88536141f176da07d5141f80357ebd99bf739c21b76129acce69de6e1a3ec50c

General

Target

34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe
Size

14KB
MD5

34dcf09c98326ca9d077f56c2552a916
SHA1

b529372da8a86eca44d29e6adc54b31ae3bdd4c8
SHA256

88536141f176da07d5141f80357ebd99bf739c21b76129acce69de6e1a3ec50c
SHA512

4a5fe167e47088b0fe58051bc8a3c53162f2da13ccd0c67a1f2e4a978c55372142d52d3ee9cbf8930eeff28ca5a3d1d5e559a9e931cfb489a7c0686d60fb68ae
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlI:hDXWipuE+K3/SSHgxmlI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2332	DEMFC0B.exe
2904	DEM51C8.exe
2616	DEMA757.exe
2088	DEMFD04.exe
2092	DEM52A3.exe
1300	DEMA8BD.exe

Loads dropped DLL 6 IoCs

pid	Process
2324	34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe
2332	DEMFC0B.exe
2904	DEM51C8.exe
2616	DEMA757.exe
2088	DEMFD04.exe
2092	DEM52A3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2332	2324	34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2332	2324	34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2332	2324	34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2332	2324	34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2904	2332	DEMFC0B.exe	34
PID 2332 wrote to memory of 2904	2332	DEMFC0B.exe	34
PID 2332 wrote to memory of 2904	2332	DEMFC0B.exe	34
PID 2332 wrote to memory of 2904	2332	DEMFC0B.exe	34
PID 2904 wrote to memory of 2616	2904	DEM51C8.exe	36
PID 2904 wrote to memory of 2616	2904	DEM51C8.exe	36
PID 2904 wrote to memory of 2616	2904	DEM51C8.exe	36
PID 2904 wrote to memory of 2616	2904	DEM51C8.exe	36
PID 2616 wrote to memory of 2088	2616	DEMA757.exe	38
PID 2616 wrote to memory of 2088	2616	DEMA757.exe	38
PID 2616 wrote to memory of 2088	2616	DEMA757.exe	38
PID 2616 wrote to memory of 2088	2616	DEMA757.exe	38
PID 2088 wrote to memory of 2092	2088	DEMFD04.exe	40
PID 2088 wrote to memory of 2092	2088	DEMFD04.exe	40
PID 2088 wrote to memory of 2092	2088	DEMFD04.exe	40
PID 2088 wrote to memory of 2092	2088	DEMFD04.exe	40
PID 2092 wrote to memory of 1300	2092	DEM52A3.exe	42
PID 2092 wrote to memory of 1300	2092	DEM52A3.exe	42
PID 2092 wrote to memory of 1300	2092	DEM52A3.exe	42
PID 2092 wrote to memory of 1300	2092	DEM52A3.exe	42

C:\Users\Admin\AppData\Local\Temp\34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\DEMFC0B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMFC0B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\DEM51C8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM51C8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\DEMA757.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA757.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\DEMFD04.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFD04.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Users\Admin\AppData\Local\Temp\DEM52A3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM52A3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\DEMA8BD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA8BD.exe"
        7⤵
        Executes dropped EXE
        
        PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM51C8.exe

Filesize
14KB

MD5
9e87385f25505e79d84cfc5f8eb0b37f

SHA1
b69143c1992f9055c1030cf6391a018afd27bd78

SHA256
2e9780cf9d4db0617d8125243be5a4c4d81e04557766c12efb16b24ebde67eec

SHA512
44ca8eba3d597904e0968f02a0f2c5dafdfa0cf93296ae2e2bf22362bd9eb1ee342d4a53feaaedb0b083ae6f0d0330f2c7618f169b320a8756a86fcf621eb596

Download Submit
\Users\Admin\AppData\Local\Temp\DEM52A3.exe

Filesize
14KB

MD5
ea53c18ad72d6408e931fefc29dc65c5

SHA1
713b8739acc9cf20f3c9a36d271c744494b74667

SHA256
6e39855b7732a196a2b4e2e7e75acbf6ae0aa6c6c775855c0b74e3fdc7e14065

SHA512
e0d88c0a87fb83b9f52ae06429b86721201a54d84b6d5a1e7bd9615a1f94dc815967b196e38608e7ed990b5251903c970b655a739d7405701e37315c542ddd90

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA757.exe

Filesize
14KB

MD5
21a26fbe7d5f1e457f4a37046a47cf86

SHA1
830da58b775d6a0ec16a30ea61f73ca107c4d0ba

SHA256
7b8cb1d7dd64501d916e570986cdde471ddf9ee8e6bf3ef5a09b5c4fa3a8f473

SHA512
d3bc58cc8e50b7ac1b4fb471f0638552525dc02b3485acedfa81f70c1f9ddae452cc4bdf5e92d958180d38c14f206f8b7e4ef7c0736538d046957f6ebeaf34f1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA8BD.exe

Filesize
14KB

MD5
394885fdc585641971f946f507a79cc7

SHA1
394293485f658a4403fec195c0b16cd621734c4c

SHA256
542d84e896c2027d86407c1956df517ab05324528967c7a289d3c36c4a982655

SHA512
4029776e0746d1708079ac2c2ca93169710dd8d515795a19e12591ab759549d8d06106a5a051c30893a3a79bbf3538e2f07052c74520c1b527fb10d3569dab89

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFC0B.exe

Filesize
14KB

MD5
b9f7444171c2c70c72724304f91d896e

SHA1
ab077f1db28f9cc8d8b44ee09d6a8058d109766f

SHA256
00e854f20a2315b6e2be9e13bd5301bb67800b78bc3d0abb89b4a479dd4fef90

SHA512
f3004e5dadc9925022d5c9664651b779c071a7d87f2bd689a3cd791bc01d20c06f6a1435d1b7364f963d2ef6267c7c996970373742089cece5009f8807053d76

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFD04.exe

Filesize
14KB

MD5
5e669e3c93f657a6b61537b2249d4e78

SHA1
12348f6cb70c2b4bedc42b31b684b909dbdc5a87

SHA256
020b37161e678aaa4ab732ec25013451d1b0cfdca54b1a7bf53f0b9ab9e9d53c

SHA512
8dbf414ba813279710756a2f173f3a0068c6fbe8c2dcb8a0b22b9621ea6bc9e3ae73966542ebfd3565a3f55bd52b431726bc53955946dba2c59b7a643df64ae6

Download Submit

Analysis

Sharing