272e0c3bd06a74adf16c64671537538add7b0c36c8e90a7a8459b63b5dca82a8

General

Target

0189ede1507e56700a9063b72823d6ba_JaffaCakes118.exe
Size

14KB
MD5

0189ede1507e56700a9063b72823d6ba
SHA1

1892dda9d39f483133829ce58d99e6b14913e09c
SHA256

272e0c3bd06a74adf16c64671537538add7b0c36c8e90a7a8459b63b5dca82a8
SHA512

d33792dd9dfa76f293f8faa8059ed0fce3d230269368166386dc72c622296ce2ad1f9ec36d1cc079e51b73ae81856893d26b46067a3f02dcac37eeaa9a77a5e8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhtQ:hDXWipuE+K3/SSHgxzQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3040	DEM13A0.exe
2292	DEM6900.exe
2776	DEMBE31.exe
1364	DEM147A.exe
1800	DEM69F9.exe
2440	DEMBF49.exe

Loads dropped DLL 6 IoCs

pid	Process
856	0189ede1507e56700a9063b72823d6ba_JaffaCakes118.exe
3040	DEM13A0.exe
2292	DEM6900.exe
2776	DEMBE31.exe
1364	DEM147A.exe
1800	DEM69F9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 3040	856	0189ede1507e56700a9063b72823d6ba_JaffaCakes118.exe	29
PID 856 wrote to memory of 3040	856	0189ede1507e56700a9063b72823d6ba_JaffaCakes118.exe	29
PID 856 wrote to memory of 3040	856	0189ede1507e56700a9063b72823d6ba_JaffaCakes118.exe	29
PID 856 wrote to memory of 3040	856	0189ede1507e56700a9063b72823d6ba_JaffaCakes118.exe	29
PID 3040 wrote to memory of 2292	3040	DEM13A0.exe	31
PID 3040 wrote to memory of 2292	3040	DEM13A0.exe	31
PID 3040 wrote to memory of 2292	3040	DEM13A0.exe	31
PID 3040 wrote to memory of 2292	3040	DEM13A0.exe	31
PID 2292 wrote to memory of 2776	2292	DEM6900.exe	35
PID 2292 wrote to memory of 2776	2292	DEM6900.exe	35
PID 2292 wrote to memory of 2776	2292	DEM6900.exe	35
PID 2292 wrote to memory of 2776	2292	DEM6900.exe	35
PID 2776 wrote to memory of 1364	2776	DEMBE31.exe	37
PID 2776 wrote to memory of 1364	2776	DEMBE31.exe	37
PID 2776 wrote to memory of 1364	2776	DEMBE31.exe	37
PID 2776 wrote to memory of 1364	2776	DEMBE31.exe	37
PID 1364 wrote to memory of 1800	1364	DEM147A.exe	39
PID 1364 wrote to memory of 1800	1364	DEM147A.exe	39
PID 1364 wrote to memory of 1800	1364	DEM147A.exe	39
PID 1364 wrote to memory of 1800	1364	DEM147A.exe	39
PID 1800 wrote to memory of 2440	1800	DEM69F9.exe	41
PID 1800 wrote to memory of 2440	1800	DEM69F9.exe	41
PID 1800 wrote to memory of 2440	1800	DEM69F9.exe	41
PID 1800 wrote to memory of 2440	1800	DEM69F9.exe	41

C:\Users\Admin\AppData\Local\Temp\0189ede1507e56700a9063b72823d6ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0189ede1507e56700a9063b72823d6ba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\DEM13A0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM13A0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\DEM6900.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6900.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\DEMBE31.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBE31.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Users\Admin\AppData\Local\Temp\DEM147A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM147A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Users\Admin\AppData\Local\Temp\DEM69F9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM69F9.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\DEMBF49.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBF49.exe"
        7⤵
        Executes dropped EXE
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM13A0.exe

Filesize
14KB

MD5
ff29b7ffefe0f1142649e2943466082b

SHA1
d2286a8412bde8577ca4dabf43de4942c52daf3a

SHA256
7175f07c37e7710b7e2559d76016dc5e6d84d0d00d903d1ed7c87e2ba0b66ad1

SHA512
1cc192cb6c4f38d909c3e316fbab7b3a672b20d3674a8be799f770e847d3687a0c830e8add25b29c71f0b2b1f7049167b16bc3b3d6c0cb5f18acb6e79edfd170

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6900.exe

Filesize
14KB

MD5
dbe2b23430ca95841f82c2873016e58d

SHA1
b443e30ca865595fea102fe4a3fb8c160f85a0ca

SHA256
51b3943086f9706bc9d5605ea0330ebdf0b11bebbe3f2579e15674d618a2ea26

SHA512
027db83d659f35f4202273ed5be2d124bd5db9dce19efd13d3b512526ec56023d177e53eb9c61c32af5580fce2271169f0a7d445db862e6daf9f0d9e38ca59c9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM147A.exe

Filesize
14KB

MD5
c6560402d7e80588fdb12535378bf6d2

SHA1
433338ec7b25f4f6c4b78fda8a17e22768cac01e

SHA256
c0d4f25640bcc3e70d7a413e3982642f9bd011d53896d18d5b6264a50fee3050

SHA512
9b1b11f95bb2d548517fead691405a0d5cd9a641e2abafee710adbfa9fcc35baaa01c4655390f3c44207a11b2ef08fcb35a3d1bdbe3140c5717059861469bbaa

Download Submit
\Users\Admin\AppData\Local\Temp\DEM69F9.exe

Filesize
14KB

MD5
dd93dc600fa7551636a297814f707817

SHA1
13b6c1978b28feba9d240b51702876c55bfe06f1

SHA256
ff347517d0076ab6aa2e9694d2c21dd0f4cb509f83c35db28c5c40a6d6acc72a

SHA512
b1ec5220c0cd52376eb29e67ab8773980c626c4a7ea8d1087217fb96b7028242af896bc82f9cb7361e5a37af40877454e2d1250090b61f00429a61f788e69a47

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBE31.exe

Filesize
14KB

MD5
992e0c56cf1bcb9d17382ac11ed18213

SHA1
da3cabe829f663561eb8fd2759d5a58bb507816e

SHA256
996725a761de1b792122259e16c95561d7dc3fd8b84b22142c3acad8d6d3b07e

SHA512
48497031862eda95e88a417e0046df3a57adf07b2344798d275a5749a9d70e259b1dc7192b7ba81af86741cfbefe4470bb3a9f886b2316342fcc4b8ef789e76f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBF49.exe

Filesize
14KB

MD5
936fa103455fe8ae6115ac3093477b5f

SHA1
844714a26f58b0104320e2266162d88b8e44674d

SHA256
8cb071ed58c30eff608c166ee58ebbdcb42a32c109a4cb16ce45fd90c6923763

SHA512
802a5af2b49d6d501bac9ae83afac0d42c448dc82f8783ff15428f14ca92a598e22764d79cde67fc1de68128bfdc790e1d63f0b7b16f25d185dc8346144d2f8c

Download Submit

Analysis

Sharing