fffc7c77f59aac11d6a7f894f57739c81afba21288c489ae821107b95b19065f

General

Target

2acdaa2884bb76e7d446ad6db9ed4764_JaffaCakes118.exe
Size

15KB
MD5

2acdaa2884bb76e7d446ad6db9ed4764
SHA1

53ec3ee7caeeff55928e0b7f69c809f822cac67b
SHA256

fffc7c77f59aac11d6a7f894f57739c81afba21288c489ae821107b95b19065f
SHA512

1770ab728164a7e3b193f04823bbc3262f00b926290bdf198ab8223558494fa6be5451d06c57a85005b502ac91552ec5f2ec1fd8bbc19cb1ce648b420df88878
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx0:hDXWipuE+K3/SSHgxmHS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2752	DEM6CC7.exe
2296	DEMC2A3.exe
1952	DEM189F.exe
740	DEM6E9B.exe
2976	DEMC4D5.exe
328	DEM1AA2.exe

Loads dropped DLL 6 IoCs

pid	Process
1612	2acdaa2884bb76e7d446ad6db9ed4764_JaffaCakes118.exe
2752	DEM6CC7.exe
2296	DEMC2A3.exe
1952	DEM189F.exe
740	DEM6E9B.exe
2976	DEMC4D5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2752	1612	2acdaa2884bb76e7d446ad6db9ed4764_JaffaCakes118.exe	30
PID 1612 wrote to memory of 2752	1612	2acdaa2884bb76e7d446ad6db9ed4764_JaffaCakes118.exe	30
PID 1612 wrote to memory of 2752	1612	2acdaa2884bb76e7d446ad6db9ed4764_JaffaCakes118.exe	30
PID 1612 wrote to memory of 2752	1612	2acdaa2884bb76e7d446ad6db9ed4764_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2296	2752	DEM6CC7.exe	32
PID 2752 wrote to memory of 2296	2752	DEM6CC7.exe	32
PID 2752 wrote to memory of 2296	2752	DEM6CC7.exe	32
PID 2752 wrote to memory of 2296	2752	DEM6CC7.exe	32
PID 2296 wrote to memory of 1952	2296	DEMC2A3.exe	34
PID 2296 wrote to memory of 1952	2296	DEMC2A3.exe	34
PID 2296 wrote to memory of 1952	2296	DEMC2A3.exe	34
PID 2296 wrote to memory of 1952	2296	DEMC2A3.exe	34
PID 1952 wrote to memory of 740	1952	DEM189F.exe	36
PID 1952 wrote to memory of 740	1952	DEM189F.exe	36
PID 1952 wrote to memory of 740	1952	DEM189F.exe	36
PID 1952 wrote to memory of 740	1952	DEM189F.exe	36
PID 740 wrote to memory of 2976	740	DEM6E9B.exe	38
PID 740 wrote to memory of 2976	740	DEM6E9B.exe	38
PID 740 wrote to memory of 2976	740	DEM6E9B.exe	38
PID 740 wrote to memory of 2976	740	DEM6E9B.exe	38
PID 2976 wrote to memory of 328	2976	DEMC4D5.exe	40
PID 2976 wrote to memory of 328	2976	DEMC4D5.exe	40
PID 2976 wrote to memory of 328	2976	DEMC4D5.exe	40
PID 2976 wrote to memory of 328	2976	DEMC4D5.exe	40

C:\Users\Admin\AppData\Local\Temp\2acdaa2884bb76e7d446ad6db9ed4764_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2acdaa2884bb76e7d446ad6db9ed4764_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\DEM6CC7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6CC7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\DEMC2A3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC2A3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\DEM189F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM189F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\DEM6E9B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E9B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:740
      - C:\Users\Admin\AppData\Local\Temp\DEMC4D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC4D5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\DEM1AA2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1AA2.exe"
        7⤵
        Executes dropped EXE
        
        PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM189F.exe

Filesize
15KB

MD5
b800df45cef6fd8bd00de7a52936ec2d

SHA1
5716aae2b2567e9afdf442153eb3923759e99825

SHA256
05546b58ae09ee5fb396903737ef08f03ead851222bf4490cfd38f6803e797a1

SHA512
2ac8552bd7c4bab9d204e155b688adb69290d0d5588722d5879624156035bcb43073d84f5b6b7769797bfcc2b29925adb76791dc8c242a3d515d697f4a62126c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6CC7.exe

Filesize
15KB

MD5
842062bdb8c40fe8f54f8b0f151eb207

SHA1
13644aaad9c26e648871743fd51c13876065b1e3

SHA256
7b99020c2c0e25ce9095b05c542ee28baa5a6b5ebe2a6de71d251d260db0e80e

SHA512
4adebac7809bd7137007b01bdecde162251517c83166e09bf8056cbae4bfcc171283f1a8a95ac24b5a815477f58ce0cc76bff8438418c411f24496b5b105e64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC2A3.exe

Filesize
15KB

MD5
a26b37c12f3be3648ff44d49551e9736

SHA1
cb498241193a167e2beac6011a0328c6402505d6

SHA256
2ec8f5a377026be6b165f7694b007d6ebb388359ed9084038293448dd0ecfd1a

SHA512
aa0d1792693bca9ab2a86ab3cf30fa5d5bb0b921b34a5d3e924f9f7eb95bc4deeb0f3bcfb1d0465fcfb44f2a1a462778cf39f5cdda42b8b44413dca392d00889

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1AA2.exe

Filesize
15KB

MD5
9c6a4d7f53cf2923eae769fb45a56d70

SHA1
3fa538ff5163cc1484c1dc2b7a42cddb926bfbe5

SHA256
291dff856b06cbfe6e305a4eb9131d15a60e30e45bc743c56ad839d3f6507af8

SHA512
8c37996bf4929048b916548d4e3f3e4f3fae7aeb929bb75fd6361a1ca46a45b86fe18294f2ca9d4fe6dfb8260dd6455be03764867c26bd10fcf8c520bdb33a11

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6E9B.exe

Filesize
15KB

MD5
dfc550dff5d7cbd5fcf1823898570e8a

SHA1
e2d3c95fb652e350bbbe224ca426c305c3e95d6f

SHA256
820594c98493a3f00b663fa34062ae39e4e9dc287985e858dc6ee3f27f051183

SHA512
e4cabe5a425b47d4ffcec480a7e555195eae418a18c4a756d8036a9e0ffee57d39eebbb9b23cb812e8baecca3bf0eafc9f84416a64e8460d21febc4a2d045982

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC4D5.exe

Filesize
15KB

MD5
66e1d6439a48cad7c517389999928776

SHA1
95c22b4a48603de21af62a93ddbb0d879917f9b7

SHA256
ed40a7e19439f698459e59151c9517209b3902eff273bfff8e356575118b1fd9

SHA512
9eb93818b8614ce12f55e67990397b13194cb0cd2864510ce3a196f34515c15b31702a0e7b6b0f386e56fa2d5324ade4aec2b399451aac18a2f859d9ccefc9da

Download Submit

Analysis

Sharing