8094cdc4f5c8ed280a27077dc12ec10cc006adfdfc7345601e6eab26e82b450b

General

Target

2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe
Size

15KB
MD5

2964a4c1279a6b3c42e66b8c3557f41e
SHA1

0a717f23dd9422db39e9d6a85e0a7561291277b5
SHA256

8094cdc4f5c8ed280a27077dc12ec10cc006adfdfc7345601e6eab26e82b450b
SHA512

850ed98af3ac9b43b3afdc4f344f239b59d883690b4f66f3d3789b8150bc8a9bc10b5e88b2fa78b8db978cc26d1b84790675973269558309d06edc6ec19c5525
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxnOik:hDXWipuE+K3/SSHgxmHROik

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2068	DEMFC88.exe
2820	DEM5235.exe
2472	DEMA766.exe
2364	DEMFD33.exe
1624	DEM5255.exe
2148	DEMA7A5.exe

Loads dropped DLL 6 IoCs

pid	Process
2864	2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe
2068	DEMFC88.exe
2820	DEM5235.exe
2472	DEMA766.exe
2364	DEMFD33.exe
1624	DEM5255.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2068	2864	2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe	31
PID 2864 wrote to memory of 2068	2864	2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe	31
PID 2864 wrote to memory of 2068	2864	2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe	31
PID 2864 wrote to memory of 2068	2864	2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2820	2068	DEMFC88.exe	33
PID 2068 wrote to memory of 2820	2068	DEMFC88.exe	33
PID 2068 wrote to memory of 2820	2068	DEMFC88.exe	33
PID 2068 wrote to memory of 2820	2068	DEMFC88.exe	33
PID 2820 wrote to memory of 2472	2820	DEM5235.exe	35
PID 2820 wrote to memory of 2472	2820	DEM5235.exe	35
PID 2820 wrote to memory of 2472	2820	DEM5235.exe	35
PID 2820 wrote to memory of 2472	2820	DEM5235.exe	35
PID 2472 wrote to memory of 2364	2472	DEMA766.exe	37
PID 2472 wrote to memory of 2364	2472	DEMA766.exe	37
PID 2472 wrote to memory of 2364	2472	DEMA766.exe	37
PID 2472 wrote to memory of 2364	2472	DEMA766.exe	37
PID 2364 wrote to memory of 1624	2364	DEMFD33.exe	39
PID 2364 wrote to memory of 1624	2364	DEMFD33.exe	39
PID 2364 wrote to memory of 1624	2364	DEMFD33.exe	39
PID 2364 wrote to memory of 1624	2364	DEMFD33.exe	39
PID 1624 wrote to memory of 2148	1624	DEM5255.exe	41
PID 1624 wrote to memory of 2148	1624	DEM5255.exe	41
PID 1624 wrote to memory of 2148	1624	DEM5255.exe	41
PID 1624 wrote to memory of 2148	1624	DEM5255.exe	41

C:\Users\Admin\AppData\Local\Temp\2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\DEMFC88.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMFC88.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\DEM5235.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5235.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\DEMA766.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA766.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\DEMFD33.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFD33.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Users\Admin\AppData\Local\Temp\DEM5255.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5255.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\DEMA7A5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA7A5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5235.exe

Filesize
15KB

MD5
1be9c0022c579a195de21224ef850c49

SHA1
94538f918682b3e3e480623742001f24e0491921

SHA256
cdcbdce25c02a1b2c65a63b81fb95059c2cfce37ebcd1ad4a66b8e4061eaa6d5

SHA512
567f2fa2564a394542b2aa23671969a66ce060b60f8ff5e7a137212460ba5889c3034edd3850752524874bb5c866f734aae125d1cd37991b515b9781a6fb0537

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA7A5.exe

Filesize
15KB

MD5
18c7e79b2551d0ba66d3b19270c058d7

SHA1
f2afe8eca28353d71178844e91522cd35361149d

SHA256
89e326558ffeee9d66540f5f44fcccd170ffcfcc096f4ff90cde8a21118d1725

SHA512
04e5569875d173b4092af33c23db84513f4170197a06e80e525ae85b1f461a42e5266aa902cae6c269d78a1b11e028a6edc7bf8320daf34c8ca7e3e72406db24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFC88.exe

Filesize
15KB

MD5
e8a5858de91154fa2dc0a9583c7a0dcd

SHA1
0925cfc5676cc80b58fe80d9e07691d0648f7a8d

SHA256
b5966d45c5c661ddbdca4582864fec98aa8685828eb782b6e52a6c60959619e3

SHA512
0653a42a1a5726f279487cb402c796cf589a92297f6b3226938cb1059bff92d9f7ab209e03854127d862711e9afc2436b60ecd32afb2feeb8b68ac3cd4a82946

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFD33.exe

Filesize
15KB

MD5
356190df91aaa2f1b42fd1b66afda489

SHA1
318ccdf1fee30dd5da9daba40291c5b3cad48c20

SHA256
f3907850d9e177fda7e779ed3ab7170211bf375a8255e21dfe48b01d582e97ce

SHA512
83f417153a9660fca7ffe3c6a5f8ab35b9507cbafe35c2d9a210d423af922b728c171f47f739fec2742f03000680b6859c316121061b9ded74d178c585591879

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5255.exe

Filesize
15KB

MD5
128fa080339cb30b260aa01f368091a7

SHA1
1a9800fb6bf6e6b07ae1e6706afca272bd70f2ed

SHA256
300e47e2d375f456f233178ff012793cf91763672c56b09ca2210037720065e3

SHA512
6252b621e95bb0ba727cf4e309da244b5b2d21d5544561c0ab2dc57d1128c9b650c1a14041cd650820df0dd0416d4c4e0f5dc96bcc1ae35989b36875aebf2c06

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA766.exe

Filesize
15KB

MD5
2dba33737824a3eaf99f109c628b2eaf

SHA1
c2d9e345e7ba0f3ff0fede477ba28fced8be5fb8

SHA256
e82aff34513c6aea143dd055072f2066e98168bdff3e946bc655b0c4fafe3cf5

SHA512
6a0f4b0329e41781df9df9691c5f64e0619ba5385ede1ed237820852dddedaa2751ff189fd6944048cce4203bb3b1c3b23aba4d4b04ae846075e997dca6ba925

Download Submit

Analysis

Sharing