c60cad8716bad7b3bb17bcac1cdcb1a8298ffc4ead57c75c599bc41a

SHA512
7a1b05e3c2f14f4da3e4b0604ae5bfe9cac875fe2bb58979457f8222c2b9d9463377c76235e9cfa2bd315a309ebf424e617ec7eef8606dfb0d9c164bba7f7534

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2B64.exe

Filesize
15KB

MD5
bef69c7bf9da50fdf1f3732e324e245d

SHA1
6f9d15ed38b12a10c2e5916a1259acf370ff3bf5

SHA256
44401b185bd61d790f4adc160a70c60c9b44c5451c5ba2627d4b4c5e58ed37ee

SHA512
2c12cfaa1ead165fa656588728079b3b9c6190d6d6aaa1cdd6ad63d34abd0d36a185ef523654fd28d8a659a365ef076c93fb947ffedd30294fe59069d7184042

Download Submit

Analysis

Sharing