4c25447b768f8569e5f3651841f5cd1d9e60a88ea2c499256eee86ef7333d61f

General

Target

3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe
Size

15KB
MD5

3cf247671286280afaeead77b0bb1cd2
SHA1

85dda666303773e5cec415886a45a5ef565e897b
SHA256

4c25447b768f8569e5f3651841f5cd1d9e60a88ea2c499256eee86ef7333d61f
SHA512

d43a6108516e3a93aeaf91110150d59b59904c5a7a6643e778ec8c8883c6ae9e9808cf877416ffd5af6df26976fcdc761f4eec2744ac069544ca9128f82a34ad
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYln:hDXWipuE+K3/SSHgxmln

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2800	DEM733D.exe
772	DEMC88D.exe
2596	DEM1DCD.exe
2488	DEM72EF.exe
1364	DEMC810.exe
1628	DEM1D41.exe

Loads dropped DLL 6 IoCs

pid	Process
2852	3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe
2800	DEM733D.exe
772	DEMC88D.exe
2596	DEM1DCD.exe
2488	DEM72EF.exe
1364	DEMC810.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2800	2852	3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2800	2852	3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2800	2852	3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2800	2852	3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe	31
PID 2800 wrote to memory of 772	2800	DEM733D.exe	34
PID 2800 wrote to memory of 772	2800	DEM733D.exe	34
PID 2800 wrote to memory of 772	2800	DEM733D.exe	34
PID 2800 wrote to memory of 772	2800	DEM733D.exe	34
PID 772 wrote to memory of 2596	772	DEMC88D.exe	36
PID 772 wrote to memory of 2596	772	DEMC88D.exe	36
PID 772 wrote to memory of 2596	772	DEMC88D.exe	36
PID 772 wrote to memory of 2596	772	DEMC88D.exe	36
PID 2596 wrote to memory of 2488	2596	DEM1DCD.exe	38
PID 2596 wrote to memory of 2488	2596	DEM1DCD.exe	38
PID 2596 wrote to memory of 2488	2596	DEM1DCD.exe	38
PID 2596 wrote to memory of 2488	2596	DEM1DCD.exe	38
PID 2488 wrote to memory of 1364	2488	DEM72EF.exe	40
PID 2488 wrote to memory of 1364	2488	DEM72EF.exe	40
PID 2488 wrote to memory of 1364	2488	DEM72EF.exe	40
PID 2488 wrote to memory of 1364	2488	DEM72EF.exe	40
PID 1364 wrote to memory of 1628	1364	DEMC810.exe	42
PID 1364 wrote to memory of 1628	1364	DEMC810.exe	42
PID 1364 wrote to memory of 1628	1364	DEMC810.exe	42
PID 1364 wrote to memory of 1628	1364	DEMC810.exe	42

C:\Users\Admin\AppData\Local\Temp\3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\DEM733D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM733D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\DEMC88D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC88D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Users\Admin\AppData\Local\Temp\DEM1DCD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1DCD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\DEM72EF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM72EF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Users\Admin\AppData\Local\Temp\DEMC810.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC810.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\DEM1D41.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1D41.exe"
        7⤵
        Executes dropped EXE
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1DCD.exe

Filesize
15KB

MD5
620d0de44417bcf32114ef7d211089ba

SHA1
1785b9cfd884965bdfc9acd68fc03b3da90efbcc

SHA256
95b969f06670207b64cba0d4dca6120c72fe1ae8ed1a9cdfa336be20cf74b4d1

SHA512
171f8d3d17f16bf232b08d5fe2a705189afb28d5b72072334f2c86de8f53440572d99a3ca309cc8c710e5c9b2249b5ff7bbd716e47d00a4584d9cb1785ac6627

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM72EF.exe

Filesize
15KB

MD5
9327a3912b023e2cdb17f5966489a507

SHA1
7347bfe47898803c313426c8ef1d67d51280dca3

SHA256
5a7c398a72de10909cc7ad24b920a18a43998e2e411a631624f90e7cc4288d2a

SHA512
95a65b688032531af99b45fa88b67d5a889feafcd5b31281e74ad4d0ddfdd0ba0619fa508db56a0335e33c7433d170396c42ba20158adb9fa9ba23aac8c94611

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC810.exe

Filesize
15KB

MD5
1336a9dee4678886f1c5a27677481d20

SHA1
ccd8ad03350960a4e44835de133380b21e571f51

SHA256
f17b87bb27b8fdf8a169639a0f59ade331c2a886d994ea9d5255acb5ed0480b8

SHA512
41afd691d334d9690c5a01c455134721a1b50dd5766d4f362519c8f5d537ce675e053b71cf81ef131cb370649a78176517c034f845dc11ed3fc93257ffe72eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC88D.exe

Filesize
15KB

MD5
0a75bc1aef4a282fc2b71c4222334af5

SHA1
0be8f5310cbbad8dfcee9f1e9518b7c77defe3b6

SHA256
4c9196ba774f0575d8781c7f9389af619c60837f079770531ef4fe71191c80f4

SHA512
1f12897957f9aa5f330b0ccc1b12e70a3da4b809c0e39690426f0e252f7507f9f30074da56933d0c25bb174d8927618fa1debbf5bcaffa7a058435fc245a4184

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1D41.exe

Filesize
15KB

MD5
9c72eab646dddf6942af9b8c92598636

SHA1
c1cee22155e27ae193a9f09241ec0c1e6d8e2f33

SHA256
028f4c17cee90654c063418165c1c195c23fc4ba4e1d796a77c8d7986db2662e

SHA512
fc3d9e5da08cac4216d2b22fe5f5c90be02b51844c2c3b9ff4874e6ff60862d1f149106c6fe632ddbdd17e7ca70cfbf323e193f2af9244932d5094a0a911c9d9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM733D.exe

Filesize
15KB

MD5
54ec9fa08f63b8e9ff2d2223e3d244d3

SHA1
26bd954f5751321c4f42f3269effeb49c1a877d7

SHA256
25d2766b4bd7272f485d0979d5079dd80680427b979f21289f7f20880da767e3

SHA512
5dd8daef606cad4d1ad461ba31f94a7eb604dba94e789fb3917242412ba65225e25de9f0d2907595ff2702308ffdda7bfd818ca270c6b649bb7663576247903d

Download Submit

Analysis

Sharing