de6181185003749b5e56e9b3bb855b2b121829e2ab998c41c0b06e610502363e

General

Target

10729b651c3838868f515dc723475d29_JaffaCakes118.exe
Size

15KB
MD5

10729b651c3838868f515dc723475d29
SHA1

b3d8855a1b9a951d6592f642e311f37c007f8dd0
SHA256

de6181185003749b5e56e9b3bb855b2b121829e2ab998c41c0b06e610502363e
SHA512

d03221ad55a52d5eab56d5a8f8052822f0a5a551cfe8690dd3b08d8bf85036874dda3292a132aeebe1df49017ba0a157fd71998dacb99da82460bab026e416f5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyhg:hDXWipuE+K3/SSHgxmyhg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2672	DEM98A7.exe
2472	DEMEE93.exe
1484	DEM44FC.exe
3064	DEM9B17.exe
2368	DEMF113.exe
1628	DEM46EF.exe

Loads dropped DLL 6 IoCs

pid	Process
2072	10729b651c3838868f515dc723475d29_JaffaCakes118.exe
2672	DEM98A7.exe
2472	DEMEE93.exe
1484	DEM44FC.exe
3064	DEM9B17.exe
2368	DEMF113.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2672	2072	10729b651c3838868f515dc723475d29_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2672	2072	10729b651c3838868f515dc723475d29_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2672	2072	10729b651c3838868f515dc723475d29_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2672	2072	10729b651c3838868f515dc723475d29_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2472	2672	DEM98A7.exe	33
PID 2672 wrote to memory of 2472	2672	DEM98A7.exe	33
PID 2672 wrote to memory of 2472	2672	DEM98A7.exe	33
PID 2672 wrote to memory of 2472	2672	DEM98A7.exe	33
PID 2472 wrote to memory of 1484	2472	DEMEE93.exe	35
PID 2472 wrote to memory of 1484	2472	DEMEE93.exe	35
PID 2472 wrote to memory of 1484	2472	DEMEE93.exe	35
PID 2472 wrote to memory of 1484	2472	DEMEE93.exe	35
PID 1484 wrote to memory of 3064	1484	DEM44FC.exe	37
PID 1484 wrote to memory of 3064	1484	DEM44FC.exe	37
PID 1484 wrote to memory of 3064	1484	DEM44FC.exe	37
PID 1484 wrote to memory of 3064	1484	DEM44FC.exe	37
PID 3064 wrote to memory of 2368	3064	DEM9B17.exe	39
PID 3064 wrote to memory of 2368	3064	DEM9B17.exe	39
PID 3064 wrote to memory of 2368	3064	DEM9B17.exe	39
PID 3064 wrote to memory of 2368	3064	DEM9B17.exe	39
PID 2368 wrote to memory of 1628	2368	DEMF113.exe	41
PID 2368 wrote to memory of 1628	2368	DEMF113.exe	41
PID 2368 wrote to memory of 1628	2368	DEMF113.exe	41
PID 2368 wrote to memory of 1628	2368	DEMF113.exe	41

C:\Users\Admin\AppData\Local\Temp\10729b651c3838868f515dc723475d29_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10729b651c3838868f515dc723475d29_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\DEM98A7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM98A7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\DEMEE93.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEE93.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\DEM44FC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM44FC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\DEM9B17.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9B17.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Temp\DEMF113.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF113.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\DEM46EF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM46EF.exe"
        7⤵
        Executes dropped EXE
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM44FC.exe

Filesize
15KB

MD5
69ee138b38949418c4167c74798b9abe

SHA1
69a592e309ba995cee2444fe0e7ea197b30d846b

SHA256
bc5054b312bcd6f8d250ab03c3e4654197446ed74503fa73ed6e0580eb3b4809

SHA512
903297b5d70b51a916e56725c705cefdd49e59ed81cead8bca4b2a56f5bc9467a4547460833a8520ab2e574b9e4aa557ab12e0e59ba9644c8e397f19aa84f0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM46EF.exe

Filesize
15KB

MD5
5a71c4379c05e3aafb472df7f9882c89

SHA1
e6038015c92dd5b228c2c379aaf0d5d56819a9ed

SHA256
60bed8b682bf508f7fa274de0eaacdeb673030df1d41f980efdf549992bc9465

SHA512
cc9fbc26ce8e6600993bc49c7e0b2fa22eccf037d27de0e995ad76330075e82171aff6fdc8b8a66e6d16a4df8f78ad8c4119299687f3e1f9f517412aaae9a8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B17.exe

Filesize
15KB

MD5
6644cae9833f9c066344f618fab31e23

SHA1
01a1cabd6cfdf9b7c62e82b47bf09ef9c082dc42

SHA256
9a4d1e32be85cc0668dd610b5ab37811b14632835faf6501f1e1fd5ab272482e

SHA512
8439972d989761448435b34bb6d6d7155170a4a59c9e3fb8f1fe7828cc5e3eea8de938feeadabf4689e86d9ead0f245d7f3ea2d65d7faec77e04c5b9a429ac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE93.exe

Filesize
15KB

MD5
ebf328ad2f5ff0f8006d95dc1ae2fb28

SHA1
0ed5edd00f8b7e2a7419fa793c78f93e84ff6667

SHA256
1561f880ad6fa7453d7eb938ddca9f03692ffbb28018405b84c893e5c48f1eb8

SHA512
c8fda1a76924e54e9f04c60e42b8a32dc16e3a276bc21d51b4f43d26ba1d853f2befa7bb8d3fdb49f020cec6769dc3f4540d1f92af1b727b521e79a94f5865bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF113.exe

Filesize
15KB

MD5
cdfabd1abce37f3057bd09eb49fde636

SHA1
efe1100e00c2ddc9f448a26b51b58a9dcd27d0cc

SHA256
c5be327700a9b11aacf09e516b48be3a07102f9d8cbcbe884bfebeaafbf82c0c

SHA512
92bc977575456eca2191672845d8468cf0a19a6311f81a097a7355bb7e9595b22ded80f82430ecae14632678f2e7abaf2d0d0b7dc6a82379c409540ed22ee5a2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM98A7.exe

Filesize
15KB

MD5
3eeb68872e9e089fc9ab42dbc3a49c73

SHA1
970cad26f92d00c5a35ca48bdedaa9fba669cab4

SHA256
a5c03b786e28fcc6a03948519f7978afb7d2e7f2722e6528b84bbb422b3b2762

SHA512
bdcf2a2bfee0dab528666b8905ea885c7b17a838c5812bbcbee834a32fb4f4a88aa6ee5de6161927c6ebdc08fb5f25ac323d3a7e89499beb09e6b47750897951

Download Submit

Analysis

Sharing