5d6517729e3978320be8e4267bac4eb37a89cf98b1c19b369b12c816d96929d0

General

Target

100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe
Size

14KB
MD5

100fce82f2901c328ade83de47f4d96a
SHA1

f77ac502bc113c4f262ed39e1ef75f517e54bf0c
SHA256

5d6517729e3978320be8e4267bac4eb37a89cf98b1c19b369b12c816d96929d0
SHA512

e6695f3c56b4f669fa86b43fef98800374b81728af2ecd30820f7614dc1a73e753bcdf7e95722a5addd6e4c813583f78c311be79da549836b25aac3faca56090
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD:hDXWipuE+K3/SSHgxR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1668	DEM2349.exe
2600	DEM787A.exe
2916	DEMCDBB.exe
2784	DEM22CC.exe
1608	DEM77EE.exe
2532	DEMCCF0.exe

Loads dropped DLL 6 IoCs

pid	Process
2032	100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe
1668	DEM2349.exe
2600	DEM787A.exe
2916	DEMCDBB.exe
2784	DEM22CC.exe
1608	DEM77EE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1668	2032	100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe	29
PID 2032 wrote to memory of 1668	2032	100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe	29
PID 2032 wrote to memory of 1668	2032	100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe	29
PID 2032 wrote to memory of 1668	2032	100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe	29
PID 1668 wrote to memory of 2600	1668	DEM2349.exe	31
PID 1668 wrote to memory of 2600	1668	DEM2349.exe	31
PID 1668 wrote to memory of 2600	1668	DEM2349.exe	31
PID 1668 wrote to memory of 2600	1668	DEM2349.exe	31
PID 2600 wrote to memory of 2916	2600	DEM787A.exe	35
PID 2600 wrote to memory of 2916	2600	DEM787A.exe	35
PID 2600 wrote to memory of 2916	2600	DEM787A.exe	35
PID 2600 wrote to memory of 2916	2600	DEM787A.exe	35
PID 2916 wrote to memory of 2784	2916	DEMCDBB.exe	37
PID 2916 wrote to memory of 2784	2916	DEMCDBB.exe	37
PID 2916 wrote to memory of 2784	2916	DEMCDBB.exe	37
PID 2916 wrote to memory of 2784	2916	DEMCDBB.exe	37
PID 2784 wrote to memory of 1608	2784	DEM22CC.exe	39
PID 2784 wrote to memory of 1608	2784	DEM22CC.exe	39
PID 2784 wrote to memory of 1608	2784	DEM22CC.exe	39
PID 2784 wrote to memory of 1608	2784	DEM22CC.exe	39
PID 1608 wrote to memory of 2532	1608	DEM77EE.exe	41
PID 1608 wrote to memory of 2532	1608	DEM77EE.exe	41
PID 1608 wrote to memory of 2532	1608	DEM77EE.exe	41
PID 1608 wrote to memory of 2532	1608	DEM77EE.exe	41

C:\Users\Admin\AppData\Local\Temp\100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\DEM2349.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2349.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\DEM787A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM787A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\DEMCDBB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCDBB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\DEM22CC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM22CC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\DEM77EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM77EE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe"
        7⤵
        Executes dropped EXE
        
        PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2349.exe

Filesize
14KB

MD5
04e72eeb08384b1d6ab00cd0f2636058

SHA1
f3304235255af99979a021773d06587b26594469

SHA256
56eca8437c7df2b2c6b684687ca46e6087be5a26ad1a64356271bcde4653dd53

SHA512
d60845b0142dd2863219f843f1a0c975f585ee93b6004a95083b7d2315db7dd6c46ea5f1bec9b9b42ce88668dfdcc6db77d5f0cc62fd2943a2f386a5dd2caee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77EE.exe

Filesize
14KB

MD5
4169fcfbcdd0079c7549b562b5693b65

SHA1
d7207ed9988a344fd34ff372b2acc99ec9ba73ff

SHA256
1b1565de754c063b40d5a57d50e1f9514147d5c7e2b50130a451afd18f55d81c

SHA512
26187784b887f99dd8402e59c1f4897dcdb4dee3bbf1c9f50235e19a5d1876aa6540fe1081e6db8a88238be4661029b3b064c195d3a3ecadaa824d3922c08ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM787A.exe

Filesize
14KB

MD5
b03a746d07ca13f91202b47a6dcdfa8d

SHA1
14663cf8fec4f1443f1c6b608e11cd20ae574d4f

SHA256
89c7f632a78cc7642607b0b70a84df2e46032060762a06407eb3eecf8f6b997d

SHA512
99540877b83a905052f89acefd2f9756b734a5d6ef45a683542732ec45746ab36beb086543dab6e1ba668f42e3f8e853dfcd0f54b1cbd3fa04466ddc9652565d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe

Filesize
14KB

MD5
5b2f3ae197d223d59f0a2e5a3f1bbd5e

SHA1
4f2281a3892cc87616c578241f3629dc8ee8e531

SHA256
7fe07fc525cbeaf443fbd70349b5e6009b680e4d7cd1dcd5e8dd39bf2b34e85d

SHA512
69846d1f5f417a1da322bdb6c2b5c0033632939dc46590da4ffb610e040006aa512864cf7c26a12651e32fed0c51e1af9220f0e570ac48e2b01c53f3dbbb645d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCDBB.exe

Filesize
14KB

MD5
c3393ee3e819893446656e4196d82cdd

SHA1
e8069ed32261eb89e5545727c24b50ad70f5e36e

SHA256
b80791544edd9252ff706b8180bfbd76eefe430d227cc5793cebb39cc2aff3c3

SHA512
5ee03c5e0e519fb4591f9cf223f4fde79814659483818e9a43ab6c63ad2ff23a42df59da3cbadb44d6f7caa671a3366cf833fb4fc473a7cdf234e05866e68ff2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM22CC.exe

Filesize
14KB

MD5
878248b47d2b73b766ad6733a0a3a1a0

SHA1
6f292330ed6fc74791fc78a62767d9eef45fa107

SHA256
ede4e876ba604f1a514150b9949b227935df97c7d7684d8d3f70f07d648f1a83

SHA512
8c4b35b8c9c9d0d72943f45961e38e10acddfa43639218ab19447e1da8e26581d67df4dc9573dccb3898772f70cc285323199c047676bcaa06688d1815b2c3f0

Download Submit

Analysis

Sharing