bc2d94a40c4e6fce234c0b3cd1f8c453a7b3b7125a710a0c887f83a50a84a1b7

General

Target

02137704a058604a65e67aa48a3e0e24_JaffaCakes118.exe
Size

15KB
MD5

02137704a058604a65e67aa48a3e0e24
SHA1

3d80ec16462f4169e0f1f947a8f013be3ff2b1c1
SHA256

bc2d94a40c4e6fce234c0b3cd1f8c453a7b3b7125a710a0c887f83a50a84a1b7
SHA512

510964baf5e30ff36960230c2ab36efa05f655a307ffa993aee2b90db91c9269150461d0fc5f6321171976e26bd4dd7a0bdf91ca090eef00256d68e1524aa74d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhd:hDXWipuE+K3/SSHgxzd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2596	DEM1B7C.exe
2468	DEM70FB.exe
2700	DEMC6A9.exe
1692	DEM1BCA.exe
2236	DEM7149.exe
2316	DEMC6B9.exe

Loads dropped DLL 6 IoCs

pid	Process
2864	02137704a058604a65e67aa48a3e0e24_JaffaCakes118.exe
2596	DEM1B7C.exe
2468	DEM70FB.exe
2700	DEMC6A9.exe
1692	DEM1BCA.exe
2236	DEM7149.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2596	2864	02137704a058604a65e67aa48a3e0e24_JaffaCakes118.exe	29
PID 2864 wrote to memory of 2596	2864	02137704a058604a65e67aa48a3e0e24_JaffaCakes118.exe	29
PID 2864 wrote to memory of 2596	2864	02137704a058604a65e67aa48a3e0e24_JaffaCakes118.exe	29
PID 2864 wrote to memory of 2596	2864	02137704a058604a65e67aa48a3e0e24_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2468	2596	DEM1B7C.exe	31
PID 2596 wrote to memory of 2468	2596	DEM1B7C.exe	31
PID 2596 wrote to memory of 2468	2596	DEM1B7C.exe	31
PID 2596 wrote to memory of 2468	2596	DEM1B7C.exe	31
PID 2468 wrote to memory of 2700	2468	DEM70FB.exe	35
PID 2468 wrote to memory of 2700	2468	DEM70FB.exe	35
PID 2468 wrote to memory of 2700	2468	DEM70FB.exe	35
PID 2468 wrote to memory of 2700	2468	DEM70FB.exe	35
PID 2700 wrote to memory of 1692	2700	DEMC6A9.exe	37
PID 2700 wrote to memory of 1692	2700	DEMC6A9.exe	37
PID 2700 wrote to memory of 1692	2700	DEMC6A9.exe	37
PID 2700 wrote to memory of 1692	2700	DEMC6A9.exe	37
PID 1692 wrote to memory of 2236	1692	DEM1BCA.exe	39
PID 1692 wrote to memory of 2236	1692	DEM1BCA.exe	39
PID 1692 wrote to memory of 2236	1692	DEM1BCA.exe	39
PID 1692 wrote to memory of 2236	1692	DEM1BCA.exe	39
PID 2236 wrote to memory of 2316	2236	DEM7149.exe	41
PID 2236 wrote to memory of 2316	2236	DEM7149.exe	41
PID 2236 wrote to memory of 2316	2236	DEM7149.exe	41
PID 2236 wrote to memory of 2316	2236	DEM7149.exe	41

C:\Users\Admin\AppData\Local\Temp\02137704a058604a65e67aa48a3e0e24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02137704a058604a65e67aa48a3e0e24_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\DEM1B7C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1B7C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\DEM70FB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM70FB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\DEMC6A9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC6A9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\DEM1BCA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1BCA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\DEM7149.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7149.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\DEMC6B9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC6B9.exe"
        7⤵
        Executes dropped EXE
        
        PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM70FB.exe

Filesize
15KB

MD5
09698f2829702f4ab562b86331eacbfb

SHA1
34b873cad1ab6c26d990e53203072c4f76336830

SHA256
38af6600b83f62db3486de1845ea2cd89c5172a1f88ead001a05fa5d224ea162

SHA512
d137b44050f86f7bd40663fb3cda70760e480de5bfc7329625277389b2ba89d2653aa1ce8bfdebf582bf9845d83e844d09c6fbbbfd4bf9a103cf34cf64fb37bc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1B7C.exe

Filesize
15KB

MD5
7661aea4b54ad9f0b9c9b869856a38c2

SHA1
53de5eb2a5bac62a6038e3b09a2773c6fa3813d8

SHA256
972ac04c89150781b738c0e1a7c6a782cf985c374ccfa9a9caac31032f25d25e

SHA512
05b0814cb0d372f95ef473c708e7448f0ef3bcbde527fbd1debbf7613e5c5b14f327f6430be92bfa744302311fd32a6b290b9c58bd3462a9ea357de2faaf72da

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1BCA.exe

Filesize
15KB

MD5
2b45b35141e39edce83455413265b2f5

SHA1
916921490227f0674477a6b5ac683a54c66fce83

SHA256
3319e94f8a26529dd7c334c0901c3464635c38ed8fa0dacb7a77440beee72077

SHA512
5a3a4c73c6e550fc266d6cf5f9e4ad843a897a77c1556d4973caf5c039b91f935157b885e2c02876beb9fd696ced9c1bdfc93f7e4944f816e595927a73a59df5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7149.exe

Filesize
15KB

MD5
fed7f089977df2f19fc5062dd8a96186

SHA1
5f4535eefccac897c86a52da2ad1f448633fd797

SHA256
bf796997382a13bf362c3be5f9c26814a41acabeb64cc9fcd279769b2fb57f9e

SHA512
281296e59d2af7e1f286dd3e36fb0f3aed5e0e63c81d5e4cdd8a751ec529c80777dd68688eccf85c384a83156ca3938b9aa3da33d4ee25bd69a9942c1bd2f912

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC6A9.exe

Filesize
15KB

MD5
84814c5b3099ed94ea5968de2e7863ec

SHA1
acfe803332225a0531554ebff4a6abd858adefda

SHA256
a02f8f177cc8f95d4dab0bf313e21b3967603a7b0ce83534abd6822257431f02

SHA512
1307cf889d964ab9aca5e9c6109893c391e15378667892c76a6380fa3e7e55c22b4fff50a32b386857fa75d07e3f37541053a088139c35c424226a242afef0ae

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC6B9.exe

Filesize
15KB

MD5
ab0e542d9ab13ea53224eac327147f06

SHA1
ed71ce8209b50d7d378a6c8503346afa3358de79

SHA256
202e0462a4beaea4e0d28118607a2ea0fc977f3ba51b1e0d4fcee2c122ed334a

SHA512
ed0af19368da43469babf35b7da4a14ec13b9e986821c71e5a087fe5bd594f53523491fd2725b5f223c3f160ed91aa8bb2902a3b2463c0e09e631317ae28ac62

Download Submit

Analysis

Sharing