a8ec0e90fbce2db4559af4178aeea8c6a4df7311e4e56baf3ac963100276838e

General

Target

1b896a595788018fc0393e612a6957de_JaffaCakes118.exe
Size

14KB
MD5

1b896a595788018fc0393e612a6957de
SHA1

5453bcb34903b0b36904e900569738dd90624698
SHA256

a8ec0e90fbce2db4559af4178aeea8c6a4df7311e4e56baf3ac963100276838e
SHA512

5155a7484bc379f361355ede3d9989698c842b806edf2262944fc38e70768a687d8cbc0066621e18300cf2e1c9d8c77fc7d45975fadc3764ca46a0f214863af5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYuoi:hDXWipuE+K3/SSHgxmBi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2576	DEM2BD1.exe
2452	DEM818F.exe
2664	DEMD6CF.exe
1896	DEM2C10.exe
568	DEM8131.exe
2412	DEMD6B0.exe

Loads dropped DLL 6 IoCs

pid	Process
2000	1b896a595788018fc0393e612a6957de_JaffaCakes118.exe
2576	DEM2BD1.exe
2452	DEM818F.exe
2664	DEMD6CF.exe
1896	DEM2C10.exe
568	DEM8131.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2576	2000	1b896a595788018fc0393e612a6957de_JaffaCakes118.exe	29
PID 2000 wrote to memory of 2576	2000	1b896a595788018fc0393e612a6957de_JaffaCakes118.exe	29
PID 2000 wrote to memory of 2576	2000	1b896a595788018fc0393e612a6957de_JaffaCakes118.exe	29
PID 2000 wrote to memory of 2576	2000	1b896a595788018fc0393e612a6957de_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2452	2576	DEM2BD1.exe	33
PID 2576 wrote to memory of 2452	2576	DEM2BD1.exe	33
PID 2576 wrote to memory of 2452	2576	DEM2BD1.exe	33
PID 2576 wrote to memory of 2452	2576	DEM2BD1.exe	33
PID 2452 wrote to memory of 2664	2452	DEM818F.exe	35
PID 2452 wrote to memory of 2664	2452	DEM818F.exe	35
PID 2452 wrote to memory of 2664	2452	DEM818F.exe	35
PID 2452 wrote to memory of 2664	2452	DEM818F.exe	35
PID 2664 wrote to memory of 1896	2664	DEMD6CF.exe	37
PID 2664 wrote to memory of 1896	2664	DEMD6CF.exe	37
PID 2664 wrote to memory of 1896	2664	DEMD6CF.exe	37
PID 2664 wrote to memory of 1896	2664	DEMD6CF.exe	37
PID 1896 wrote to memory of 568	1896	DEM2C10.exe	39
PID 1896 wrote to memory of 568	1896	DEM2C10.exe	39
PID 1896 wrote to memory of 568	1896	DEM2C10.exe	39
PID 1896 wrote to memory of 568	1896	DEM2C10.exe	39
PID 568 wrote to memory of 2412	568	DEM8131.exe	41
PID 568 wrote to memory of 2412	568	DEM8131.exe	41
PID 568 wrote to memory of 2412	568	DEM8131.exe	41
PID 568 wrote to memory of 2412	568	DEM8131.exe	41

C:\Users\Admin\AppData\Local\Temp\1b896a595788018fc0393e612a6957de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b896a595788018fc0393e612a6957de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\DEM2BD1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2BD1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\DEM818F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM818F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\DEMD6CF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD6CF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\DEM2C10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C10.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Users\Admin\AppData\Local\Temp\DEM8131.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8131.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\DEMD6B0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD6B0.exe"
        7⤵
        Executes dropped EXE
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM818F.exe

Filesize
14KB

MD5
ddfc695c215b75eff444c87923d11b7a

SHA1
af07db0d9595fee1e6e860861807e6e497aa1618

SHA256
5d7d9c9ca22196e229377009aa3f8e29c1b9e5602dbb92b8bb1fc34dd3b26fce

SHA512
04c6b3a9be740bd4a48a11af85a8ef7d13c411c1c19b22ad105144b8bcf166a4a30eb397ff85a7b2b9e2c95dd4f6ec38087aba1f0e14e572cca3d98bf21eabda

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD6B0.exe

Filesize
14KB

MD5
09875ea7e5d427b1ce87431459d75cd9

SHA1
622e1317512761d6d4535586917a58deec7481f8

SHA256
41d21aa4c4da67ded17f250d854ad12f94f403d8f6ca36b810dc718a76e61a30

SHA512
013fa7dd47dbb3ddfe6a6fe12262b284485ff81c83c4ddf498bb6f55fdbba5998176e9dd24f8185af55d4b7106fd130ddc07c6823d4b10affccb71e9e445c915

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD6CF.exe

Filesize
14KB

MD5
0b32adedb2037d33cf616c974cb05b95

SHA1
0d6285e9f6fd8a1877ebd5b157e564453097fbfa

SHA256
f29a1ef993f17fa04969d0e8a9f5697f4081fd26c2912a9c7f87cd41e8913838

SHA512
d61f41b5c0d3060b3c82288d431bf17b92a26cf37b5289a0928950b39519789713f80495ec5d6b69305b0a78be70682a927113fe5ee4fd84779e751bd47bc70c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2BD1.exe

Filesize
14KB

MD5
5bb35998be027ef7314415c74b1ad149

SHA1
3840f745e355d58e2160facfce3e683b1a1f6fcd

SHA256
33ebbf4f7b495946ffcb686c76311a5d7f270b572c6e61f3032d71464b9bd8d7

SHA512
0a5f0cdd20d829f271274f10ecd3f6cc179a4c79f30155701621c2b07c3cf02ea7b3d408ef033003a2536aca5e9ac045c4a32e8ac382f3a7201ec46e49325124

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2C10.exe

Filesize
14KB

MD5
1d8956f03fb9d5d1c32655a8f7fcfcce

SHA1
dc4d3348dab38baa9b77861962685c74c40fa8d7

SHA256
76538a6d1b2e63aa73cabcd23155aaf2799ab101b2951d3ec022e9e6dea8a5df

SHA512
a4c9bc68d3d2b7509b1f7a350d8873079181c078e0339321663b92e6b5906cd23aae540c20768d85d22a624c2f68207e802a106c2211b8b523b1ae868eb1cc10

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8131.exe

Filesize
14KB

MD5
914317baef3d342c6cc2dfbe3f583b51

SHA1
7b259fc0017d9b731627b7614f73806fd25b90ee

SHA256
15108c1acae8003757035493ce7ca7a9b4eafd269ed054ad184ce0c5fa446e91

SHA512
c50b83fd73bbe7d35c794c4ad5838a1115400967e2660b5ade22bd1b09f369977765d83732d0c0812afea04a45c7df3a472d566a59f70e9543edfba091f708ca

Download Submit

Analysis

Sharing