4e5cc11d9e9f1c0b3b31fd6cbc62b8343d7a08bbbaf741ca7d06328c94b1f639

General

Target

3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe
Size

14KB
MD5

3f94514c101fbbd6c5e48627c1fec6ba
SHA1

8d6fa8f2874188f56b7760e11e44118504212e02
SHA256

4e5cc11d9e9f1c0b3b31fd6cbc62b8343d7a08bbbaf741ca7d06328c94b1f639
SHA512

0c0078e80b6624e22c0533bcd381dd044f73d93b655d3251b6d5c30681754c687e60b73082c13d68f95ea35fe381c6fd960b8c3c68fc31349876345e25fc9a1e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJGD:hDXWipuE+K3/SSHgxmwD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2752	DEM1842.exe
2732	DEM6D73.exe
1776	DEMC275.exe
2880	DEM17A6.exe
1668	DEM6CB7.exe
536	DEMC1F8.exe

Loads dropped DLL 6 IoCs

pid	Process
2364	3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe
2752	DEM1842.exe
2732	DEM6D73.exe
1776	DEMC275.exe
2880	DEM17A6.exe
1668	DEM6CB7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2752	2364	3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2752	2364	3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2752	2364	3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2752	2364	3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2732	2752	DEM1842.exe	33
PID 2752 wrote to memory of 2732	2752	DEM1842.exe	33
PID 2752 wrote to memory of 2732	2752	DEM1842.exe	33
PID 2752 wrote to memory of 2732	2752	DEM1842.exe	33
PID 2732 wrote to memory of 1776	2732	DEM6D73.exe	35
PID 2732 wrote to memory of 1776	2732	DEM6D73.exe	35
PID 2732 wrote to memory of 1776	2732	DEM6D73.exe	35
PID 2732 wrote to memory of 1776	2732	DEM6D73.exe	35
PID 1776 wrote to memory of 2880	1776	DEMC275.exe	37
PID 1776 wrote to memory of 2880	1776	DEMC275.exe	37
PID 1776 wrote to memory of 2880	1776	DEMC275.exe	37
PID 1776 wrote to memory of 2880	1776	DEMC275.exe	37
PID 2880 wrote to memory of 1668	2880	DEM17A6.exe	39
PID 2880 wrote to memory of 1668	2880	DEM17A6.exe	39
PID 2880 wrote to memory of 1668	2880	DEM17A6.exe	39
PID 2880 wrote to memory of 1668	2880	DEM17A6.exe	39
PID 1668 wrote to memory of 536	1668	DEM6CB7.exe	41
PID 1668 wrote to memory of 536	1668	DEM6CB7.exe	41
PID 1668 wrote to memory of 536	1668	DEM6CB7.exe	41
PID 1668 wrote to memory of 536	1668	DEM6CB7.exe	41

C:\Users\Admin\AppData\Local\Temp\3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\DEM1842.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1842.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\DEM6D73.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6D73.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\DEMC275.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC275.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\DEM17A6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM17A6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\DEM6CB7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6CB7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\DEMC1F8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC1F8.exe"
        7⤵
        Executes dropped EXE
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM17A6.exe

Filesize
14KB

MD5
b1a8a16f62580197310abff4dd6977c0

SHA1
dfe1b6d6c2b5b31f0d7f4ae400d0a5e504229962

SHA256
2b3e140c80efcd8526c9530ae9d2e160ab42d5fd6fc2bf70cfec1bac5390c4dd

SHA512
a7f0975d8ce89efc6696ba6f0d280ea6167421d2daaf8256967c79502e88965586ec97308b3597ee47efdf5b4c721c433772c0847176e4a8e58a31a76a3b8c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6D73.exe

Filesize
14KB

MD5
a7e3e641aeb43d27c562950445c5bf6b

SHA1
c6f74adea2e6554abf5f4bf6c56215fede3612fd

SHA256
9f3ad8bd747d7f8ebe77076c1c79aeb6fb9aab2920497c86843d2363298db43b

SHA512
647aa66728eada3724e80d63052dfb279154f2d2515c9f7f8c2e4caa79e5f9255a7d5e495c29a11b1152a8bd66f6ea93d463238ea1a06c060c9480af9d66bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC275.exe

Filesize
14KB

MD5
c6f7b20e93de2f33f2388b78c74acdb5

SHA1
9fde5ce3ad767b16ad4de9c3890db6412e4d1c07

SHA256
4f7a91ba0619368a1c183b76abc8ed1852b3a03b09169a99b3843d4d7f99a5f8

SHA512
8a41f3b78d6509096ffc0c5226a63f55096e44159a0a8768de869998eb1f157d600c8d54c13670783788b6fedb5bd5b798515931b94cab9c11b76e19ff55ad07

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1842.exe

Filesize
14KB

MD5
79c88c5437c04ed2e9abab4ff6a1a479

SHA1
220533c97e97d883ea42b9d334db38daf5cf36c8

SHA256
b22688eb4611bd646c24ba6dadcd49806f5f355b08fdc2da309ba6a3d159b058

SHA512
559d598343650b7537c89bb03df6030419b774c1cf895a9e2dd23e156c0db78f728638d19db1421ea187f948c4437d74057a6c8a749cef59894c62d2bd9d10a9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6CB7.exe

Filesize
14KB

MD5
30d93c5de411bdf77d5694e363b37e18

SHA1
979252f8ab7073ff37e75ed62ed9b2c6b7129ffc

SHA256
c1407839903aa871be0038cc9d652ab6cb412889cd360989708295584383fd4e

SHA512
23bb44e276f4c339624babd9e3fc45645a8763a03ee00298bd27c4dc7addc2d80fea07af610eafe093e5da44eb1437a87f2a0c95cbc93b973d6fefaf278fc34f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC1F8.exe

Filesize
14KB

MD5
0c3a67caf99c901e6d389f005ee63d00

SHA1
44396c90e3d324fcc74e7a310f723ece4b72b7d2

SHA256
005540ab6ca78812d789063850822272f6d6d83a9063a0e188f1326674e63bed

SHA512
417c3c99f52ade9429bb743ba0f95bf07c87615aa16fd4d51a828d4efc50ba107e7227198b2b6cd4e164800a679cb8ce415e2832bc252aac44d0b549cae8fd32

Download Submit

Analysis

Sharing