2af36b97612a632f07cdf97ee354284ed6e3c7320da2642b849c6c36e687b16d

General

Target

33a54102b283d365c75663f3a09b6138_JaffaCakes118.exe
Size

14KB
MD5

33a54102b283d365c75663f3a09b6138
SHA1

cec708bea305e352613f44797c22542de8d1e098
SHA256

2af36b97612a632f07cdf97ee354284ed6e3c7320da2642b849c6c36e687b16d
SHA512

84ab110bf4ef42302e8a4c3090dffe23151c396f4184c1406aa546070982607c542eb0857118706c01bcee0ac949aed9dca48c60bd1deda8be541ed7ef8819ac
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlk:hDXWipuE+K3/SSHgxmlk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2816	DEM4173.exe
2776	DEM96A4.exe
3060	DEMEC04.exe
1980	DEM422F.exe
900	DEM977F.exe
1256	DEMECFE.exe

Loads dropped DLL 6 IoCs

pid	Process
2536	33a54102b283d365c75663f3a09b6138_JaffaCakes118.exe
2816	DEM4173.exe
2776	DEM96A4.exe
3060	DEMEC04.exe
1980	DEM422F.exe
900	DEM977F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2816	2536	33a54102b283d365c75663f3a09b6138_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2816	2536	33a54102b283d365c75663f3a09b6138_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2816	2536	33a54102b283d365c75663f3a09b6138_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2816	2536	33a54102b283d365c75663f3a09b6138_JaffaCakes118.exe	30
PID 2816 wrote to memory of 2776	2816	DEM4173.exe	32
PID 2816 wrote to memory of 2776	2816	DEM4173.exe	32
PID 2816 wrote to memory of 2776	2816	DEM4173.exe	32
PID 2816 wrote to memory of 2776	2816	DEM4173.exe	32
PID 2776 wrote to memory of 3060	2776	DEM96A4.exe	34
PID 2776 wrote to memory of 3060	2776	DEM96A4.exe	34
PID 2776 wrote to memory of 3060	2776	DEM96A4.exe	34
PID 2776 wrote to memory of 3060	2776	DEM96A4.exe	34
PID 3060 wrote to memory of 1980	3060	DEMEC04.exe	36
PID 3060 wrote to memory of 1980	3060	DEMEC04.exe	36
PID 3060 wrote to memory of 1980	3060	DEMEC04.exe	36
PID 3060 wrote to memory of 1980	3060	DEMEC04.exe	36
PID 1980 wrote to memory of 900	1980	DEM422F.exe	38
PID 1980 wrote to memory of 900	1980	DEM422F.exe	38
PID 1980 wrote to memory of 900	1980	DEM422F.exe	38
PID 1980 wrote to memory of 900	1980	DEM422F.exe	38
PID 900 wrote to memory of 1256	900	DEM977F.exe	40
PID 900 wrote to memory of 1256	900	DEM977F.exe	40
PID 900 wrote to memory of 1256	900	DEM977F.exe	40
PID 900 wrote to memory of 1256	900	DEM977F.exe	40

C:\Users\Admin\AppData\Local\Temp\33a54102b283d365c75663f3a09b6138_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33a54102b283d365c75663f3a09b6138_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\DEM4173.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4173.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\DEM96A4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM96A4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\DEMEC04.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEC04.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\DEM422F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM422F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Users\Admin\AppData\Local\Temp\DEM977F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM977F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\DEMECFE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMECFE.exe"
        7⤵
        Executes dropped EXE
        
        PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM96A4.exe

Filesize
14KB

MD5
2f967ef23ba4cd5af89bfaf6b4a86dd3

SHA1
9820c68a4b2fcb53fe447805779fdbf6383a57d6

SHA256
f327c6117d0b758d0a59ae7ca72bf6f413fb5217bdb2e5e0c12de5fc6b44d229

SHA512
9479eac7a5513d48b38c2e8c4f64791af716bb58de0c8ec62b0fe9e0d78f1e41892ae235d16c08bd902116b8f69b63da4bbd764ae09067559f13c9dd8786c323

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEC04.exe

Filesize
14KB

MD5
936e6ebc2b2b69a3cca75860a01e9e29

SHA1
8f9495488a0bc2b61be4662a1e054e67a553e39e

SHA256
e7930fc5acd924f8022664bd55f806167c329e644e903b462371b747855093c9

SHA512
0d822537c3b72dc6bb1d0bbb4274da274b627305c0127ba7795bb5c3efdc071deab556c020bc287f1ceb72e74ddad4a3ebf49b5590c55c41b276e28dfa273d34

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4173.exe

Filesize
14KB

MD5
60b93fa22d0265a0c2f9bd888f4c3e5d

SHA1
a2b4fdb3b12719b2a8153119e86db54c2fdc7a93

SHA256
f463f60fe293165fd9673be3c1330ee4dce43f92245dfd0098e2f61fae45634b

SHA512
6f4d04ed7f4fec9238f62cea02a93c0ec490ed24a36feaf28aa49ec8586768976840b2d7b184d38195b06e9bf8ad821710ddf95cc3b9323653fe1594e87bf037

Download Submit
\Users\Admin\AppData\Local\Temp\DEM422F.exe

Filesize
14KB

MD5
0585412c0b955d70e93bdb9a59f68e78

SHA1
580ac2930ca07274fc81e34f549eca0663e27962

SHA256
819acdf23c0c3f2e3ca58c82a7e4d1d9766d8b5367d148d70a1dc80ced4a12dd

SHA512
12a37f37e09a9be0aa0d9e8a0137c430ea6bfdfb17eb565bbaf328d8b104f97d796a2559aa777d18d77abe0867d95405d06a5f9bf0062d1763f222b8e7976f4b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM977F.exe

Filesize
14KB

MD5
a237fee05a70febd403c85bd549e0ef8

SHA1
d7b8bf4f5a34570737f6aef1de9b8be94611a023

SHA256
d8c6f02fbf2d5a005ff87c76a351c150c400032bf412908d393d471fcff0027b

SHA512
41b54141219b93a4486adf95573c1d93f1b8bb9c3e06ba48e20d31a5b1b38dcbb8aa15354e216bb5c85f6b2e2f24ad400ad6587f7eb2b9052ca1d96a7d86f1b3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMECFE.exe

Filesize
14KB

MD5
2bc98c67bde7b750114bb636db9be2c9

SHA1
3809788374700e19aafef4ea944b2560126ad1b0

SHA256
f750f4d4ad517ccecbe0bd0d853fc91ea5db00fc1e35967daa06ca62033bcaea

SHA512
54cef7fba8fb21900073af1c4bf38368f460081800fc51e9c006ee28c11414194c9d8322decb0dde9588b49bc97e77c1c0200b2257e21b48922f6526e0cdc921

Download Submit

Analysis

Sharing