b2718d570befc61049085c53327d990f3b742b20f950f638e00cfc737ea7cb85

General

Target

41f409f7f853c198ee1a73acc64ca3e4_JaffaCakes118.exe
Size

14KB
MD5

41f409f7f853c198ee1a73acc64ca3e4
SHA1

f52355cd0479094c04cda4e06c4486b206ce4b5f
SHA256

b2718d570befc61049085c53327d990f3b742b20f950f638e00cfc737ea7cb85
SHA512

b3fc5c9349488302b0cd2ddc154128a9275703aa848c36aef593197214b67219b9b3e6e1c89ee7afe46f557d337a1e46b4a94b271f40eaf359176bf705ef4bec
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yho:hDXWipuE+K3/SSHgxW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1388	DEM9DB6.exe
2636	DEMF2D7.exe
2836	DEM47D9.exe
1216	DEM9D0A.exe
948	DEMF23B.exe
2560	DEM475D.exe

Loads dropped DLL 6 IoCs

pid	Process
2204	41f409f7f853c198ee1a73acc64ca3e4_JaffaCakes118.exe
1388	DEM9DB6.exe
2636	DEMF2D7.exe
2836	DEM47D9.exe
1216	DEM9D0A.exe
948	DEMF23B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1388	2204	41f409f7f853c198ee1a73acc64ca3e4_JaffaCakes118.exe	30
PID 2204 wrote to memory of 1388	2204	41f409f7f853c198ee1a73acc64ca3e4_JaffaCakes118.exe	30
PID 2204 wrote to memory of 1388	2204	41f409f7f853c198ee1a73acc64ca3e4_JaffaCakes118.exe	30
PID 2204 wrote to memory of 1388	2204	41f409f7f853c198ee1a73acc64ca3e4_JaffaCakes118.exe	30
PID 1388 wrote to memory of 2636	1388	DEM9DB6.exe	32
PID 1388 wrote to memory of 2636	1388	DEM9DB6.exe	32
PID 1388 wrote to memory of 2636	1388	DEM9DB6.exe	32
PID 1388 wrote to memory of 2636	1388	DEM9DB6.exe	32
PID 2636 wrote to memory of 2836	2636	DEMF2D7.exe	34
PID 2636 wrote to memory of 2836	2636	DEMF2D7.exe	34
PID 2636 wrote to memory of 2836	2636	DEMF2D7.exe	34
PID 2636 wrote to memory of 2836	2636	DEMF2D7.exe	34
PID 2836 wrote to memory of 1216	2836	DEM47D9.exe	36
PID 2836 wrote to memory of 1216	2836	DEM47D9.exe	36
PID 2836 wrote to memory of 1216	2836	DEM47D9.exe	36
PID 2836 wrote to memory of 1216	2836	DEM47D9.exe	36
PID 1216 wrote to memory of 948	1216	DEM9D0A.exe	38
PID 1216 wrote to memory of 948	1216	DEM9D0A.exe	38
PID 1216 wrote to memory of 948	1216	DEM9D0A.exe	38
PID 1216 wrote to memory of 948	1216	DEM9D0A.exe	38
PID 948 wrote to memory of 2560	948	DEMF23B.exe	40
PID 948 wrote to memory of 2560	948	DEMF23B.exe	40
PID 948 wrote to memory of 2560	948	DEMF23B.exe	40
PID 948 wrote to memory of 2560	948	DEMF23B.exe	40

C:\Users\Admin\AppData\Local\Temp\41f409f7f853c198ee1a73acc64ca3e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41f409f7f853c198ee1a73acc64ca3e4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\DEM9DB6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9DB6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\DEMF2D7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF2D7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\DEM9D0A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9D0A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Users\Admin\AppData\Local\Temp\DEMF23B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF23B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\DEM475D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM475D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe

Filesize
14KB

MD5
3b3950705be31486c20aecac4b3d3fb8

SHA1
8efc02b5d58b047a824a04bd842470848a914427

SHA256
a5c9448bccea3292c1f28cd7dacaf897f76d1435cb2d455bf4636803f1b32376

SHA512
998dd41abc002c59b4d1020cc497cb786daa2582712bfd1f8552fdce66cb423abe1a9cfeedb2751e1a4b41c8a2f7c474e0767e687688f5bcd0f549534f8a6068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9D0A.exe

Filesize
14KB

MD5
482f54bbf5f60aa5211433fe0c74c2fe

SHA1
c125345fcb2ad1f5935e36e715a93b0952145887

SHA256
4d63e65791836dfe3bb3e0f35f396f106ab1e70db059dc6a5489f3ef4c9e964f

SHA512
f3a6f580ff544f9cc49ac40f5c4b69caabb3747258e217781cc126645ae405aad53fcafb0da3e12e0c26e070f40c7850a28463e0bf2885ba4f03528b0f954ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF23B.exe

Filesize
14KB

MD5
9b1813aa9b26a32b9f1658df56771641

SHA1
6baff2778cf07614bb9a9747cbb0ce6944ef2a1a

SHA256
9f8518a704407e779821652647503f8f8c11d68c6fe24fc2058856d3191b3df4

SHA512
a615fffcf3ba97c66c0fa42fda551373d0a2dd649587774103c8deaa0cbe261c9ae321a505d4beb925cc25799d52ac6556c3681a328824611461df24dfe968fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF2D7.exe

Filesize
14KB

MD5
d36731e85bd44977ef2b44199c11c828

SHA1
8faa2c5a40aa87b048cf1901f3232d1c9e73598a

SHA256
fb314ce69832c384e6b642123e7783f9fc1937aef40863715795dd5289f8bea5

SHA512
63016e8a5976dd7a0d3682d0639973dc95d511b77874dc1fa034fa3d88c1755e693d15349eda96506b0c1440d9e023d33737151f61f8112e13439af1be7f9542

Download Submit
\Users\Admin\AppData\Local\Temp\DEM475D.exe

Filesize
14KB

MD5
aea85d77ec5a2bd679ac01f526d26db8

SHA1
5b6d5fcce2c3bd6f0f5edf14f6e02441a37a9da7

SHA256
a26ecea70b3a0171e6e6b273549187073c1b0e617ee93706e9d66ff3a44a79c1

SHA512
c823e2bd3e44c6be6352d016cd800f012d04c57e980c6022c8c55b8bf184565b9c4b281630344cafc3622a8bfdc64d78034744dfa1ef66c3dfec3d9b8487a0c0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9DB6.exe

Filesize
14KB

MD5
1374f7eac5a16a34068f72f00aa21d24

SHA1
b722e7d5eb53bba3916d76e0cc921d2bc3db11ff

SHA256
67576e2ecb3b24ec235efb016f983e85272580ce42b531490e6a71ad836d83c1

SHA512
e081c3e6e220dc3d2a43fd4cc8d3d6fdf6bfef8326a8fafe9bc640390a81be97033740e582b81b8a0022ee73e1a9c750d3a975edcce3dc00ba3a75e59580a802

Download Submit

Analysis

Sharing