8f7fc87a3066c65cbdba85e3a7e217a65d57f20185957906a5ca5c62fa01237f

General

Target

2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe
Size

14KB
MD5

2ae5edb00b4699c17f107e96ecb726ff
SHA1

9761c59cfa4e59aad6bf9a2b96c76632208e5a99
SHA256

8f7fc87a3066c65cbdba85e3a7e217a65d57f20185957906a5ca5c62fa01237f
SHA512

8a48446a9976665940e749d38586d31529d2fb68910670c72cf1ad98aa0037d56eb5254072c1b9499d65894bc70d2aca0d9b122c03ba483228cf8674ac950ec7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhW8B:hDXWipuE+K3/SSHgxc2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2504	DEMF8FF.exe
2980	DEM4EFB.exe
2704	DEMA4C7.exe
1264	DEMFAE2.exe
1108	DEM50BF.exe
2728	DEMA6AB.exe

Loads dropped DLL 6 IoCs

pid	Process
1052	2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe
2504	DEMF8FF.exe
2980	DEM4EFB.exe
2704	DEMA4C7.exe
1264	DEMFAE2.exe
1108	DEM50BF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2504	1052	2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe	30
PID 1052 wrote to memory of 2504	1052	2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe	30
PID 1052 wrote to memory of 2504	1052	2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe	30
PID 1052 wrote to memory of 2504	1052	2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2980	2504	DEMF8FF.exe	32
PID 2504 wrote to memory of 2980	2504	DEMF8FF.exe	32
PID 2504 wrote to memory of 2980	2504	DEMF8FF.exe	32
PID 2504 wrote to memory of 2980	2504	DEMF8FF.exe	32
PID 2980 wrote to memory of 2704	2980	DEM4EFB.exe	34
PID 2980 wrote to memory of 2704	2980	DEM4EFB.exe	34
PID 2980 wrote to memory of 2704	2980	DEM4EFB.exe	34
PID 2980 wrote to memory of 2704	2980	DEM4EFB.exe	34
PID 2704 wrote to memory of 1264	2704	DEMA4C7.exe	36
PID 2704 wrote to memory of 1264	2704	DEMA4C7.exe	36
PID 2704 wrote to memory of 1264	2704	DEMA4C7.exe	36
PID 2704 wrote to memory of 1264	2704	DEMA4C7.exe	36
PID 1264 wrote to memory of 1108	1264	DEMFAE2.exe	38
PID 1264 wrote to memory of 1108	1264	DEMFAE2.exe	38
PID 1264 wrote to memory of 1108	1264	DEMFAE2.exe	38
PID 1264 wrote to memory of 1108	1264	DEMFAE2.exe	38
PID 1108 wrote to memory of 2728	1108	DEM50BF.exe	40
PID 1108 wrote to memory of 2728	1108	DEM50BF.exe	40
PID 1108 wrote to memory of 2728	1108	DEM50BF.exe	40
PID 1108 wrote to memory of 2728	1108	DEM50BF.exe	40

C:\Users\Admin\AppData\Local\Temp\2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\DEMF8FF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF8FF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\DEM4EFB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4EFB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\DEMA4C7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA4C7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\DEMFAE2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFAE2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Users\Admin\AppData\Local\Temp\DEM50BF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM50BF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\DEMA6AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA6AB.exe"
        7⤵
        Executes dropped EXE
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4EFB.exe

Filesize
14KB

MD5
d5732d2b27a85d01a986ef08546bf123

SHA1
b85c685e3fb7a73c1336210860796f2af80e44ee

SHA256
a79081a72b3ebd9799e6a95eca24aba0c03ab2c694544a13dd5558421dde1f34

SHA512
17c03056afdd70af6200862fb4c7357ee05b0e6288f4028744277a5052e5a284f5acb21011d72c11148d3bc661d12e1aa1e1961ad05850313cfb2a43e2dd2b4b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM50BF.exe

Filesize
14KB

MD5
029e5a173946c65c8f9810ab8435bd21

SHA1
3fc626523d4fcddfa4a9aa071ba240049bf5a90e

SHA256
4ebb98817154410225e000f5ddd556651f62126f36ffab32cf10f5f2f09c23a4

SHA512
0dfc4b566fadea18df4918a808055b47b28b0ddba29096a6d25e08d8370a1014ca4d6046e4cde4ce73b282a9c4b6c54e5af4efdc603616ae95a99d4447761640

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA4C7.exe

Filesize
14KB

MD5
4ee3968d87053bd71d903f89afec6aef

SHA1
655ea6237344ec9bd3af0ae4de367689478c6b1d

SHA256
286099f45803fce0af44ea1893a6dc26a0d93d4eef48f96e07387e89f09c314d

SHA512
5431fe46cef7491a9c04619e9d40b5ab5f3efe76bb6a32f3f4db7d063bbd906ae0f83b3e8cb8f479d22932b55ee3f24039e9120fd40b2f4057915bd95bb2aa5f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA6AB.exe

Filesize
14KB

MD5
5b56b1b34ff8d0ecbb57aba5226e46c5

SHA1
2dda725f51a129c782507287a0106a89f00c1339

SHA256
3aeb13f2edd833cf8c9183214f74cdc4e49f2b77f6caec382b5c2ffac7483bc2

SHA512
fcc17ac469169cfe82247920252ff83ea686b578015b5451f38a2aed207581027c10d345af390c4ed852bb2e4087a8b6271c1033b99621914332e2f56192005a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF8FF.exe

Filesize
14KB

MD5
531825172d7c90c60551de8c57084fe6

SHA1
e6e95260a8145a9bb78347612ca0a2f2d707b711

SHA256
7698249c759a8c738575d2d0ca9c5fcf6c64c0311cda3fd3b3d2821cfe274cb5

SHA512
fa9e5d050376de936fcae40fa3aaa6f49e91c491347534ccf8bfa953cf424bf48126db201cb51f14991f1ac99335f7fcf9e51c47ff7d25f3d41fae46afd0446e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFAE2.exe

Filesize
14KB

MD5
e30cc0351f2fe1a8b43df9549129cf7d

SHA1
371fef0d99ea4b860412781160badee9e4ea4474

SHA256
d602107ac1dbd323e523081354ab1c89c57421c09aaea80c7c69f0a3750bc4b4

SHA512
8ece0a96ebf38c397ba879e80dc8bb30c2b6d949159024432d1c2fc6143a110a16e07e408dfa886e5a288b67fb46b0b6c6b9708b41e0bebd6d57f2d882c30e1f

Download Submit

Analysis

Sharing