9f592e4f1bf399b1b1449c2e5e232a19e7778098118fee649b3dbff7d3a27dcc

General

Target

2ec7f22dac6a4714414558667c0fcd0d_JaffaCakes118.exe
Size

14KB
MD5

2ec7f22dac6a4714414558667c0fcd0d
SHA1

df964659a7b6a299143674ef6bfd514426fd89d8
SHA256

9f592e4f1bf399b1b1449c2e5e232a19e7778098118fee649b3dbff7d3a27dcc
SHA512

ddd58672ae148d82d576a9433af6b64c55a1d88487bee65d8960b078053d52f0cd35645faa7bb42149f550b10354d70bca74349fffa0d504f5467ed3579cf40c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhs:hDXWipuE+K3/SSHgxS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2016	DEMF6DD.exe
2756	DEM4BDF.exe
2644	DEMA11F.exe
1792	DEMF650.exe
2920	DEM4B91.exe
1748	DEMA0F1.exe

Loads dropped DLL 6 IoCs

pid	Process
448	2ec7f22dac6a4714414558667c0fcd0d_JaffaCakes118.exe
2016	DEMF6DD.exe
2756	DEM4BDF.exe
2644	DEMA11F.exe
1792	DEMF650.exe
2920	DEM4B91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2016	448	2ec7f22dac6a4714414558667c0fcd0d_JaffaCakes118.exe	30
PID 448 wrote to memory of 2016	448	2ec7f22dac6a4714414558667c0fcd0d_JaffaCakes118.exe	30
PID 448 wrote to memory of 2016	448	2ec7f22dac6a4714414558667c0fcd0d_JaffaCakes118.exe	30
PID 448 wrote to memory of 2016	448	2ec7f22dac6a4714414558667c0fcd0d_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2756	2016	DEMF6DD.exe	32
PID 2016 wrote to memory of 2756	2016	DEMF6DD.exe	32
PID 2016 wrote to memory of 2756	2016	DEMF6DD.exe	32
PID 2016 wrote to memory of 2756	2016	DEMF6DD.exe	32
PID 2756 wrote to memory of 2644	2756	DEM4BDF.exe	34
PID 2756 wrote to memory of 2644	2756	DEM4BDF.exe	34
PID 2756 wrote to memory of 2644	2756	DEM4BDF.exe	34
PID 2756 wrote to memory of 2644	2756	DEM4BDF.exe	34
PID 2644 wrote to memory of 1792	2644	DEMA11F.exe	36
PID 2644 wrote to memory of 1792	2644	DEMA11F.exe	36
PID 2644 wrote to memory of 1792	2644	DEMA11F.exe	36
PID 2644 wrote to memory of 1792	2644	DEMA11F.exe	36
PID 1792 wrote to memory of 2920	1792	DEMF650.exe	38
PID 1792 wrote to memory of 2920	1792	DEMF650.exe	38
PID 1792 wrote to memory of 2920	1792	DEMF650.exe	38
PID 1792 wrote to memory of 2920	1792	DEMF650.exe	38
PID 2920 wrote to memory of 1748	2920	DEM4B91.exe	40
PID 2920 wrote to memory of 1748	2920	DEM4B91.exe	40
PID 2920 wrote to memory of 1748	2920	DEM4B91.exe	40
PID 2920 wrote to memory of 1748	2920	DEM4B91.exe	40

C:\Users\Admin\AppData\Local\Temp\2ec7f22dac6a4714414558667c0fcd0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ec7f22dac6a4714414558667c0fcd0d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\DEMF6DD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF6DD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\DEM4BDF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4BDF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\DEMA11F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA11F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\DEMF650.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF650.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1792
      - C:\Users\Admin\AppData\Local\Temp\DEM4B91.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4B91.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\DEMA0F1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA0F1.exe"
        7⤵
        Executes dropped EXE
        
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4BDF.exe

Filesize
14KB

MD5
f664da5f3f309296d8400db5d7871e2b

SHA1
2f6e29711f638a16cad11bac11a4be3b017748c1

SHA256
95befed73ac856299c65cac66047cb5951ae00a05422babaa412b28393c5216f

SHA512
aa54e522f501bcdf23d96b7d18c8abfcd240ba5fd598f41a8c4187a2bf6c9c6785a46b6410a9746a41d06adc8b327df9a0d9517fd6bd8cc6fddd2053fed1efd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA0F1.exe

Filesize
14KB

MD5
d1f1c393970ad82819fc527eac136d2c

SHA1
fc62fce893a9046607f58c49351f1960a0472b1b

SHA256
38c36f586d16454e3e89aee69bbf8a86ae9fa16da84c2fb9bc59f73d7a5f3ac8

SHA512
049f707e37d04cba88c99e6f8bc80ce9d1c52ab9c16ab910f1453cc63e8e91e1c21667f15446667108e758be3b3782a769e6b010cd39a467a3f614d5424bf997

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA11F.exe

Filesize
14KB

MD5
94d015e29268427cb169c3b5268728ce

SHA1
3ee976fafce3ed2b2f0ec10bf1e3c6f691771185

SHA256
1da34e15b5193201d55d54e89840fd175bb5ae8dbbc82ee8bdb59163b3d0cf00

SHA512
e241918d893996e95ee3c2c8cb7641524269280d72053e586a7f13665ce39a24486ad2870cf8508c3ae1248188285e5b6f11502542cf9fec80cd575bccf1973c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4B91.exe

Filesize
14KB

MD5
d25b8df6e5247fd27aa7b8212e8e4c62

SHA1
8093dc2c856013844fdef4b5ba048cbbafaee9e9

SHA256
6c487aeeb98868a015764543d6eeed46c0c1324a0d96118bbf92b83c3bfa6ce0

SHA512
085ca958cee82cb37641c6b04fef26f9569f203526c24f0f3282fbd30de36c62b9b8f558a0c7f2c1a5b91a7427cb3e396b580df9188bb0e01545e4f0e96fdfbb

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF650.exe

Filesize
14KB

MD5
802c94e6d15fcde82adad190864729be

SHA1
d33f520619123387c70b81480bce38292c24b307

SHA256
726fd7b2c023753d50056bf5b18e8cadc0cba0a617e75e2cdd9f91efc5f7df2f

SHA512
1850b8836faaf5b17999dd428ec9de928c830526461b8a06735994157e77f8f15177a18d63121cbceda5fb8ea72f1180ac18f5d52a8d808f5e3adcf85afee8d9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF6DD.exe

Filesize
14KB

MD5
04486a0ad92242bb70119c659958ec18

SHA1
6827d5f2c6dfdc731dfd6ca25839451c96d3b698

SHA256
3ac5da4107a876c3046162683dc852bd5a6ecf423ac0b165904a47b399aeb950

SHA512
93e0862debb9da4288b7f22107b16c3c80e20a8c8b0fe80902822a4315a8be5b82c78b562c47c8dff5ce94409196d236841637de817634d1e74f6db92d0f098c

Download Submit

Analysis

Sharing