e374e4b3098ccd5ca7eb45bb7ff5e72036a53400aaa97c38788648386c4b7cb0

General

Target

45d355f1a7398ef4df94f08286e6dcf1_JaffaCakes118.exe
Size

14KB
MD5

45d355f1a7398ef4df94f08286e6dcf1
SHA1

99cb681bf7c75f0883f4486f9e8c1730909c5ad5
SHA256

e374e4b3098ccd5ca7eb45bb7ff5e72036a53400aaa97c38788648386c4b7cb0
SHA512

9459cd6945b4e7b8e0d7b6d27ebe64401bfdf87e9ace73c6a24b6030eac0d62291343002341a28a41e085c29120c8fad6718cfaa746a10023efec18e72f3ad08
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv55:hDXWipuE+K3/SSHgxl55

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2412	DEMD22D.exe
2748	DEM27BC.exe
2616	DEM7D0C.exe
880	DEMD28B.exe
1984	DEM2829.exe
2028	DEM7DC7.exe

Loads dropped DLL 6 IoCs

pid	Process
2208	45d355f1a7398ef4df94f08286e6dcf1_JaffaCakes118.exe
2412	DEMD22D.exe
2748	DEM27BC.exe
2616	DEM7D0C.exe
880	DEMD28B.exe
1984	DEM2829.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2412	2208	45d355f1a7398ef4df94f08286e6dcf1_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2412	2208	45d355f1a7398ef4df94f08286e6dcf1_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2412	2208	45d355f1a7398ef4df94f08286e6dcf1_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2412	2208	45d355f1a7398ef4df94f08286e6dcf1_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2748	2412	DEMD22D.exe	34
PID 2412 wrote to memory of 2748	2412	DEMD22D.exe	34
PID 2412 wrote to memory of 2748	2412	DEMD22D.exe	34
PID 2412 wrote to memory of 2748	2412	DEMD22D.exe	34
PID 2748 wrote to memory of 2616	2748	DEM27BC.exe	36
PID 2748 wrote to memory of 2616	2748	DEM27BC.exe	36
PID 2748 wrote to memory of 2616	2748	DEM27BC.exe	36
PID 2748 wrote to memory of 2616	2748	DEM27BC.exe	36
PID 2616 wrote to memory of 880	2616	DEM7D0C.exe	38
PID 2616 wrote to memory of 880	2616	DEM7D0C.exe	38
PID 2616 wrote to memory of 880	2616	DEM7D0C.exe	38
PID 2616 wrote to memory of 880	2616	DEM7D0C.exe	38
PID 880 wrote to memory of 1984	880	DEMD28B.exe	40
PID 880 wrote to memory of 1984	880	DEMD28B.exe	40
PID 880 wrote to memory of 1984	880	DEMD28B.exe	40
PID 880 wrote to memory of 1984	880	DEMD28B.exe	40
PID 1984 wrote to memory of 2028	1984	DEM2829.exe	42
PID 1984 wrote to memory of 2028	1984	DEM2829.exe	42
PID 1984 wrote to memory of 2028	1984	DEM2829.exe	42
PID 1984 wrote to memory of 2028	1984	DEM2829.exe	42

C:\Users\Admin\AppData\Local\Temp\45d355f1a7398ef4df94f08286e6dcf1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45d355f1a7398ef4df94f08286e6dcf1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\DEMD22D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD22D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\DEM27BC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM27BC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\DEM7D0C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7D0C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\DEMD28B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD28B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Users\Admin\AppData\Local\Temp\DEM2829.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2829.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\DEM7DC7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7DC7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM27BC.exe

Filesize
14KB

MD5
fe117eb8bec51b28ccfc55e39eca4145

SHA1
49ab02bc8771f0584ac271ce2a1b5fefeb30ea3d

SHA256
cf29dbebf321749a4f2173fe43eed96d8040a87a74408f9be3d4764e4e97d32b

SHA512
1d0f759bf7a71ecb1a2011e43456fd028590e3312bdd67f6e1cada743a60760170b6aed2959dd8e6582ae79193a92767f60955d217f3d2bb30d3351aa221af77

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2829.exe

Filesize
15KB

MD5
fcf906efd839b7191dd07277e1570104

SHA1
9b343fb166a869d6eaf774a49daab457694682b9

SHA256
6f4744593c3a96e247052195452a877e8702a9bcc8aea42e90846cfbc23ff77e

SHA512
816d2111dea1e38c5a29fdd65a1a211056c7b94c299e66ceb8bae4ee6ae8ab31bf3a5d5714d55fe2135775b37a558dfa37d625674f980a623d08eb538de9a03d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7D0C.exe

Filesize
14KB

MD5
fbfea3c327ea85d3a664e5ac463c2926

SHA1
a398a4bc70aad1ce6b932e8aef69d01613b6c3fa

SHA256
79229a0a4ef802ba38f5d0a2c444fa57e99a5c8536a6d078710eee9c11f10c62

SHA512
bcdace9876db95baca576895cb8dfe9079e13ddb2504e14c5739ba4a607d95007b692b3066b56e2eefe02ee2f9809fe1ebbe0ad512df567a8ad21f4cdf486935

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7DC7.exe

Filesize
15KB

MD5
a96eb05c80aba957a8e766dba58b0929

SHA1
1f308cc0287f18ab8ea62c0597ba20bc06557b53

SHA256
5f7d3b7aaf0dcdaa0d12b3ad43bec8536057994edf926d2871134d212363b746

SHA512
7ee75f96e28bbf70d17e5c095b14c1454e82ddca6237dc9d7554c69352380fdf8017e4bd1edfb3132ef22d81e17855c7030d81ab7a6f8262f39440124680ffb8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD22D.exe

Filesize
14KB

MD5
4c538802aa236d72f1cb7fd52e70120b

SHA1
5fb246783f514f48178efee6cd8666090f25bed5

SHA256
987f701fbc680ba52476e6aff553ed78ab7fdda90583917435c603b0bd8e25f4

SHA512
53caae79690256955dbe19a254cfbc826b7233a486810dd1c166140412ee65d02cf7b0eab4dccf93ed276e25e126d60351b176287499dac019b10e6298a08203

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD28B.exe

Filesize
14KB

MD5
018fb1d1fb5be3685bacd71c86130f8f

SHA1
5831aa1f43ac4e39e7418a26ef7086eff2c66ff3

SHA256
dd61c288f89ac8fc39abfe243dbf0f31b6a6d3a2fce4e28a0f35483044b1b444

SHA512
00449f404676b44b4c339c27ce4bb7a813b05dd6c2e3ff938378bb274f11c14c92e9cc1dfdce9ed70ab512baa248d0c7c46520b6e3120f4d4c253b0fb9a92798

Download Submit

Analysis

Sharing