c0886cc4e3aa82033ef87770af50bfda7b63fbf38f31a2d65b19f728768bab4f

General

Target

fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe
Size

20KB
MD5

fa83bf7904cba0c1944963dd0bcd626e
SHA1

3a25157344d951c9e328b42fcaf8380c7d20c001
SHA256

c0886cc4e3aa82033ef87770af50bfda7b63fbf38f31a2d65b19f728768bab4f
SHA512

16168bab7c16d8474feee48fb0da3a80d1654fa194da472493f01b7734dd577694478b7d09765d3ab538c210985dd6028ced76f2967eca0d562f61049a020c8e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41mm:hDXWipuE+K3/SSHgxmHZ1B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2516	DEM200E.exe
2364	DEM7530.exe
2708	DEMCA8F.exe
1852	DEM1FA1.exe
2040	DEM74B3.exe
2204	DEMC9C5.exe

Loads dropped DLL 6 IoCs

pid	Process
1952	fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe
2516	DEM200E.exe
2364	DEM7530.exe
2708	DEMCA8F.exe
1852	DEM1FA1.exe
2040	DEM74B3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2516	1952	fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe	29
PID 1952 wrote to memory of 2516	1952	fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe	29
PID 1952 wrote to memory of 2516	1952	fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe	29
PID 1952 wrote to memory of 2516	1952	fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe	29
PID 2516 wrote to memory of 2364	2516	DEM200E.exe	31
PID 2516 wrote to memory of 2364	2516	DEM200E.exe	31
PID 2516 wrote to memory of 2364	2516	DEM200E.exe	31
PID 2516 wrote to memory of 2364	2516	DEM200E.exe	31
PID 2364 wrote to memory of 2708	2364	DEM7530.exe	35
PID 2364 wrote to memory of 2708	2364	DEM7530.exe	35
PID 2364 wrote to memory of 2708	2364	DEM7530.exe	35
PID 2364 wrote to memory of 2708	2364	DEM7530.exe	35
PID 2708 wrote to memory of 1852	2708	DEMCA8F.exe	37
PID 2708 wrote to memory of 1852	2708	DEMCA8F.exe	37
PID 2708 wrote to memory of 1852	2708	DEMCA8F.exe	37
PID 2708 wrote to memory of 1852	2708	DEMCA8F.exe	37
PID 1852 wrote to memory of 2040	1852	DEM1FA1.exe	39
PID 1852 wrote to memory of 2040	1852	DEM1FA1.exe	39
PID 1852 wrote to memory of 2040	1852	DEM1FA1.exe	39
PID 1852 wrote to memory of 2040	1852	DEM1FA1.exe	39
PID 2040 wrote to memory of 2204	2040	DEM74B3.exe	41
PID 2040 wrote to memory of 2204	2040	DEM74B3.exe	41
PID 2040 wrote to memory of 2204	2040	DEM74B3.exe	41
PID 2040 wrote to memory of 2204	2040	DEM74B3.exe	41

C:\Users\Admin\AppData\Local\Temp\fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\DEM200E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM200E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\DEM7530.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7530.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Users\Admin\AppData\Local\Temp\DEM74B3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM74B3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\DEMC9C5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC9C5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1FA1.exe

Filesize
20KB

MD5
275fea69e910a0251a940a20985beb0e

SHA1
792a3dbca66cf43c6932cb9cdb51bcf6a9f50e55

SHA256
87e74d4bcb3bfc7811c7a00cfade3e4f5e2f2bc568a634ef893d4e36f5f7c7a5

SHA512
a829f5edc86ab2b8e31eaa1a089e087e9e8c666f9ae1cb86b0724d493acf0dab68f54465c8fb04f1695c19588e78518b59b5c6bbf6107863efa321fa8bed405f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM200E.exe

Filesize
20KB

MD5
3f9c6bb4168807d027cacae0db1f0e74

SHA1
90998caa85a46c0f5b75652e93882e6f608d5474

SHA256
abb7d59875fe69d47d29feebb6df5e51cb0d03a38e4d7b32cd946e40d861a247

SHA512
becd62385d6088c325be334f4a8f5acaa7d61acbe44cb3b7332ad83b6d3c1b27616c1dcec1b7677e9cbc78c7dc9223c7648992d1119a91f29ea6dd318a309119

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM74B3.exe

Filesize
20KB

MD5
37843a61b1118c72afb849238bca1616

SHA1
08abe443245b8e19dd0ae67c4d5f8bb3bbcf737b

SHA256
cd8ad325f5c9474feb17c4ddb6681b82fd60ad660d98cbd37c94b58efce1cf1d

SHA512
5efe0ebb2541901c7224f02e7a5ed819c7a68e969405cc5f15d5b600f451096963541d6b267e21aa6ed63a647e92b1a7bac8d5897e4eb6fca67662bf1cbafa9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7530.exe

Filesize
20KB

MD5
5cb89478970f2eb18e5d38464d58292a

SHA1
09be598bf90e7e3171c5d02081193578861d9484

SHA256
5a2f7f2afc5f7b2dcc5c281012ef79830025ea21bbfe9a759f19b3778d2abba5

SHA512
6c2a175602790a9268609b204135995925dd65d8a8d914ca2739a23c345cc536d5049508ecccc9dee8b715d827051bd7a8b335caf89dbe05d23aa93aff549b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC9C5.exe

Filesize
20KB

MD5
1a7fa0b2661fabfd2dfea4dbf476a01e

SHA1
c5594bb6c2df5aa0787d259b5ddd9aa39401c42c

SHA256
7f93d004632bab841d532f18889667b7cb7c43a558eff2209f6a94a28f692c67

SHA512
80d58c50e1eba820a74f6485045262e6427f40dc3c1e0525f9aa70f71e3254b00dfa18f3762a09452c0e6df4328f02adb2a0c50cb2604c7355597de640c2b777

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA8F.exe

Filesize
20KB

MD5
f583d35e8377b367211a4d1f24a6fd20

SHA1
e033720a9b22d25bffb213d348ec697aa08a0d3f

SHA256
2fd050a2f88382d521f47e11310e626ec120e8e579acbf3ed15d49ab0f6a343b

SHA512
05fa77a56a097bfe00e49c9823651816866b7347af96dd9300482292ea3dfbda20be28f7025ceafc8137a9ad33c432b1dc02e0ac7c3a6643b4d6969545e79a74

Download Submit

Analysis

Sharing