5340fa00d94dad020cd738c7953f2993ee2409bb1a3a9d31f1393e358eb285b3

General

Target

016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe
Size

16KB
MD5

016eca0dcdd25213cf26abb261fca666
SHA1

a3742fc23c3d072f77f93cd22827de5d1fd357d1
SHA256

5340fa00d94dad020cd738c7953f2993ee2409bb1a3a9d31f1393e358eb285b3
SHA512

9575e604658b8be5e64a28f25c5b9cad5f1800c848cb0be964e4a3e529110a37734e8494e558c89213921a48eab77b3a6a22f9453b5a705ada5e6b6f185a2a93
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0:hDXWipuE+K3/SSHgxml0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2580	DEME43.exe
3048	DEM6384.exe
2868	DEMB912.exe
2764	DEME82.exe
2180	DEM645E.exe
2912	DEMB9CD.exe

Loads dropped DLL 6 IoCs

pid	Process
2204	016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe
2580	DEME43.exe
3048	DEM6384.exe
2868	DEMB912.exe
2764	DEME82.exe
2180	DEM645E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2580	2204	016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2580	2204	016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2580	2204	016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2580	2204	016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe	29
PID 2580 wrote to memory of 3048	2580	DEME43.exe	31
PID 2580 wrote to memory of 3048	2580	DEME43.exe	31
PID 2580 wrote to memory of 3048	2580	DEME43.exe	31
PID 2580 wrote to memory of 3048	2580	DEME43.exe	31
PID 3048 wrote to memory of 2868	3048	DEM6384.exe	35
PID 3048 wrote to memory of 2868	3048	DEM6384.exe	35
PID 3048 wrote to memory of 2868	3048	DEM6384.exe	35
PID 3048 wrote to memory of 2868	3048	DEM6384.exe	35
PID 2868 wrote to memory of 2764	2868	DEMB912.exe	37
PID 2868 wrote to memory of 2764	2868	DEMB912.exe	37
PID 2868 wrote to memory of 2764	2868	DEMB912.exe	37
PID 2868 wrote to memory of 2764	2868	DEMB912.exe	37
PID 2764 wrote to memory of 2180	2764	DEME82.exe	39
PID 2764 wrote to memory of 2180	2764	DEME82.exe	39
PID 2764 wrote to memory of 2180	2764	DEME82.exe	39
PID 2764 wrote to memory of 2180	2764	DEME82.exe	39
PID 2180 wrote to memory of 2912	2180	DEM645E.exe	41
PID 2180 wrote to memory of 2912	2180	DEM645E.exe	41
PID 2180 wrote to memory of 2912	2180	DEM645E.exe	41
PID 2180 wrote to memory of 2912	2180	DEM645E.exe	41

C:\Users\Admin\AppData\Local\Temp\016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\DEME43.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME43.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\DEM6384.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6384.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\DEMB912.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB912.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\DEME82.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME82.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\DEM645E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM645E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\DEMB9CD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB9CD.exe"
        7⤵
        Executes dropped EXE
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6384.exe

Filesize
16KB

MD5
93632305aacfabe9d9a4f48ceef8c78f

SHA1
219ea90906bb362399f988d61f26cd882d6378b1

SHA256
694bc70fe86d6f56c7a4d5a2558aa7f2022edddfb801eb6638a04449de71ea45

SHA512
c0c16d8a30af64c1b86b127049fcdcf80bce09a725113ce29449e8d3495dc230e5ee21a5769b79fe99d65f5d9d10bb22b4610b0aa12696313143870f4329ce5f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM645E.exe

Filesize
16KB

MD5
e7663bea328ee9a7661dea8b9c56cd2b

SHA1
b03cc917b164fa8524ab3ce301bc4f36d753ec56

SHA256
be73c8f089977186b2d75dc661b50588bcba236082e62a0fb265c2bcabafda3e

SHA512
6280009d87bfcf9ffe1dbdbf5cf419797749c3b191afa44c12246b9af86a6d6f7a1254acf6915b85ab9fc49e62e3a710301e3bd65b23d2e2f18cff68c438e76c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB912.exe

Filesize
16KB

MD5
95e3cb10e7289d0a8c8f3ee762babedd

SHA1
9062ac6446c01098df82dc7e084f3af29a7d2de4

SHA256
5291117a90490bff27953b3bd491f9c2f8f797dae0a9eae9f110701e88cd2015

SHA512
b003c0e4cc7ef0e35d5cb754dfdec958af1b9897c689ecb169abe7772096e3d27bdac05f5acafb51a7baa95bd1707a7bdeab58cc337a5059ce11f90173a45dfc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB9CD.exe

Filesize
16KB

MD5
3c672b3472aba4923972542dfd18d2b7

SHA1
28e9d355a15a5bd65a6e1e9d195195495e4ef0e9

SHA256
b287e2ea162f20deb9b7be45812af695bb931b0c29a8fffeaf8d016e106372e4

SHA512
c5dc2b391f5ba3a7e4f25cc4418c4381e791e9c4f620fe6c12dd7d7e7e2f0bed31c52db2f803877883c8e830fbaaedb2e5f4859f2fd5c8bac923057a5c5fd0c2

Download Submit
\Users\Admin\AppData\Local\Temp\DEME43.exe

Filesize
16KB

MD5
57d0909c7da55bbb7a3e3d9812f2b276

SHA1
cbf5e01be5736af828ddafc4404edf6291ea3cbd

SHA256
406135d4b65603be761efcab3deeebc5653bcd98fbc3fb524314f4599028fd72

SHA512
8a0a3a525b7195dc18432cb0f8c7a001223dd2d07d4807ec6e70c39cc6e02b1a2a029eff967b1245fc79c3f332c0fdcc9b8dfe8353b6a9138f1cb31e59f6e209

Download Submit
\Users\Admin\AppData\Local\Temp\DEME82.exe

Filesize
16KB

MD5
d01265f05717855c453e0285c953c9cb

SHA1
7853f6fd2e3056ded131fe38c430709d86378685

SHA256
98c949a483d32a860cff6178c93c7f86e4d9e0999babda54bfdd72e2c1319cfa

SHA512
b6920a4ae1e10a367e8ab7662e91414a7bfbcf85a847b1dceadb1450443649825c612804bc1a38a9ba78322a1f7426bc2bb27b746f70d8a46e5a8342128216cb

Download Submit

Analysis

Sharing