71a6f5ce884e108ee0a02d453e91beca10021ce4d56a1cea16994ce732e3de74

General

Target

150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
Size

14KB
MD5

150905c22aba1839292edc2a59e4b2f8
SHA1

22df283ac4a6b45d33f738bcf5ed1370a974448d
SHA256

71a6f5ce884e108ee0a02d453e91beca10021ce4d56a1cea16994ce732e3de74
SHA512

2074a83ab71afdfb936d6bf5d68515ccec8f616e78651d832c12ae04f486cafa3f459f3baf03657252083a54c9305f4e881c3c9a9c3fbfb4d1377d0b2d079801
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlbv:hDXWipuE+K3/SSHgxmlbv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2652	DEM25C9.exe
2520	DEM7BD4.exe
2488	DEMD105.exe
328	DEM2684.exe
648	DEM7BE4.exe
1908	DEMD115.exe

Loads dropped DLL 6 IoCs

pid	Process
1720	150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
2652	DEM25C9.exe
2520	DEM7BD4.exe
2488	DEMD105.exe
328	DEM2684.exe
648	DEM7BE4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2652	1720	150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2652	1720	150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2652	1720	150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2652	1720	150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe	29
PID 2652 wrote to memory of 2520	2652	DEM25C9.exe	33
PID 2652 wrote to memory of 2520	2652	DEM25C9.exe	33
PID 2652 wrote to memory of 2520	2652	DEM25C9.exe	33
PID 2652 wrote to memory of 2520	2652	DEM25C9.exe	33
PID 2520 wrote to memory of 2488	2520	DEM7BD4.exe	35
PID 2520 wrote to memory of 2488	2520	DEM7BD4.exe	35
PID 2520 wrote to memory of 2488	2520	DEM7BD4.exe	35
PID 2520 wrote to memory of 2488	2520	DEM7BD4.exe	35
PID 2488 wrote to memory of 328	2488	DEMD105.exe	37
PID 2488 wrote to memory of 328	2488	DEMD105.exe	37
PID 2488 wrote to memory of 328	2488	DEMD105.exe	37
PID 2488 wrote to memory of 328	2488	DEMD105.exe	37
PID 328 wrote to memory of 648	328	DEM2684.exe	39
PID 328 wrote to memory of 648	328	DEM2684.exe	39
PID 328 wrote to memory of 648	328	DEM2684.exe	39
PID 328 wrote to memory of 648	328	DEM2684.exe	39
PID 648 wrote to memory of 1908	648	DEM7BE4.exe	41
PID 648 wrote to memory of 1908	648	DEM7BE4.exe	41
PID 648 wrote to memory of 1908	648	DEM7BE4.exe	41
PID 648 wrote to memory of 1908	648	DEM7BE4.exe	41

C:\Users\Admin\AppData\Local\Temp\150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\DEM25C9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM25C9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\DEM7BD4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7BD4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\DEMD105.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD105.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\DEM2684.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2684.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:328
      - C:\Users\Admin\AppData\Local\Temp\DEM7BE4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7BE4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\DEMD115.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD115.exe"
        7⤵
        Executes dropped EXE
        
        PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM25C9.exe

Filesize
14KB

MD5
9089caa94c9ae14faf1ba6516969b4f3

SHA1
5f5311522729713efccb4fda1fbb4f7c1c8ed604

SHA256
a83929e7a8466ca064c2e215739b797436a5fee6ab75c41039c8cd08e06bd130

SHA512
ef9c3ba2cfd5cbc671126dc7d9f11b18920e9a69dc7805a26e9405264fd42c146d5cb4ab091200a96c137e04445c10150aefb5fd9d715431c463fc6d84660c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7BD4.exe

Filesize
14KB

MD5
cb0328931015a181d7fe1bbc14ce3bbb

SHA1
f5586ddf88827d1bb68a12aa5ad3a418cb6ef049

SHA256
33bea962f7c838baaf308166242d1889df819bf9e0c5d355e7285c00c0632e9f

SHA512
cf4628de1fdc6fa6ee94e1fcf62e15bc0fbcd1736c3e302456398f4c82c9f4291c1971ecb07d6eafbc01bbc43ed207e7f878bb5181109d2858728e76f17ba2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD115.exe

Filesize
15KB

MD5
2b3d955e9a732254f4ac779507622477

SHA1
dbed38f93b97fea6e8b5e9025239321fb34656a5

SHA256
bd2b0cca705f96e2d2c2a830cc80ba528d37ddafb25339ea49116bd09976b142

SHA512
81c88a2dc7cd38f262275a7fa02c35710b13d52a6556bdd41693d370e29417f72a3a4a883db3ce092d22ebcd7d90d97babd835062a6decc1cfd1880e88ef1763

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2684.exe

Filesize
14KB

MD5
651bb6639b83d245113091c546bc2e46

SHA1
a4e92538ca5d93178f6c54bcf285c60cff2fa4d0

SHA256
3d96f04899b9d9b97f6ab23f3872b45590fc58bb4193bb2e47518e1685e40d0c

SHA512
2daf20ed6b60381a842419cbbd97ba48a1dd6e43aa32e668b7e33682e6ccf97702dfee8146480ac87ef212f4b9488371737afd137ddfe48c1694ea868de3ca52

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7BE4.exe

Filesize
14KB

MD5
8ccc07665943d5b25385094380a39820

SHA1
dcdcd15f5097a066038d8f0f9cd8eaf467024a2f

SHA256
f9f217e5d00bbec9e537bbb8be54b36f18ddbb61b55e511c9fd3d1a69362f62f

SHA512
f8c112b9e132e54a0f4a288db24a2ecf7e3ea80be165d382baa3d9cb16278afb95a946f430b7143627af4b2d2b7b5f49c30d7d44293f39b54bd426cd4f58c4ea

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD105.exe

Filesize
14KB

MD5
7ed73f28a416c6eded76d9a854586302

SHA1
7178c662c79fddc27b73c148c47821766d59dbd7

SHA256
7ed4232822d3376a8c31f29add1de703b6c610993c41c824f1d6811809e19328

SHA512
f6ffd67e5e5b5cc94b5974a6897c3e434067733a5208f984e7f5ddc87d188217b5d5d50274e9a522321565bcb5b834117f2c38404031213d8f874b5ae7cab2e0

Download Submit

Analysis

Sharing