23165f146acd6873f71ae0dd28a8e0ec4e86426eb03e6fbed02c7940972d731a

General

Target

fdc159f3c68c2e85f0c9244f1af737cf_JaffaCakes118.exe
Size

14KB
MD5

fdc159f3c68c2e85f0c9244f1af737cf
SHA1

dc40150c8f102333acae280c2281349d66bac423
SHA256

23165f146acd6873f71ae0dd28a8e0ec4e86426eb03e6fbed02c7940972d731a
SHA512

2537cac744fb6b020e422897de6423ca458ca9f91b51b1053e1b0271d53f491fd6589b7f89bf2790a11d7a21eb840110d2042e40b8c9ed2fefaabb77d6a7b093
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhOOhClw:hDXWipuE+K3/SSHgxthww

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2580	DEM24DF.exe
2544	DEM7A3F.exe
2472	DEMCF6F.exe
1960	DEM255C.exe
1668	DEM7AAC.exe
2780	DEMCFFC.exe

Loads dropped DLL 6 IoCs

pid	Process
2984	fdc159f3c68c2e85f0c9244f1af737cf_JaffaCakes118.exe
2580	DEM24DF.exe
2544	DEM7A3F.exe
2472	DEMCF6F.exe
1960	DEM255C.exe
1668	DEM7AAC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2580	2984	fdc159f3c68c2e85f0c9244f1af737cf_JaffaCakes118.exe	29
PID 2984 wrote to memory of 2580	2984	fdc159f3c68c2e85f0c9244f1af737cf_JaffaCakes118.exe	29
PID 2984 wrote to memory of 2580	2984	fdc159f3c68c2e85f0c9244f1af737cf_JaffaCakes118.exe	29
PID 2984 wrote to memory of 2580	2984	fdc159f3c68c2e85f0c9244f1af737cf_JaffaCakes118.exe	29
PID 2580 wrote to memory of 2544	2580	DEM24DF.exe	31
PID 2580 wrote to memory of 2544	2580	DEM24DF.exe	31
PID 2580 wrote to memory of 2544	2580	DEM24DF.exe	31
PID 2580 wrote to memory of 2544	2580	DEM24DF.exe	31
PID 2544 wrote to memory of 2472	2544	DEM7A3F.exe	35
PID 2544 wrote to memory of 2472	2544	DEM7A3F.exe	35
PID 2544 wrote to memory of 2472	2544	DEM7A3F.exe	35
PID 2544 wrote to memory of 2472	2544	DEM7A3F.exe	35
PID 2472 wrote to memory of 1960	2472	DEMCF6F.exe	37
PID 2472 wrote to memory of 1960	2472	DEMCF6F.exe	37
PID 2472 wrote to memory of 1960	2472	DEMCF6F.exe	37
PID 2472 wrote to memory of 1960	2472	DEMCF6F.exe	37
PID 1960 wrote to memory of 1668	1960	DEM255C.exe	39
PID 1960 wrote to memory of 1668	1960	DEM255C.exe	39
PID 1960 wrote to memory of 1668	1960	DEM255C.exe	39
PID 1960 wrote to memory of 1668	1960	DEM255C.exe	39
PID 1668 wrote to memory of 2780	1668	DEM7AAC.exe	41
PID 1668 wrote to memory of 2780	1668	DEM7AAC.exe	41
PID 1668 wrote to memory of 2780	1668	DEM7AAC.exe	41
PID 1668 wrote to memory of 2780	1668	DEM7AAC.exe	41

C:\Users\Admin\AppData\Local\Temp\fdc159f3c68c2e85f0c9244f1af737cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdc159f3c68c2e85f0c9244f1af737cf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\DEM24DF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM24DF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\DEM7A3F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7A3F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\DEMCF6F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCF6F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\DEM255C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM255C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\DEM7AAC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7AAC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\DEMCFFC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCFFC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM255C.exe

Filesize
14KB

MD5
00d3520049d08db42b83e581c15845ad

SHA1
199be2c7132c116f1a31b1ff41adc000cb9b5aac

SHA256
270bd63cfe5c2e0773c245bc881fefcc0c436422d5aaa7203b159c0962ed99ef

SHA512
704991bdf420612bbc42c3efec007870af8c97166734902b3d4e6fdfc7833f3b9cf8b27587bf0ad77473f542480e139ebc127f6107efa3dfc05cf22fa4306c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A3F.exe

Filesize
14KB

MD5
700ca23f2b7054431af6b4c58db9bb50

SHA1
eaf3da450800c23f3f774a88b7a4e8ae8bd58453

SHA256
6a492696ba5e39a91064749ffcdcb88148bf4e719eefec48319c5fdd71decd1d

SHA512
9a78bb5fabbfdf8ac830131621eade9a8e7ced147949721e504c2bcf68541f1a61fc51cc16248f9a005d8896c48b53e1ac09601eb92dcdcc3a4e434ce3cb1d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7AAC.exe

Filesize
14KB

MD5
2696cb71bdd5558d39759c59c2123282

SHA1
364ea5dea90819142bbec8372dfc21e3b78cf98b

SHA256
0bd80a2b5bd9bf1ece7c8477e909439cc49f7d1097cdf422d9a8f2dfa1a45a57

SHA512
f8523c4d1229c4f412444ec36ede6cc41d6cba3d733f0e08e6f1e320345f421f25b986ac98a9ccb57377c0f96ac1ba77fb71434c42b8405dee1118447f8a0bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCFFC.exe

Filesize
14KB

MD5
a6a50c24515ba8ad6e419735a81a53de

SHA1
4938e3983bac95cb1c89d200b47143dce591714d

SHA256
d0bb9a2e5d3e063eff19ab042660f11ae0b59612a239d209295102cead86f7f4

SHA512
99c2103bfabbac29ce24381f61d4f590a7ed4fd3203a691f2150932d7b55b92fd67d96d025641f5a1f0dd650a6b0545631c8c2a302e1e7467d7f50363cd935c7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM24DF.exe

Filesize
14KB

MD5
4dcce3ea20424cda107beb14a747e010

SHA1
bc7338196660065f4eb1b17aacffce0d83ff3175

SHA256
4d7dc94c1bd86c50e8638e12c9a36a32346ce196e9697659c05239578e87d75b

SHA512
de67bca5d13a4558798d3208a4b98aefeae9992615fa867f1a5c7d6445ad40ac9e83c332f529e433c390a8cde28584572c4cb15f68566bda40c0741a6f5ae7cf

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCF6F.exe

Filesize
14KB

MD5
2f300a962381f13de4d3e659a43e0733

SHA1
4bd8adccf27ca329774df81bc7deda0a6d1f01f2

SHA256
8401aa9d454f05a9541f3f0c1a5e825cf02b0ac64e1523fefe07fa2fad6bca91

SHA512
ac246a953309e10a2d47c7aa46f640fa17db181c140d3dadd751d2f3f2581c2af67f362c4ad402c362f2bc805e7c44c395a2d4f6eb450ed7e061644e73c051b0

Download Submit

Analysis

Sharing