f9ba592ada8437b603a30de56db0277e03ec9f60e8053c49ee4a8264f3f14de3

General

Target

15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe
Size

14KB
MD5

15e4bf4b762bba00ce17ce250709fec2
SHA1

18b17c7d94ce7695c2b0af4d70ad709f479fba9b
SHA256

f9ba592ada8437b603a30de56db0277e03ec9f60e8053c49ee4a8264f3f14de3
SHA512

cfeca2da509ecec1e5bc785f24b496a2a9011f5066e2fd927aad838453da2f0fc0dd88ad610fb16885f907af2f3289a665d93d4bc04a0079875ed7a6b1f27851
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYD+:hDXWipuE+K3/SSHgxmD+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2604	DEM1FEF.exe
2708	DEM758D.exe
2168	DEMCAED.exe
2404	DEM203D.exe
2984	DEM757E.exe
2344	DEMCAFD.exe

Loads dropped DLL 6 IoCs

pid	Process
2896	15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe
2604	DEM1FEF.exe
2708	DEM758D.exe
2168	DEMCAED.exe
2404	DEM203D.exe
2984	DEM757E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2604	2896	15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2604	2896	15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2604	2896	15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2604	2896	15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2708	2604	DEM1FEF.exe	31
PID 2604 wrote to memory of 2708	2604	DEM1FEF.exe	31
PID 2604 wrote to memory of 2708	2604	DEM1FEF.exe	31
PID 2604 wrote to memory of 2708	2604	DEM1FEF.exe	31
PID 2708 wrote to memory of 2168	2708	DEM758D.exe	35
PID 2708 wrote to memory of 2168	2708	DEM758D.exe	35
PID 2708 wrote to memory of 2168	2708	DEM758D.exe	35
PID 2708 wrote to memory of 2168	2708	DEM758D.exe	35
PID 2168 wrote to memory of 2404	2168	DEMCAED.exe	37
PID 2168 wrote to memory of 2404	2168	DEMCAED.exe	37
PID 2168 wrote to memory of 2404	2168	DEMCAED.exe	37
PID 2168 wrote to memory of 2404	2168	DEMCAED.exe	37
PID 2404 wrote to memory of 2984	2404	DEM203D.exe	39
PID 2404 wrote to memory of 2984	2404	DEM203D.exe	39
PID 2404 wrote to memory of 2984	2404	DEM203D.exe	39
PID 2404 wrote to memory of 2984	2404	DEM203D.exe	39
PID 2984 wrote to memory of 2344	2984	DEM757E.exe	41
PID 2984 wrote to memory of 2344	2984	DEM757E.exe	41
PID 2984 wrote to memory of 2344	2984	DEM757E.exe	41
PID 2984 wrote to memory of 2344	2984	DEM757E.exe	41

C:\Users\Admin\AppData\Local\Temp\15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\DEM1FEF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1FEF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\DEM758D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM758D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\DEMCAED.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCAED.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\DEM203D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM203D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Users\Admin\AppData\Local\Temp\DEM757E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM757E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\DEMCAFD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCAFD.exe"
        7⤵
        Executes dropped EXE
        
        PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM758D.exe

Filesize
14KB

MD5
a1c308797f9b96f05e2898a82669f62c

SHA1
f2ab0724b498ed00cac45595af7d3a4789f2a5c4

SHA256
9b3824a731cb88a6c384a5f17a5ee90f1321932b3f903e388268dcb1d57fda9a

SHA512
18855c48b850cb519508059af31709a7cdc0b7dc69421cfbdfa2947766a941e8020c7803fcfcb5375ac3b409710d40fae384576a2a2daf282e7e036feb507063

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1FEF.exe

Filesize
14KB

MD5
7e3d0e218c0917932f6c4e11be277e3a

SHA1
965d1e2a59186f9672a855dc7d6ed8d0ff92f180

SHA256
91c9f3f6499ad8e83ee6e5e4012f03296fe122d7f1f14e04fc4aadc4f2a9eedb

SHA512
e9b12ef015767a79905a27101913ebe6cbd62cbaec4c8d3a1a5c40f8be25080c2f2d134deace7502d4d39bf6f5608275505063fdd23a307444bcc3aac9cbaec3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM203D.exe

Filesize
14KB

MD5
5760e4dadc0ba1175fdb39d7bdfef473

SHA1
bc44d6c9a0eebf655bdb1cfe7f56a0b07ebc0c6e

SHA256
174c76277712d3166be490e61293c7be85b8a0c4424e9a5fd3127001a8c4d737

SHA512
e13b76daa1b95c90bf39bf6d466af03f6936bce1a204a8aedd837fbc7c8ccc74abe25f5a1a1074ad81835f7962083b43931dfafa2e5c532d685d0130f7df6a7b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM757E.exe

Filesize
14KB

MD5
cee3b5261e165c807d3ea49e0e98b162

SHA1
006c2e31775dd61eea016d7cfd8bca949c267e3a

SHA256
87ba2b4ec383be8b36780de57dfd5d348673a07e78cdb06a76fc5d247e5d6e98

SHA512
bc8fa2426380d78e7d2723a1f3f99bebd6a7630e2751c29ba325f63a8fdc08f39a0bbf6860f436706fa10ab6046c43a80115a7a1f5dcd8987e0e888ce4a8c622

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCAED.exe

Filesize
14KB

MD5
749aa2008f4e250a4ad64a32e939ec74

SHA1
a2fddbab32ba3e5104e71de87055e282060ef9fa

SHA256
b307ceffd97de436989cb5263ba23d9c904b20b94cc10493310329588d236aae

SHA512
13c2a1ba04b27fa6641f061249070aeb4acae36ee9392b71c3079fe1e2721e09232d70e989a8ddf7fa3940b683903baf5b3512b3522fb7c9f81fb3d64a9f3e21

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCAFD.exe

Filesize
14KB

MD5
b2561a0c2fd1195086df9240b21bbde9

SHA1
e68ee6dca6314edf0bde9b0e8a7bd2c2c3171b2f

SHA256
0ed1e1717488b3f28e502c7430e831babe155773195be1c922da818f167c6376

SHA512
4adac35d5d8a01c1bf5f39e46bff3fc4f55b74e2a8dd97c025281082d604a621ea9e3262f02326fc5012b22266b8d844380c298763ed3ba32a5c8dc68e8eb6cc

Download Submit

Analysis

Sharing