52f996b3921589209fe2be0ee13e5b54823732bc18b03285e5eaf9b231e9f0d4

General

Target

37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe
Size

14KB
MD5

37bc1ced5a42019420b7c9688785457c
SHA1

df03f5f489db503b2a87e9da2cb4e844a6f94ffa
SHA256

52f996b3921589209fe2be0ee13e5b54823732bc18b03285e5eaf9b231e9f0d4
SHA512

59aeff12f71227a384d778d9787878cbf6719e9d44b53956401cd9055b41b208cfa0c591b276b15789476a2debbe2a1346188da09271ac4394ed17352e626930
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhT:hDXWipuE+K3/SSHgx5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2412	DEMD21E.exe
2620	DEM275E.exe
2608	DEM7CFD.exe
1544	DEMD27C.exe
1812	DEM27EB.exe
2844	DEM7D4B.exe

Loads dropped DLL 6 IoCs

pid	Process
2552	37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe
2412	DEMD21E.exe
2620	DEM275E.exe
2608	DEM7CFD.exe
1544	DEMD27C.exe
1812	DEM27EB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2412	2552	37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2412	2552	37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2412	2552	37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2412	2552	37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2620	2412	DEMD21E.exe	34
PID 2412 wrote to memory of 2620	2412	DEMD21E.exe	34
PID 2412 wrote to memory of 2620	2412	DEMD21E.exe	34
PID 2412 wrote to memory of 2620	2412	DEMD21E.exe	34
PID 2620 wrote to memory of 2608	2620	DEM275E.exe	36
PID 2620 wrote to memory of 2608	2620	DEM275E.exe	36
PID 2620 wrote to memory of 2608	2620	DEM275E.exe	36
PID 2620 wrote to memory of 2608	2620	DEM275E.exe	36
PID 2608 wrote to memory of 1544	2608	DEM7CFD.exe	38
PID 2608 wrote to memory of 1544	2608	DEM7CFD.exe	38
PID 2608 wrote to memory of 1544	2608	DEM7CFD.exe	38
PID 2608 wrote to memory of 1544	2608	DEM7CFD.exe	38
PID 1544 wrote to memory of 1812	1544	DEMD27C.exe	40
PID 1544 wrote to memory of 1812	1544	DEMD27C.exe	40
PID 1544 wrote to memory of 1812	1544	DEMD27C.exe	40
PID 1544 wrote to memory of 1812	1544	DEMD27C.exe	40
PID 1812 wrote to memory of 2844	1812	DEM27EB.exe	42
PID 1812 wrote to memory of 2844	1812	DEM27EB.exe	42
PID 1812 wrote to memory of 2844	1812	DEM27EB.exe	42
PID 1812 wrote to memory of 2844	1812	DEM27EB.exe	42

C:\Users\Admin\AppData\Local\Temp\37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\DEMD21E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD21E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\DEM275E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM275E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\DEM7CFD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7CFD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\DEMD27C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD27C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Users\Admin\AppData\Local\Temp\DEM27EB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM27EB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\DEM7D4B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7D4B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM275E.exe

Filesize
14KB

MD5
490f8dfa332745d1dfb7367e5cf46b91

SHA1
dd634b7052e8758d2d87d98639a89163d4b15330

SHA256
6a1f9eda5330fdf03cc6014040ca7dac191fce781e806b3df610990091b5ec58

SHA512
994d5b6c518b4def7047db24ff158de470147dc4f83d423792adeaef0724d4f0384c42a794e654365179be55ed6f36be65ca67e0a4a6b067cfd17e22ee464456

Download Submit
\Users\Admin\AppData\Local\Temp\DEM27EB.exe

Filesize
14KB

MD5
00c5c0d10c4b0509a56b5a93c2e85aec

SHA1
3f3bc0b36369118d3fd2c7c9f6352aff091035da

SHA256
a36a1fed2906a28752af4243d4c24d9ff342d37401f7d045cd385bd2a146281d

SHA512
c28012ec06dcc8632df143d3f8d24c271d593a636b03bbd510cb95b107b80c4b15dadc00b122d2123a5a0cfa450f9b8ce8a09b19204d08a8b069c046c7bbf965

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7CFD.exe

Filesize
14KB

MD5
eab4084d1ac37f57b327accd7cb2de99

SHA1
3b6e4e49b828232324ec8bf8abb49f714655747b

SHA256
af67e585404fda199d1322b4fb02cb5c7e1779d848cd90f257e64f542bf5c411

SHA512
2c6c08da3062c3a60f868da8106ddf99efc9847029934121fcadc6b483baad1637d74de4bd32f8fc8048d5bd8d68b3aa98dfaba813eca80339cfd2175eae37b8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7D4B.exe

Filesize
14KB

MD5
3802530792578a361f23dfee6ddfb5e0

SHA1
a4e29965306c723b7f9b37f402395da984e1fad7

SHA256
358d221f0b52c6cbcdbb3fd14381560be2ff1d279b30d23daaefdc6a9f70fa88

SHA512
961c9603fd865256c1d14e434f45f8503d86513559776196f55fd418dabc4701c3fc9d5d281ed478d7868f8a6172d574f2951cc398783741e96972831b8489be

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD21E.exe

Filesize
14KB

MD5
ede286f4f789c44aef56a9793cf999d2

SHA1
16310e6c6bf438cb6dbd3d81ac059b892b696e9e

SHA256
9d5d5ac9c3c183c85c48864784df203d63c0d7c6affdd4ded398f67a62c3760f

SHA512
63d368b011f6ca8ecf8e5db3fee5e50947cf293aedda3f3460263e5518543a71b636a184814c6ffa568b60dbc66d4d176d58f9cfea1cb8f1ba1ac402aebb4750

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD27C.exe

Filesize
14KB

MD5
81d48e445443d9c104a29b3984ba86e8

SHA1
5b42df772cf8e88482455a9879c243e45455c0ca

SHA256
24cecec572ec77efeb23f02bc9f2ef15d1d1e9d522a86d93c291cfcf5fba4cd4

SHA512
50da6e3478eb68e21441133b91b46fd8bcc1db90ff1eda9a60c55d465869b1ea94ec40e8ad0827434de8245597d9bd32a2b9c87b715dc5ff8859d1c207910225

Download Submit

Analysis

Sharing