7ceb6e19e6392bc2b057c462a40504ebb2b4aae0b819f04090e37119e7956c5f

General

Target

1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe
Size

16KB
MD5

1214eb7ef069fc2d751934f233e2fb50
SHA1

cd38d08b64069a158fd798a2ca69da3b0f1a370a
SHA256

7ceb6e19e6392bc2b057c462a40504ebb2b4aae0b819f04090e37119e7956c5f
SHA512

1d14395efdf9325935f52f1ca400def14b8e4b5ef5ee4c63852710441c58bd5bf2d20baba62b829c80395807c698ca1ba05f622ba6bb0ad39a8eb763becf2ada
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxB:hDXWipuE+K3/SSHgxmHD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2900	DEM5BB.exe
2276	DEM5B1B.exe
2956	DEMB03C.exe
2692	DEM638.exe
1956	DEM5BB7.exe
1824	DEMB155.exe

Loads dropped DLL 6 IoCs

pid	Process
2912	1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe
2900	DEM5BB.exe
2276	DEM5B1B.exe
2956	DEMB03C.exe
2692	DEM638.exe
1956	DEM5BB7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2900	2912	1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2900	2912	1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2900	2912	1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2900	2912	1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe	29
PID 2900 wrote to memory of 2276	2900	DEM5BB.exe	31
PID 2900 wrote to memory of 2276	2900	DEM5BB.exe	31
PID 2900 wrote to memory of 2276	2900	DEM5BB.exe	31
PID 2900 wrote to memory of 2276	2900	DEM5BB.exe	31
PID 2276 wrote to memory of 2956	2276	DEM5B1B.exe	35
PID 2276 wrote to memory of 2956	2276	DEM5B1B.exe	35
PID 2276 wrote to memory of 2956	2276	DEM5B1B.exe	35
PID 2276 wrote to memory of 2956	2276	DEM5B1B.exe	35
PID 2956 wrote to memory of 2692	2956	DEMB03C.exe	37
PID 2956 wrote to memory of 2692	2956	DEMB03C.exe	37
PID 2956 wrote to memory of 2692	2956	DEMB03C.exe	37
PID 2956 wrote to memory of 2692	2956	DEMB03C.exe	37
PID 2692 wrote to memory of 1956	2692	DEM638.exe	39
PID 2692 wrote to memory of 1956	2692	DEM638.exe	39
PID 2692 wrote to memory of 1956	2692	DEM638.exe	39
PID 2692 wrote to memory of 1956	2692	DEM638.exe	39
PID 1956 wrote to memory of 1824	1956	DEM5BB7.exe	41
PID 1956 wrote to memory of 1824	1956	DEM5BB7.exe	41
PID 1956 wrote to memory of 1824	1956	DEM5BB7.exe	41
PID 1956 wrote to memory of 1824	1956	DEM5BB7.exe	41

C:\Users\Admin\AppData\Local\Temp\1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\DEM5BB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5BB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\DEM5B1B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5B1B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\DEMB03C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB03C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\DEM638.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM638.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Users\Admin\AppData\Local\Temp\DEM5BB7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5BB7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\DEMB155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB155.exe"
        7⤵
        Executes dropped EXE
        
        PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5B1B.exe

Filesize
16KB

MD5
743a632bdd0b85267e422c24fd3bd15d

SHA1
f0d98c2b099712fce59c9a3fc9d23e744b26277c

SHA256
b70a0eeff67936b2deb4b3565c09e6969df5482a6ac4d435469ac3787518a97e

SHA512
a89ea35f2979ce9d84e0b781e878a413f1faf26af62c9dcf3975e59af801f6058b8228edcc765e44b2afbfa973279caf66d45119707fa4eb4cfea73b04b85f6c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5BB.exe

Filesize
16KB

MD5
2a9fa1aa4e26b7dfece01ba81b637356

SHA1
f46f131609d4fd4ee2850a114ab6692849e6644d

SHA256
c55e4229bab4d6fe899e425a0fea28e47990a52ae02f3de0414902d96b10bf55

SHA512
58bb95682a73e3cc2fcaf0be271f3b01537afdf97bcc90adb401f43dca16ddc1be413f01a76c8ca8b810a088e1b0237bfc8d33fc5036d9296df931b426a97dba

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5BB7.exe

Filesize
16KB

MD5
77f43e64a0ea9ae49a57ddeb4e232068

SHA1
5af9e01ce347a742030f44a6277d7224c5ca0dde

SHA256
23bed34b4bb5a7330943bba33878da39b1329214b3204fd9755075bb434c1662

SHA512
d7f17e706bae69d452f838d56924d7c4fb0dbabc9da02de6b5ae3d1fc0d19ac03a5809eb74ea31c4c0ccccc72480e2106623ae97ae9b8ca8234289068313fe0a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM638.exe

Filesize
16KB

MD5
10a249cc85f5de3023be4a77d13a7729

SHA1
0623736d62f87b1e8b95bb4328af9b3e43562ce3

SHA256
d50c5511845ef9bd8295d46c8f1235d61eb926270f2abaffeb28d690c975e165

SHA512
e5a3236dddbcbb1dc6ba970d537fa298d3ab88194cc098cb7e090e09b7c40e88c0b9dc5f5f001b9278e8ddf5f6c1e838152d016c24c36c7f5cd9a2dcc2a4baeb

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB03C.exe

Filesize
16KB

MD5
4c305f1a14fef024e40f417ee9d5696e

SHA1
61d71edb8f53d89d13a15d3eaddbfdef77148f4e

SHA256
062d316f861650b3a5fadeea10bbc3de35e1dac5309aa1a4565c07795ed228c4

SHA512
f26371dbd9afa6f664d409f3da1ccdc92f6ca09a291168446dca1147a9405772fff90f2d61f7bd210532cdb882dc0e68b8e30711b405d4bb796b7cfbf49aae58

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB155.exe

Filesize
16KB

MD5
507c95efaa647329a2a45f944f480b9e

SHA1
daab307ccbf9311ec08c9d14b05d116ccd20dcf0

SHA256
9932737a76647a35a4f547479dc13d1853af77e66b2c02988bc7f51808592d0b

SHA512
cc3cfeaf153913c9a38b612263d6f4481440f55bd58a2d27c2f043ec87975425eaeead498638a9e82d999f177517ee6b099ab8b5fa455b93a05e9fa441d113af

Download Submit

Analysis

Sharing