04ca7f4583896b615ebb662c8e7c6eb36ede6c05f836ab1457b3d0c9d10dc302

General

Target

67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe
Size

14KB
MD5

67e9a242f98b89b2e9b97c6b18fa52a4
SHA1

a1ff53748f8519c80d12d653abfee750026910bb
SHA256

04ca7f4583896b615ebb662c8e7c6eb36ede6c05f836ab1457b3d0c9d10dc302
SHA512

f269c6f964d6119965148ffcd4464f75a05ca680dbc011b6789e479b8b939fe2600ecfebf7396cf5d6f935b125b6068d9b027414468a5d1d1d6dd3d0021fd753
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/Q:hDXWipuE+K3/SSHgxm/Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2520	DEM1362.exe
2676	DEM68F0.exe
2696	DEMBE31.exe
2380	DEM144C.exe
708	DEM694E.exe
1944	DEMBE8E.exe

Loads dropped DLL 6 IoCs

pid	Process
1820	67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe
2520	DEM1362.exe
2676	DEM68F0.exe
2696	DEMBE31.exe
2380	DEM144C.exe
708	DEM694E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2520	1820	67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2520	1820	67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2520	1820	67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2520	1820	67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2676	2520	DEM1362.exe	32
PID 2520 wrote to memory of 2676	2520	DEM1362.exe	32
PID 2520 wrote to memory of 2676	2520	DEM1362.exe	32
PID 2520 wrote to memory of 2676	2520	DEM1362.exe	32
PID 2676 wrote to memory of 2696	2676	DEM68F0.exe	34
PID 2676 wrote to memory of 2696	2676	DEM68F0.exe	34
PID 2676 wrote to memory of 2696	2676	DEM68F0.exe	34
PID 2676 wrote to memory of 2696	2676	DEM68F0.exe	34
PID 2696 wrote to memory of 2380	2696	DEMBE31.exe	36
PID 2696 wrote to memory of 2380	2696	DEMBE31.exe	36
PID 2696 wrote to memory of 2380	2696	DEMBE31.exe	36
PID 2696 wrote to memory of 2380	2696	DEMBE31.exe	36
PID 2380 wrote to memory of 708	2380	DEM144C.exe	38
PID 2380 wrote to memory of 708	2380	DEM144C.exe	38
PID 2380 wrote to memory of 708	2380	DEM144C.exe	38
PID 2380 wrote to memory of 708	2380	DEM144C.exe	38
PID 708 wrote to memory of 1944	708	DEM694E.exe	40
PID 708 wrote to memory of 1944	708	DEM694E.exe	40
PID 708 wrote to memory of 1944	708	DEM694E.exe	40
PID 708 wrote to memory of 1944	708	DEM694E.exe	40

C:\Users\Admin\AppData\Local\Temp\67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\DEM1362.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1362.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\DEM68F0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM68F0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\DEMBE31.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBE31.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\DEM144C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM144C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\DEM694E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM694E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\DEMBE8E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBE8E.exe"
        7⤵
        Executes dropped EXE
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM68F0.exe

Filesize
14KB

MD5
1ba955e88a1dc867dff93e3d1f48c817

SHA1
98e45c49eb6dc3f1aae191df6c3e98b660aae99e

SHA256
12c97a8cbad32aff94a1d50717e529fb5f42b6a1deb371b9120258c1426db01e

SHA512
9611f9c59acdd67549bc4ce98130aa82b9eca091b2ad824221fb5090edadc97b14a95571b4ae8e1c7e762a21d895aad8bd447e909765a878396b1b9e195162f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM694E.exe

Filesize
14KB

MD5
907ff0e1628a26313dde68b3c02e93c7

SHA1
f3cc5c6ab1ef6b5a7d48f3d324fe5707da7e2c5e

SHA256
a8951987824ffae897dcccd5c7809fa2a284d75f15912c2fda286f214573cca6

SHA512
df461dc15c19af7171a7f386412cc2f22a3cfab429a81c99ed37fff8a60cbae2175a0919aff05a7099457dfb9fe68e213d7f0a9cd92cc4c76a5028b7b4edcf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE31.exe

Filesize
14KB

MD5
4ad62207f481c4e4aadb733f8c292950

SHA1
14c41bc8286cd587486b54536e58b7450820723e

SHA256
40f47975deb693f199a727f7e1f4a9c0c00d6225c2df0a52c76f3167051cb353

SHA512
e1c5bb1ff8b2494ebaca764c852094638f5140444e4a971dee1c7b1f4f11ebc1160b6a5d4fff36f99baf2295834aa51aff5ba1d3fe1b20666136abb54f0c7a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE8E.exe

Filesize
14KB

MD5
3c26541f8be88228629977777874d30c

SHA1
764802c51a558119c0e35dd0e7327e632cfe59c9

SHA256
230a41f2aadb86560466fa844837963db4b35d15ec8f434ce2b3ef16e4956633

SHA512
0acb9198732b73178fbd33413fa63ea590041698e532cbf37d05f6bee766967d4606fe900167d085a74b75a008ba3ca58b55ad1c10e2c0e6a916039e624b1b14

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1362.exe

Filesize
14KB

MD5
149e37b3e844b370af39e795a106dc52

SHA1
a53d97e2d07c08c7e04b7528875065447f606222

SHA256
59acd5e8cd2ee07d8404ee1190b92c7d1264785faa0446504eabb172213c08e3

SHA512
5e097c623f1c4ddeae0dec35c8f8e0d67e967118715a6bfd509550e886a01df0ac68b5b72f21753544925b1019b6c8a561812088d484385ef0403e24d640c957

Download Submit
\Users\Admin\AppData\Local\Temp\DEM144C.exe

Filesize
14KB

MD5
abd5f80350fc67daa5d7aa72957a5dc1

SHA1
5ea13b8268d839d38f987c85e0281e1ddba59406

SHA256
2821c442af554c25dcf7332440c2bbc03b06d44fd0c2c134dc3a63c7f1c49162

SHA512
c52be91a6dc0dfe94d85e2d12e5638151804622dcba3c776e58a175bd11935d9028c140e92b9452a5a42cea2335a09bfb5323eb4a23b12d57fd844a955e11521

Download Submit

Analysis

Sharing