9f2173862d9a80cc7e1148f0ba178b73de76dd7d6ae0a6fd8fff9114a3e140fc

General

Target

22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe
Size

14KB
MD5

22a38029ca6945568a588f1967e191c2
SHA1

b1cf486918e951a80df05e7e3bc8149941829cc4
SHA256

9f2173862d9a80cc7e1148f0ba178b73de76dd7d6ae0a6fd8fff9114a3e140fc
SHA512

67c55fd743add96902cdacad32071df407538e9e92face9964308d4afd863f73dd49eab9c8190414077c612c98dac27f0c0c8030b254b18b3d5ca479f6110108
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhWD:hDXWipuE+K3/SSHgxcD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2956	DEMB47.exe
2628	DEM60E5.exe
2936	DEMB70F.exe
1820	DEMC31.exe
2864	DEM6191.exe
2508	DEMB77D.exe

Loads dropped DLL 6 IoCs

pid	Process
1044	22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe
2956	DEMB47.exe
2628	DEM60E5.exe
2936	DEMB70F.exe
1820	DEMC31.exe
2864	DEM6191.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2956	1044	22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe	29
PID 1044 wrote to memory of 2956	1044	22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe	29
PID 1044 wrote to memory of 2956	1044	22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe	29
PID 1044 wrote to memory of 2956	1044	22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe	29
PID 2956 wrote to memory of 2628	2956	DEMB47.exe	31
PID 2956 wrote to memory of 2628	2956	DEMB47.exe	31
PID 2956 wrote to memory of 2628	2956	DEMB47.exe	31
PID 2956 wrote to memory of 2628	2956	DEMB47.exe	31
PID 2628 wrote to memory of 2936	2628	DEM60E5.exe	35
PID 2628 wrote to memory of 2936	2628	DEM60E5.exe	35
PID 2628 wrote to memory of 2936	2628	DEM60E5.exe	35
PID 2628 wrote to memory of 2936	2628	DEM60E5.exe	35
PID 2936 wrote to memory of 1820	2936	DEMB70F.exe	37
PID 2936 wrote to memory of 1820	2936	DEMB70F.exe	37
PID 2936 wrote to memory of 1820	2936	DEMB70F.exe	37
PID 2936 wrote to memory of 1820	2936	DEMB70F.exe	37
PID 1820 wrote to memory of 2864	1820	DEMC31.exe	39
PID 1820 wrote to memory of 2864	1820	DEMC31.exe	39
PID 1820 wrote to memory of 2864	1820	DEMC31.exe	39
PID 1820 wrote to memory of 2864	1820	DEMC31.exe	39
PID 2864 wrote to memory of 2508	2864	DEM6191.exe	41
PID 2864 wrote to memory of 2508	2864	DEM6191.exe	41
PID 2864 wrote to memory of 2508	2864	DEM6191.exe	41
PID 2864 wrote to memory of 2508	2864	DEM6191.exe	41

C:\Users\Admin\AppData\Local\Temp\22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\DEMB47.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB47.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\DEM60E5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM60E5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\DEMB70F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB70F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\DEMC31.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC31.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Users\Admin\AppData\Local\Temp\DEM6191.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6191.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\DEMB77D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB77D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM60E5.exe

Filesize
14KB

MD5
efc7090e816c8497e0a3cbcfe44bb06a

SHA1
f76e28a63248e55a649f06519f0cafcdbe1c9eb1

SHA256
862153600d813a38094c65822462c1e5023c745e13278c82d06907a1a4bd2ba9

SHA512
bcf9a54517cd1cf4213ae88049e587695e2882e0112e7e76c998eec95d491abb8313321444550648ccf2d768acb55c20253d2085c30bfcb43fc4e40e391c3a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB47.exe

Filesize
14KB

MD5
5b6c71f91cf0ba207c967e8c23b770fa

SHA1
d4a78a6932502a9295e12521edfd935eec129187

SHA256
897f27b23f8d0ea1b8eb236bdb7df65673bdc2f68e6047413bfb95ffc4cad971

SHA512
fa7cc65eb8a6e258414842f6f7aabf801e9684ae847b5327503f13acd1182c2669922d274be0488d90083d26f0fbab45dc881811d4b1be57c9b892a01c0037cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB77D.exe

Filesize
14KB

MD5
1a215cd62508228f13c6a50160537634

SHA1
9e2784c4fd96b60012e3f32dfa99268569ba795c

SHA256
b76284c12a6de32c95d8cb229ffdabd994c42e382df944f95d6f2a747b9ce9ea

SHA512
bb0ac1fd96d77e55c6f049879de0f1422dd4902445a30bbd59fa4c4c0d7f8f62799b991b5cc3540bd0f9ae3e97331ab29621512e033076a16803a53ee7e4ad21

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6191.exe

Filesize
14KB

MD5
e0847017a58694f46c829f29bd4d5f1b

SHA1
352cd85c8ecd142ad8a0859be83e2ce8d78431fe

SHA256
4b55d398f6bb35da9579634f766d773d74c90ce6a2364124fcc3e080a42e597c

SHA512
c7abedf2065e7da5e54cadb988afa41e60814fbc04aefbafc21e632fa5acb4bc2aab36ac0261824ec4f5797d32ff1f88b2273e8d4706a6f10c4141889294bcb0

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB70F.exe

Filesize
14KB

MD5
1e6da1432fed6384f1a22b60791cec1b

SHA1
b43a3e6e1129d4cdfb0fe92b729bd7a6169ca162

SHA256
09a798b63f4fa864fc9906a53c476ac9dc8341f209f437f07e0212084a1afc03

SHA512
e4e046c39e794081d145d070b764ea58b52f02eb844d692b44964f9e8e600b7d6b447231c1f70371facb501257e1535f7b2d3b8217f7effba0da73a36dfedc62

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC31.exe

Filesize
14KB

MD5
21b7dfbf4c825fdbd164edf28464e454

SHA1
536c475482bd4893eef1c5b498d01b0be71040c4

SHA256
4bbc809d0a407410a58fde84e4533518f1da81c362b7a13706d916da9135c9fe

SHA512
ba267fcca3cf75b995438d02f2911046c1a3ddfaa917604e9c866e59d5695d5ae86be88b9684165c3279d8e301719ff00e43fb82d858a354b884fafea4d52dc9

Download Submit

Analysis

Sharing