c89b736c4e7a4d989271a2a8217904fdcae3fa52abecd8a688ec2177ecff22d7

General

Target

ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe
Size

15KB
MD5

ff8fc259ff0fa909675f4bff59c38568
SHA1

b1b66f7bdc8885c50b47e3de9a70d254cd50f886
SHA256

c89b736c4e7a4d989271a2a8217904fdcae3fa52abecd8a688ec2177ecff22d7
SHA512

3bb78bbfa9860a781debef5b97f5c5882c379c61629fb0c1ade3c3f32b9a2e8471d5adcf5ab48e4189f999936a181f0a6ab3f6732786d9c9710c503afc870a1b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhG:hDXWipuE+K3/SSHgxzG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2568	DEM281A.exe
3012	DEM7D4B.exe
320	DEMD2D9.exe
1520	DEM27FA.exe
948	DEM7CFD.exe
3064	DEMD1FF.exe

Loads dropped DLL 6 IoCs

pid	Process
2908	ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe
2568	DEM281A.exe
3012	DEM7D4B.exe
320	DEMD2D9.exe
1520	DEM27FA.exe
948	DEM7CFD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2568	2908	ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe	29
PID 2908 wrote to memory of 2568	2908	ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe	29
PID 2908 wrote to memory of 2568	2908	ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe	29
PID 2908 wrote to memory of 2568	2908	ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe	29
PID 2568 wrote to memory of 3012	2568	DEM281A.exe	33
PID 2568 wrote to memory of 3012	2568	DEM281A.exe	33
PID 2568 wrote to memory of 3012	2568	DEM281A.exe	33
PID 2568 wrote to memory of 3012	2568	DEM281A.exe	33
PID 3012 wrote to memory of 320	3012	DEM7D4B.exe	35
PID 3012 wrote to memory of 320	3012	DEM7D4B.exe	35
PID 3012 wrote to memory of 320	3012	DEM7D4B.exe	35
PID 3012 wrote to memory of 320	3012	DEM7D4B.exe	35
PID 320 wrote to memory of 1520	320	DEMD2D9.exe	37
PID 320 wrote to memory of 1520	320	DEMD2D9.exe	37
PID 320 wrote to memory of 1520	320	DEMD2D9.exe	37
PID 320 wrote to memory of 1520	320	DEMD2D9.exe	37
PID 1520 wrote to memory of 948	1520	DEM27FA.exe	39
PID 1520 wrote to memory of 948	1520	DEM27FA.exe	39
PID 1520 wrote to memory of 948	1520	DEM27FA.exe	39
PID 1520 wrote to memory of 948	1520	DEM27FA.exe	39
PID 948 wrote to memory of 3064	948	DEM7CFD.exe	41
PID 948 wrote to memory of 3064	948	DEM7CFD.exe	41
PID 948 wrote to memory of 3064	948	DEM7CFD.exe	41
PID 948 wrote to memory of 3064	948	DEM7CFD.exe	41

C:\Users\Admin\AppData\Local\Temp\ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\DEM281A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM281A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\DEM7D4B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7D4B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\DEMD2D9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD2D9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Users\Admin\AppData\Local\Temp\DEM27FA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM27FA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\DEM7CFD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7CFD.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\DEMD1FF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD1FF.exe"
        7⤵
        Executes dropped EXE
        
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM281A.exe

Filesize
15KB

MD5
85da61ae8252c8da4952fad14fc6a892

SHA1
255d4429dbf47d77b70db31212e22374bbe59028

SHA256
a70ce19e8eb5fcd365d37bc632aff5d68f85229417eb55cfd57cc68d8d6f3f08

SHA512
9d794dbc60286f6423ea5934b37afd33548c27b45d6cb4f0195921f61b7f3a258ad5fde291477082949159b17306dfe6a8d7a59963642fd5a34003d356da3358

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7CFD.exe

Filesize
15KB

MD5
f98e22b0008d24e4524625bec286c28c

SHA1
bc26e0a12edd35a8cf83a63835cec3a9758a7b84

SHA256
8fc571fe9f79f72e9ed06afc7081f5e2181b203afaeb9ed3e2f54f81bfe61166

SHA512
970495b3be3153b0f13a28b87495f451c005ac1498abd20b2fdcbaf0e624905d738063771fa968e03b30daace3457841879558e06ab2fb35e204e05ba730ea38

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7D4B.exe

Filesize
15KB

MD5
0a1769bd2b927d1814e5e002c72d998f

SHA1
ec85f1132230692d939585c12748074860682ff4

SHA256
addf1e96fb0681fbd5a1cf97d6a3f83114ed116b6369892388ee5db047c78f2c

SHA512
96fbf0245638ed30418dd16b0a6cdf758d2c5093932ebe98721d0c1f0278180ce10855d569f47d5b6e674a127cd53a09daecc0c64f91edc7b9a230a4937b6c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD1FF.exe

Filesize
15KB

MD5
9e70497752c6696c54012f097f58030f

SHA1
6d6fe238c1e606fac813d2e079ea06f138a04ae2

SHA256
30cf104e957062afd6187f1dd09a6ec3121b91724bbb22cd9d601d3daccac9b6

SHA512
db5193fb94d8de08f3b78ac18c8b8bfd2078f344d53f7a48becfd95880fc83a5c71523e42f1b413abb53b6ea958aeec29e16ee874da8239223d721bf47b6fad6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM27FA.exe

Filesize
15KB

MD5
ecdc5f4494c47bab2b66413ab55d24b7

SHA1
ccfdee98aa757c2cd37940436f88a46d1120afd5

SHA256
d1ae301711e40e5288b000391c1952591c45e90d9608f235c59031e4f2d592e0

SHA512
63efa2e2cfdd2481ef4f9e9cff975c6bdda5763510389d30caee1108a8a7b74101be4cee2924a0adc613e06d2e5400e88ecda52639b6a814eac86dddfab2d539

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD2D9.exe

Filesize
15KB

MD5
b00549fec7485e55969c1f9f47de635f

SHA1
76d021844d8fca0f8d35ff275f6e34cc46baff31

SHA256
d0424efa34b1729b90d073d04dad3f9e51cb22493c8404440da83db6f4f8f818

SHA512
6d2c466942056f3e3feb2307ac3bd76d97478ebb5ec9385579c921c298a8113856fc1fbe35d2a14ad42d803f80708e3c201362d63e4ec2870559cd77d5b08270

Download Submit

Analysis

Sharing