7d7c0024d937fd9b3150ffb61116b3c1dfcd55a4835e40beff216bb4e134584f

General

Target

3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe
Size

14KB
MD5

3d074426b1e62deb53df423539bfb19e
SHA1

a789216a0888725858b04398ce5057669270816a
SHA256

7d7c0024d937fd9b3150ffb61116b3c1dfcd55a4835e40beff216bb4e134584f
SHA512

419c49ad0af62ee6265888b7494c3e9b0a355919ccf48d83f515f385d7b4cf8d248b5ea7a0d4f83088cc4819d6ad67e91c20895d0fed6c231c183ff19e409517
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvGg:hDXWipuE+K3/SSHgxlGg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2268	DEMB4DE.exe
2916	DEMA4D.exe
2684	DEM5F7E.exe
1676	DEMB4DF.exe
2016	DEMA1E.exe
2644	DEM5FCC.exe

Loads dropped DLL 6 IoCs

pid	Process
2076	3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe
2268	DEMB4DE.exe
2916	DEMA4D.exe
2684	DEM5F7E.exe
1676	DEMB4DF.exe
2016	DEMA1E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2268	2076	3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2268	2076	3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2268	2076	3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2268	2076	3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2916	2268	DEMB4DE.exe	34
PID 2268 wrote to memory of 2916	2268	DEMB4DE.exe	34
PID 2268 wrote to memory of 2916	2268	DEMB4DE.exe	34
PID 2268 wrote to memory of 2916	2268	DEMB4DE.exe	34
PID 2916 wrote to memory of 2684	2916	DEMA4D.exe	36
PID 2916 wrote to memory of 2684	2916	DEMA4D.exe	36
PID 2916 wrote to memory of 2684	2916	DEMA4D.exe	36
PID 2916 wrote to memory of 2684	2916	DEMA4D.exe	36
PID 2684 wrote to memory of 1676	2684	DEM5F7E.exe	38
PID 2684 wrote to memory of 1676	2684	DEM5F7E.exe	38
PID 2684 wrote to memory of 1676	2684	DEM5F7E.exe	38
PID 2684 wrote to memory of 1676	2684	DEM5F7E.exe	38
PID 1676 wrote to memory of 2016	1676	DEMB4DF.exe	40
PID 1676 wrote to memory of 2016	1676	DEMB4DF.exe	40
PID 1676 wrote to memory of 2016	1676	DEMB4DF.exe	40
PID 1676 wrote to memory of 2016	1676	DEMB4DF.exe	40
PID 2016 wrote to memory of 2644	2016	DEMA1E.exe	42
PID 2016 wrote to memory of 2644	2016	DEMA1E.exe	42
PID 2016 wrote to memory of 2644	2016	DEMA1E.exe	42
PID 2016 wrote to memory of 2644	2016	DEMA1E.exe	42

C:\Users\Admin\AppData\Local\Temp\3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\DEMB4DE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB4DE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\DEMA4D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA4D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\DEM5F7E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5F7E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\DEMB4DF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB4DF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\DEMA1E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA1E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\DEM5FCC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5FCC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA4D.exe

Filesize
14KB

MD5
5e0e853a785256fdc5b2c601d3737daa

SHA1
8901f64d123418a694c81ea97fea5f546c123615

SHA256
e12832b347bbd21fe11750ae13d21003c6396b81f200ff7e2b44639e70281160

SHA512
726abaf60a0312a296f151c38dc805a078b09f0d85073141526f368492588ec5bafd392312b1ebfbc636b46c60d1bbf88ced2d7edbae9256588b97d9526cf121

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB4DE.exe

Filesize
14KB

MD5
fe1c44a75086342295b8232c26857e57

SHA1
c5f632c27f0639efee5216c3fd57d87812de691f

SHA256
2d0078b09681ef4fa1386ae7409caf3da7edc140b0b43f0a54198a62c343449e

SHA512
47f85800fe74c576ee29fd84adac43291608c2f9d197767d48caf39e591c056a98be44b84925cdb47e826bec854fd9140ee437ff2b6be9a7aaf76e6b7fcf70c5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5F7E.exe

Filesize
14KB

MD5
44b5cc6a16c6df28e57a4cfe0d1be143

SHA1
d745a252ff4247f27833f04f0eaaac8f4e28aa87

SHA256
4363256d7334722ba25620cdfed3ee4a799f07d9447ff5f634d39220317b09b4

SHA512
053e17919e46ec25ecd1381bb7cf5e0872db1670d44dfdcdbffa9652ab03a0898d0f9c9e4420b1613bddafe8175bb7fbb87216cb25a3238fc9b782407705f198

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5FCC.exe

Filesize
14KB

MD5
8f9985feaf4cb60cdc42034165db5294

SHA1
b37b8c43c47e0349fb6f3434f202070b4463a285

SHA256
9e98c596dcec76cf564782e19b8d27a0f46ddc7b9d669940eca98066e41177a5

SHA512
53a78456f264d296ed5d6cc6169a74c38f10f3409926fdd6e60da5395c9f2ff25814482ac728e3e13d04c488efd693afa5261f0fe0c69dc30cbd6045c0da077a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA1E.exe

Filesize
14KB

MD5
9b8c36ad42aacbc6ec285f43f4dddda8

SHA1
8d8ea839d1951f60700e098d6b04d1a6d9e9617d

SHA256
dc9a32196de499ac93b7ad8b62733a802a3ba7275b711e809390da0362b19b4d

SHA512
093f9dcfd7a39a9594414e3c7192d82bdd19fbd689e370ded126b7384735f4b3b57789709a3936118d44f4bfb0372edbc166312173984d38cd149e18e8d86644

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB4DF.exe

Filesize
14KB

MD5
eb1dc009754010c672d41be94411be8a

SHA1
657b75c025f06e47eed057201a3b7407c7f06aad

SHA256
74e25ecb1c00e0ebc9da197eb231cb80907b21375f99378a1168680bdce82b5e

SHA512
ab841e76bec063f43b0746e5bc076c71be3daf42dc277b04d84e56c1681397b20ed4e1e2804d5f28c00d0f370fc5d8d88c0191ce02a2460069779a766846926d

Download Submit

Analysis

Sharing