f56c4119f0715e747b522c38c08e91af3a3411419bd4190406f6f6436d4bc46f

General

Target

2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe
Size

14KB
MD5

2bfea4a8754925e30ee7c6207b24478b
SHA1

cbd9aac1145c2ef7c9fd4afcf682cdb15484ac6b
SHA256

f56c4119f0715e747b522c38c08e91af3a3411419bd4190406f6f6436d4bc46f
SHA512

5493be357b12e0a977eec0912fa543cfd8a320109192ac2a2a9f8ef37625d3000b994794d8b44283945b863d3aacf096b0d74925d836139d7ac40a4a51e4cfed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/Tyt:hDXWipuE+K3/SSHgxm/TK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2680	DEMF660.exe
2200	DEM4BB0.exe
1576	DEMA1AC.exe
1952	DEMF6CD.exe
1804	DEM4C4C.exe
2060	DEMA1AD.exe

Loads dropped DLL 6 IoCs

pid	Process
656	2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe
2680	DEMF660.exe
2200	DEM4BB0.exe
1576	DEMA1AC.exe
1952	DEMF6CD.exe
1804	DEM4C4C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 2680	656	2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe	30
PID 656 wrote to memory of 2680	656	2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe	30
PID 656 wrote to memory of 2680	656	2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe	30
PID 656 wrote to memory of 2680	656	2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2200	2680	DEMF660.exe	32
PID 2680 wrote to memory of 2200	2680	DEMF660.exe	32
PID 2680 wrote to memory of 2200	2680	DEMF660.exe	32
PID 2680 wrote to memory of 2200	2680	DEMF660.exe	32
PID 2200 wrote to memory of 1576	2200	DEM4BB0.exe	34
PID 2200 wrote to memory of 1576	2200	DEM4BB0.exe	34
PID 2200 wrote to memory of 1576	2200	DEM4BB0.exe	34
PID 2200 wrote to memory of 1576	2200	DEM4BB0.exe	34
PID 1576 wrote to memory of 1952	1576	DEMA1AC.exe	36
PID 1576 wrote to memory of 1952	1576	DEMA1AC.exe	36
PID 1576 wrote to memory of 1952	1576	DEMA1AC.exe	36
PID 1576 wrote to memory of 1952	1576	DEMA1AC.exe	36
PID 1952 wrote to memory of 1804	1952	DEMF6CD.exe	38
PID 1952 wrote to memory of 1804	1952	DEMF6CD.exe	38
PID 1952 wrote to memory of 1804	1952	DEMF6CD.exe	38
PID 1952 wrote to memory of 1804	1952	DEMF6CD.exe	38
PID 1804 wrote to memory of 2060	1804	DEM4C4C.exe	40
PID 1804 wrote to memory of 2060	1804	DEM4C4C.exe	40
PID 1804 wrote to memory of 2060	1804	DEM4C4C.exe	40
PID 1804 wrote to memory of 2060	1804	DEM4C4C.exe	40

C:\Users\Admin\AppData\Local\Temp\2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\DEMF660.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF660.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\DEM4BB0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4BB0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\DEMA1AC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA1AC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Users\Admin\AppData\Local\Temp\DEMF6CD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF6CD.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Users\Admin\AppData\Local\Temp\DEM4C4C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4C4C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\DEMA1AD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA1AD.exe"
        7⤵
        Executes dropped EXE
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4BB0.exe

Filesize
14KB

MD5
11a38ad8b82d4b6fcb90d6db9d7d16e5

SHA1
b5e5f3b1dfea2c64cd01c12789a7c6ffa0cade24

SHA256
ae7e2a542eeb342e4fa7120c1e9687a36e8d5d8195137590a224b155c2b7c657

SHA512
8c9fd9c637ae660906bd8b721de94088de63488f5f9b8d046c543a098b97db7e2f383d998402bf1c301f8e7401cbdfb8bae6dee746dfbd523259b4d935b6d66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA1AD.exe

Filesize
14KB

MD5
ac91135ba147240498da30c0eed402e7

SHA1
d92d515981e32c52f9c3ed4aca744ea6f2f1b505

SHA256
446c776775d6ff2a49b9ba85bf3498af3720c347023e5b56556b710743736caa

SHA512
62a160cd780a39777c846e38d32a771c5bc9e2d3f739aa40dcc0e06f6f414348259240a842160ff20f3453bdbe175a2e9d0cf7eaa2c3098c2e986bfc4e6c4eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF660.exe

Filesize
14KB

MD5
3b8fe375dd45c6bb9eb9ac931a316bdb

SHA1
407146256e8c05645213a694f0ef9fa6f57e6b1e

SHA256
09f26f046d32b53f09576483f09cd3ee5b70c282f1870844cf9e289f17c95e25

SHA512
1c6e0935e99f0697320d46da0d9aab07a6f24021fc6979a67af14c01906642d45a0167548f52778ac49e52a6cfae0cb7fc335e49896901f1993deebd16234575

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF6CD.exe

Filesize
14KB

MD5
f13357c08867da4e7748ef6f326c674d

SHA1
61f5e505810fdd31ff120f60505907909ab4de4d

SHA256
88340caf1aa107c23e8877a8767de7736f61724f79a071566404e9f7fbe6dcbe

SHA512
d0a9fceaea8d3f948dd98030c246274e7279142f30bea61971a40dcf45a31806779393682d08df88e488bf33556921e2a699c1bd6f19d212a35f12b915c965fc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4C4C.exe

Filesize
14KB

MD5
9a411be839be6ed69bc918b53ef9a6f5

SHA1
fcdfbb4c7eb4edd498be8f19c2d10ab5a72241bf

SHA256
2a452a672b637f92df916117c519704dbdb2f55f04682bb4f38a0b113a0fd22c

SHA512
8e7afb3a73594fb69cef2b7221ff21b8dac02846358d38f6ab18879bcb20089e6de0cb9c09d13f49ea62f8aefbfcb975e1812091e597319279d5f84a32007979

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA1AC.exe

Filesize
14KB

MD5
8ee1c7be0e374ed290fe0c0943254a59

SHA1
e19f7081c55020bbac7774a1a6f7b26c07560276

SHA256
a46969b4a727a70cc2295ae0012b36ce4c6fb3e4ef431ad9b0b20c3f9004b2b3

SHA512
608605fa2085f25c8c1604f27a228ace45ee84846db88aa90f2b26ff056e09633f82db75cf295b08809b71b109c1491d52f38abc9c79deb81f7d923e4b8db95b

Download Submit

Analysis

Sharing