0f51b6c2f5ae1eef21dda2036a57113f5cb7a739e372bb904b906173ad97d6a9

General

Target

02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe
Size

15KB
MD5

02630073f2a232321dfd12ceafeef987
SHA1

8b0ad259468cb47211417feb342dc6abc16fa97a
SHA256

0f51b6c2f5ae1eef21dda2036a57113f5cb7a739e372bb904b906173ad97d6a9
SHA512

a98098c76165211f793eef67c54b89f77e9dce3ca3c6fec647e5b9cdfa21fb000b8e1ce0a7ba4d3ed44d7bdc36a59e8c67b1b834e2c1348cd38136ea5caec960
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwK:hDXWipuE+K3/SSHgx/wK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2616	DEM1989.exe
2444	DEM6EE9.exe
2644	DEMC439.exe
1452	DEM196A.exe
1208	DEM6EAB.exe
2060	DEMC3EB.exe

Loads dropped DLL 6 IoCs

pid	Process
2488	02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe
2616	DEM1989.exe
2444	DEM6EE9.exe
2644	DEMC439.exe
1452	DEM196A.exe
1208	DEM6EAB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2616	2488	02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2616	2488	02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2616	2488	02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2616	2488	02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2444	2616	DEM1989.exe	31
PID 2616 wrote to memory of 2444	2616	DEM1989.exe	31
PID 2616 wrote to memory of 2444	2616	DEM1989.exe	31
PID 2616 wrote to memory of 2444	2616	DEM1989.exe	31
PID 2444 wrote to memory of 2644	2444	DEM6EE9.exe	35
PID 2444 wrote to memory of 2644	2444	DEM6EE9.exe	35
PID 2444 wrote to memory of 2644	2444	DEM6EE9.exe	35
PID 2444 wrote to memory of 2644	2444	DEM6EE9.exe	35
PID 2644 wrote to memory of 1452	2644	DEMC439.exe	37
PID 2644 wrote to memory of 1452	2644	DEMC439.exe	37
PID 2644 wrote to memory of 1452	2644	DEMC439.exe	37
PID 2644 wrote to memory of 1452	2644	DEMC439.exe	37
PID 1452 wrote to memory of 1208	1452	DEM196A.exe	39
PID 1452 wrote to memory of 1208	1452	DEM196A.exe	39
PID 1452 wrote to memory of 1208	1452	DEM196A.exe	39
PID 1452 wrote to memory of 1208	1452	DEM196A.exe	39
PID 1208 wrote to memory of 2060	1208	DEM6EAB.exe	41
PID 1208 wrote to memory of 2060	1208	DEM6EAB.exe	41
PID 1208 wrote to memory of 2060	1208	DEM6EAB.exe	41
PID 1208 wrote to memory of 2060	1208	DEM6EAB.exe	41

C:\Users\Admin\AppData\Local\Temp\02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\DEM1989.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1989.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\DEM6EE9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6EE9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\DEMC439.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC439.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\DEM196A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM196A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Users\Admin\AppData\Local\Temp\DEM6EAB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6EAB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\DEMC3EB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC3EB.exe"
        7⤵
        Executes dropped EXE
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM196A.exe

Filesize
15KB

MD5
ddf250616e189dd6b9edc34f7d6a5b1c

SHA1
e04ce8c9e099f61e37deed4e9bdfb984ce907c70

SHA256
bd84053a5bf00f9cf3879a670cce19e9cd6f6bb06250c2a044d7602e3deefab7

SHA512
b29968b3358a5917ff697927add26f4e0d25cf73cd3bf2bbb32d52f0bee1ad0489dfc41451586eaf70563a93259edc4a4205c2e187f4c08f51ef0b9adff7085d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6EE9.exe

Filesize
15KB

MD5
b720b590e77b0872a4195bbb8b31032f

SHA1
6ae11d02f2eb9966af2ad989a5082656e41c359b

SHA256
a4f6e6d116c3bc5e9be44002c99d59c7be1c40bae38f21d4b174ce6f54fdba8d

SHA512
ee6092ed6ec516002b1131ca212ef1e73ab5844d82a049fd9b1fa2d94530c77157cb16274da8efa77c6ff81a42889a0adec901976bdd4bcb6fca6ea87188d097

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC439.exe

Filesize
15KB

MD5
88ddf34fc458fd8141ebd9e6382f847a

SHA1
f8ae536adeb7e9f25975ed841af8b117546fe27e

SHA256
b5d1f7bed2bad031484e63c02ae7a5f8f1939e6ba8c959dd7a5bfec57f7b63cb

SHA512
ead2132c96783283379a6960e802b031f6919be2b73c1baac68c55eb6f2193b5202507d5d2dea0d105bfa78e4c910b689f8da663f61789b66414104437dbe693

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1989.exe

Filesize
15KB

MD5
8055a51efa976c26302f68917584cab9

SHA1
a2d50a07e439acf3acbb8a9ad8725f5ebe03f88d

SHA256
9856591d03c1a26f7ba3075caa08883fef79093fb0eacaf3450665a458e3000a

SHA512
d5e5def79ef492fd3b365b61c2347ccb907e3dd371820a280b0c07488c155b0395101bf4ee5d45f56b8be904c10cdb75e7cdf6d4dc5c5e791d916a0a5dd96419

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6EAB.exe

Filesize
15KB

MD5
fac87caa9ed1ef546c5688572fd51d0e

SHA1
a1d494d28625ce243a909d95cd56d79d116f5572

SHA256
7558e91c959981544ebd2be56b976437c577554d953fc1a2fe0d1b8b1e0d393d

SHA512
c80e1e2dc39e7caca456a92f6a2ed95821e410b5754dc2a7f234fbe058becd5f28c625a963e69bb7b3e6cfb47270d8423543ef40c44f2cf24cd8e03c767c14e0

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC3EB.exe

Filesize
15KB

MD5
b9afe097a55927a84ab4273f97805ee6

SHA1
cb505bec0d55896e323021b4e59787ddf50e4e07

SHA256
1a83f40f7b7fa86e6f10a8af7a86610d90444c46a3d0a55cbdf3f3f9fa258db9

SHA512
b32148e9c62e166c286f3b7b585506dd801717dbe1e5ddd5232f75df74284349145448ffcfce231e98ede7909158eb0953803e7156fec0f81f36649759aa5f1d

Download Submit

Analysis

Sharing