5c0d3b8c26b55ea82e432bd5b125f5a0659f99fb459e77629a8a84c2c1a2de7e

General

Target

35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe
Size

14KB
MD5

35dd25c590ee4de5137c3b36a1af1c66
SHA1

bdc36e0effb2fe58c79be5be25117781d75850e4
SHA256

5c0d3b8c26b55ea82e432bd5b125f5a0659f99fb459e77629a8a84c2c1a2de7e
SHA512

f5231281046e94e73015172724935b4a9726d83ebfc531b23613b105dede4ac5e3bcaf8814f46907b74dfea32dfbbe1638dd0926ff3206f4e7e9dedb5c839b33
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlp:hDXWipuE+K3/SSHgxmlp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2152	DEM2166.exe
2592	DEM77EE.exe
2328	DEMCE47.exe
2788	DEM2462.exe
376	DEM7ABB.exe
2184	DEMD134.exe

Loads dropped DLL 6 IoCs

pid	Process
2220	35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe
2152	DEM2166.exe
2592	DEM77EE.exe
2328	DEMCE47.exe
2788	DEM2462.exe
376	DEM7ABB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2152	2220	35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2152	2220	35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2152	2220	35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2152	2220	35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2592	2152	DEM2166.exe	33
PID 2152 wrote to memory of 2592	2152	DEM2166.exe	33
PID 2152 wrote to memory of 2592	2152	DEM2166.exe	33
PID 2152 wrote to memory of 2592	2152	DEM2166.exe	33
PID 2592 wrote to memory of 2328	2592	DEM77EE.exe	35
PID 2592 wrote to memory of 2328	2592	DEM77EE.exe	35
PID 2592 wrote to memory of 2328	2592	DEM77EE.exe	35
PID 2592 wrote to memory of 2328	2592	DEM77EE.exe	35
PID 2328 wrote to memory of 2788	2328	DEMCE47.exe	37
PID 2328 wrote to memory of 2788	2328	DEMCE47.exe	37
PID 2328 wrote to memory of 2788	2328	DEMCE47.exe	37
PID 2328 wrote to memory of 2788	2328	DEMCE47.exe	37
PID 2788 wrote to memory of 376	2788	DEM2462.exe	39
PID 2788 wrote to memory of 376	2788	DEM2462.exe	39
PID 2788 wrote to memory of 376	2788	DEM2462.exe	39
PID 2788 wrote to memory of 376	2788	DEM2462.exe	39
PID 376 wrote to memory of 2184	376	DEM7ABB.exe	41
PID 376 wrote to memory of 2184	376	DEM7ABB.exe	41
PID 376 wrote to memory of 2184	376	DEM7ABB.exe	41
PID 376 wrote to memory of 2184	376	DEM7ABB.exe	41

C:\Users\Admin\AppData\Local\Temp\35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\DEM2166.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2166.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\DEM77EE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM77EE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\DEMCE47.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCE47.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\DEM2462.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2462.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\DEM7ABB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7ABB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\DEMD134.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD134.exe"
        7⤵
        Executes dropped EXE
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2166.exe

Filesize
14KB

MD5
ffa05d28a9d1b2a4a78e9746442f8761

SHA1
9839b055e33d0d1cb0f202d369ca9932c47f0fa0

SHA256
0c0f12aeec6cd22b3ff8e4f500e144f98efdb8da32c64798c5ad3fc37672bf4a

SHA512
e93a1a2266c43626395c128c4a28080b9f17766387210e7015467f51336fe60d954e21438ee1e8236911c30035e1155cec937ca9eb82d76d528bbb851ddd4a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77EE.exe

Filesize
14KB

MD5
54569c21f40b935dbbf5ae99639cca4a

SHA1
24b77e4b4f463c355304f8c46e2d59126c1e2f58

SHA256
2bd7bf0840632da4a8705bced37bc6242b8fc5795c5d7804aa0c2e16e4b50b9f

SHA512
9094a0ff6c7ae39f5b39bcd41a8237e5f3dfa46240de6529c3cf675d30f9893179d2856b319f1a3bbba171d132a9865e074f86d30cacc499a0b513ae9460b463

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2462.exe

Filesize
15KB

MD5
198e401cd8c7bac2efcca5406300a9f9

SHA1
5e2c47e2b52c33034992fbf146fbe5de9359cacf

SHA256
6a3c9f21a8ff6dc77973f5e39eb44c5d824366f08cb13ca10ef10a27a7fee3e1

SHA512
9a1f2bc2dffa7f68ee607d57ee5c28f8e9a02eca8292577bee574ef1a16a140bc6a2a7f9828a7022c92cddcb5ee74618859eb91e094124e9bf74b312f8bf1504

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7ABB.exe

Filesize
15KB

MD5
98a8ae57ae5b0fb482730adc59b62b65

SHA1
297b4137f2499d690f6e9181282008f1786881bc

SHA256
6ead4349fee3a73b574e2064c1d7ae47dd592e9013e4ec9b254a848ac408ba3b

SHA512
80d6d57ce569f9cb9c991d5586748654bf207cd9bd10042524b00417cf55771e7be2fff1371e698ed942fa519e543f5a64889cc8a3601d926dc8f47692e8e34d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCE47.exe

Filesize
14KB

MD5
977f9a28ce2f39fc34fc058c8bb6f922

SHA1
9340f59062c0b49055350a7a0b1cc911da426357

SHA256
cf5e66b6c4ced38cbc8fa15dd51e4351ec276c0790c02538a73b20c491b96fc1

SHA512
dd7d742b773269c00fa58259b656eaf9b4442c1e446004a33c7e19b8ff9ecc1c04946684a65a7bdbe89eb61042cdb1185fd75795c2f7c47d879f9eedd34af336

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD134.exe

Filesize
15KB

MD5
bb4f02ac7c28785f985bb5541a19ed7f

SHA1
59ca251e1c91229517a9fc75d35e4b3ab681b7db

SHA256
db9a3d15ca4011df15d8270baf07c81c292f0e38624a47d8bc3ee6aca174ddf2

SHA512
3a5fbd6adc3cad31cbeae8672424c25af11a4cfd020ff6a73a6fb7912e53dfa846d16d486c1eb512a357302c1ccc291da634f364c9bd1c376ef8d2e1620d13af

Download Submit

Analysis

Sharing