fa8bd7973c6d475b9d0059d08b188ca74c75ea99b2f9ca6d3f56edf8662d9565

General

Target

3957490d7c9f65597277d9bf2a6fefcd_JaffaCakes118.exe
Size

14KB
MD5

3957490d7c9f65597277d9bf2a6fefcd
SHA1

3bd21d5887a5b17ae4dc273016fff988e82aebd4
SHA256

fa8bd7973c6d475b9d0059d08b188ca74c75ea99b2f9ca6d3f56edf8662d9565
SHA512

5281fa6941e372a1b05db643311be64db5299199aaadab5b6144123174b5c8d1f8a109ad0e66765883d5e0ea829a2af24fe5760b027726a2dd9ad0a0f115ab94
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh97A:hDXWipuE+K3/SSHgxjc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2864	DEMBC7C.exe
2664	DEM11BC.exe
2704	DEM66DE.exe
684	DEMBC1E.exe
2400	DEM1130.exe
1920	DEM6671.exe

Loads dropped DLL 6 IoCs

pid	Process
2348	3957490d7c9f65597277d9bf2a6fefcd_JaffaCakes118.exe
2864	DEMBC7C.exe
2664	DEM11BC.exe
2704	DEM66DE.exe
684	DEMBC1E.exe
2400	DEM1130.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2864	2348	3957490d7c9f65597277d9bf2a6fefcd_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2864	2348	3957490d7c9f65597277d9bf2a6fefcd_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2864	2348	3957490d7c9f65597277d9bf2a6fefcd_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2864	2348	3957490d7c9f65597277d9bf2a6fefcd_JaffaCakes118.exe	31
PID 2864 wrote to memory of 2664	2864	DEMBC7C.exe	33
PID 2864 wrote to memory of 2664	2864	DEMBC7C.exe	33
PID 2864 wrote to memory of 2664	2864	DEMBC7C.exe	33
PID 2864 wrote to memory of 2664	2864	DEMBC7C.exe	33
PID 2664 wrote to memory of 2704	2664	DEM11BC.exe	35
PID 2664 wrote to memory of 2704	2664	DEM11BC.exe	35
PID 2664 wrote to memory of 2704	2664	DEM11BC.exe	35
PID 2664 wrote to memory of 2704	2664	DEM11BC.exe	35
PID 2704 wrote to memory of 684	2704	DEM66DE.exe	37
PID 2704 wrote to memory of 684	2704	DEM66DE.exe	37
PID 2704 wrote to memory of 684	2704	DEM66DE.exe	37
PID 2704 wrote to memory of 684	2704	DEM66DE.exe	37
PID 684 wrote to memory of 2400	684	DEMBC1E.exe	39
PID 684 wrote to memory of 2400	684	DEMBC1E.exe	39
PID 684 wrote to memory of 2400	684	DEMBC1E.exe	39
PID 684 wrote to memory of 2400	684	DEMBC1E.exe	39
PID 2400 wrote to memory of 1920	2400	DEM1130.exe	41
PID 2400 wrote to memory of 1920	2400	DEM1130.exe	41
PID 2400 wrote to memory of 1920	2400	DEM1130.exe	41
PID 2400 wrote to memory of 1920	2400	DEM1130.exe	41

C:\Users\Admin\AppData\Local\Temp\3957490d7c9f65597277d9bf2a6fefcd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3957490d7c9f65597277d9bf2a6fefcd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\DEMBC7C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBC7C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\DEM11BC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM11BC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\DEM66DE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM66DE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\DEMBC1E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC1E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Users\Admin\AppData\Local\Temp\DEM1130.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1130.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\DEM6671.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6671.exe"
        7⤵
        Executes dropped EXE
        
        PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM11BC.exe

Filesize
14KB

MD5
7cdb9ff1f871e61ede18eb91477369f4

SHA1
238d6227ba00eb94b82281161ee0d7d54142e544

SHA256
6a3ef7eb99cd888a77a21df2adcd01ba0e26834322c6a6617ee607fc1b179a46

SHA512
e0d805193be4ba1df53b3585c4085fa52ec12d5e890691f8a47b543f56a55fe5c254e34880fbecd6d91919aae18245124a36c13addba52be07be1b2420030ff3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1130.exe

Filesize
14KB

MD5
a31c0945cce824313b6adbccf4545dbb

SHA1
2fdbad0ccd6a1e6fb3cdd1aa6d73429982b382e0

SHA256
d6897fef98fcfed3b7ff9ffc6d7eb0453158fbda7443cc5e6750e86c4cc9968d

SHA512
d23dd0ce2a7e3f0c9f182d025c8219665a79587ddd686b50a0081e2ad5a5c48d568bf8018cb2d163dd885272cd343318e05a1e28db46c1ca2e9df44ff42b011f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6671.exe

Filesize
14KB

MD5
246eba53e7ae7e8ca725b46c8eff08a2

SHA1
da1bf837337f38684682715b8ea8dc1876c6a41b

SHA256
ae30fbb469cc23158d493e09f0b7cd9f949e1ee8977b18f0c0512436c6cec4db

SHA512
47760e7bd5cae356e0e81fc89c93c63ede2d5f7a0c0e864237a5e6317ca94cfa0e6c04ae6ea6dce5dad78b05e81bd61a07ed80802ab19aacf636b7e8b10eb372

Download Submit
\Users\Admin\AppData\Local\Temp\DEM66DE.exe

Filesize
14KB

MD5
1ad7be84f332474f83c4815cecc2cb53

SHA1
ada01ebca23c144eebe8e9fd1fa50bbe4c0fe505

SHA256
c40fb447999fe486d29d8762d9543ee11e8f042ec0270375386a8f8bc06c91aa

SHA512
adfbed83fb1aa2e3a6cfccee45892b404393ae55850ae191ea704e6a42abd422fcf1e8cf7e263decf63a6e1c5b1e2906b79ac56b16c4bd62cd5df05d07f803a8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC1E.exe

Filesize
14KB

MD5
bbc309ac8ffef4c608f83156a531b72e

SHA1
858238646d20027315bf7efe75413aed9a3c61b6

SHA256
19ffb05dee7b6675e5a6157906da89e87ee76172aa61b8d29dfa5e75a71df8a2

SHA512
d025812871927230b625b4e020c48d1c29ccb74e7207393646ced9106ce4bf86e4d4e769a14ffc44456bc4c7cee60afd5ad4c51c6f8e5b5f51afc1720dbcae3d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC7C.exe

Filesize
14KB

MD5
c277ed5da40713504b0fa1f2e2adc122

SHA1
02f253a08008faf2d1b910be43db445fff9da4c9

SHA256
83e49703810ac25de42f743da63c09b68306678b8f917c19752ca72a8dcb3f7c

SHA512
e20812928a3b14652a51f36dd92dd48066dd44fb654bc16b998eebc8768d1e1b4fa6376070f8b54fa8b856fc78aa5455cc21b3ce32d0506844bec7a1c7c8a2c7

Download Submit

Analysis

Sharing