28dfb8ab52d6227622e6e3100d824cf1db0d025f73b9f412e41039f4cb87b4a4

General

Target

3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe
Size

14KB
MD5

3b888ddf6ec5dc8e648f32b51937629e
SHA1

0b34813b3d2753ea948ebd4da1af8c51a5a6ec34
SHA256

28dfb8ab52d6227622e6e3100d824cf1db0d025f73b9f412e41039f4cb87b4a4
SHA512

0e2a5765bf18e9090b3fb50050f81a3b9decdd7af8140b6be9c9190dc977113a54303bc538c74635ca150672444f7c325e7130451154185b3e194936a3876768
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhT3:hDXWipuE+K3/SSHgxN3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2632	DEM4FD5.exe
2544	DEMA583.exe
1044	DEMFB11.exe
2828	DEM5061.exe
3032	DEMA563.exe
1460	DEMFB7E.exe

Loads dropped DLL 6 IoCs

pid	Process
2824	3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe
2632	DEM4FD5.exe
2544	DEMA583.exe
1044	DEMFB11.exe
2828	DEM5061.exe
3032	DEMA563.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2632	2824	3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2632	2824	3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2632	2824	3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2632	2824	3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2544	2632	DEM4FD5.exe	33
PID 2632 wrote to memory of 2544	2632	DEM4FD5.exe	33
PID 2632 wrote to memory of 2544	2632	DEM4FD5.exe	33
PID 2632 wrote to memory of 2544	2632	DEM4FD5.exe	33
PID 2544 wrote to memory of 1044	2544	DEMA583.exe	35
PID 2544 wrote to memory of 1044	2544	DEMA583.exe	35
PID 2544 wrote to memory of 1044	2544	DEMA583.exe	35
PID 2544 wrote to memory of 1044	2544	DEMA583.exe	35
PID 1044 wrote to memory of 2828	1044	DEMFB11.exe	37
PID 1044 wrote to memory of 2828	1044	DEMFB11.exe	37
PID 1044 wrote to memory of 2828	1044	DEMFB11.exe	37
PID 1044 wrote to memory of 2828	1044	DEMFB11.exe	37
PID 2828 wrote to memory of 3032	2828	DEM5061.exe	39
PID 2828 wrote to memory of 3032	2828	DEM5061.exe	39
PID 2828 wrote to memory of 3032	2828	DEM5061.exe	39
PID 2828 wrote to memory of 3032	2828	DEM5061.exe	39
PID 3032 wrote to memory of 1460	3032	DEMA563.exe	41
PID 3032 wrote to memory of 1460	3032	DEMA563.exe	41
PID 3032 wrote to memory of 1460	3032	DEMA563.exe	41
PID 3032 wrote to memory of 1460	3032	DEMA563.exe	41

C:\Users\Admin\AppData\Local\Temp\3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\DEM4FD5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4FD5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\DEMA583.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA583.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\DEMFB11.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFB11.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\DEM5061.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5061.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\DEMA563.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA563.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\DEMFB7E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFB7E.exe"
        7⤵
        Executes dropped EXE
        
        PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA583.exe

Filesize
14KB

MD5
5d4c20c82b6ccd047db1439113a78ee9

SHA1
ae047ad0881ca9c605b10e08932b7ceeef4a2de9

SHA256
8f0d81259308f637549da1b9181aefe7e2b82dd41c905958c6922838a61686a7

SHA512
5f9dad4ecb8aec9cb8c26a8f99463aae171d2fc749f4687b8c81991720db53d0a5a350c2e02ac9e443cd18e1235e31fca88f231d96505a24c3e03fb7421ae240

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4FD5.exe

Filesize
14KB

MD5
6143310c173647bc1d35f73bed63fbad

SHA1
89e454e106c9dad257cedc9b1b3ab722b468c590

SHA256
506c28b15c62dd0b36ac5fd1c55ba697c97227e30c3e01a30702370b9e151e7c

SHA512
c87cfee775262585d9342c434ea55d9737fb319b535cf1632e63ee3bf0acbebb5f2ce5757e5936822695ba9b731cd82c242f5848b46bbd0c3dbcb9ac53d07aaf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5061.exe

Filesize
14KB

MD5
96273f87843668843ae9205a6ef59ebd

SHA1
c1c64cd463dccdc80e2a0cc7d36d407f67784d41

SHA256
d62e5f9ffe76bf7753319cc56bc48374010e2a1215069d7092bc1ee3d00d0517

SHA512
f704fb77a4adab76a8201c1df53ff37ba99e34ff9e938d57b50a1a5eb3eb40433582e9cbb304ac74eb1066e5a48a2492cc6351c968a540295c2274e848db3395

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA563.exe

Filesize
14KB

MD5
a08310b7c6ae83cafc535daeb11c274c

SHA1
0e4faad34df3089f377e5507d3d658373533ef01

SHA256
b0eec99ca16706917079961c7b6f61101394f68e998ed0f3e597036a3c4b152a

SHA512
79d1641b8c44fc98d852a3842ec96971615eeeb48cd873081f57564f2fa8faa8a916e3b3e1b3a6db4bc67ded88e4b111cf0590c35d8f199ab0cf8d336c9ad59a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFB11.exe

Filesize
14KB

MD5
1ee2d6ff58b542132a2301c56de53caa

SHA1
344a8a210a93f54ccebad25eb8eeb720472bafeb

SHA256
31c3e51bf6ef18eebc4b4d867ff5774a9d5b69e658682d4acc6d036dc9b4fdac

SHA512
fb7ec6f1b6831b4e2a5050d5c4e3742430ed9ad73e61d633cd1183f5d11bcdb3525585bc8f621e8cf9594444ce7560f5c4d74cd136f7a9d4b35162bedfa62f57

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFB7E.exe

Filesize
14KB

MD5
59aee7d5441c11885f7a9e2fac33b035

SHA1
fcf952013e620d0b3d40fd1b7f386d9762dd8391

SHA256
9bcce6af1cdae98b866eef9fdfd916cccbde1c67c8f3fb0b56d6354929eb6f97

SHA512
7d7298756d0d79cdadd7adec19465fbbd4ab08015cecb9b4cbf493e0acdf12562b048e5dfc64eb1c875977aea0fbfbda9294b007b04daf2e671f26c3180ecdbc

Download Submit

Analysis

Sharing