dd0d2692b08efb40a5d2adcf2bc382f136406e2fe2124765adfd6ec3eaa00125

General

Target

05e37214be0c33a2b685bcb2b4fb520f_JaffaCakes118.exe
Size

15KB
MD5

05e37214be0c33a2b685bcb2b4fb520f
SHA1

d0f0d082e1c83f5c78c2de5e48fed052b54a972a
SHA256

dd0d2692b08efb40a5d2adcf2bc382f136406e2fe2124765adfd6ec3eaa00125
SHA512

a5afdae9e48f3f38909cfc3826fd67d9bc8db5255463ba4722c78b19bacbf763b52974b0951e86b2bd3f2b283f474f232643fbce534435386d40c09dee49dc9c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvoZ:hDXWipuE+K3/SSHgxmAZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2660	DEM4BC0.exe
2468	DEMA583.exe
2796	DEMFB11.exe
1996	DEM5080.exe
576	DEMA61F.exe
1844	DEMFB9E.exe

Loads dropped DLL 6 IoCs

pid	Process
1444	05e37214be0c33a2b685bcb2b4fb520f_JaffaCakes118.exe
2660	DEM4BC0.exe
2468	DEMA583.exe
2796	DEMFB11.exe
1996	DEM5080.exe
576	DEMA61F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2660	1444	05e37214be0c33a2b685bcb2b4fb520f_JaffaCakes118.exe	29
PID 1444 wrote to memory of 2660	1444	05e37214be0c33a2b685bcb2b4fb520f_JaffaCakes118.exe	29
PID 1444 wrote to memory of 2660	1444	05e37214be0c33a2b685bcb2b4fb520f_JaffaCakes118.exe	29
PID 1444 wrote to memory of 2660	1444	05e37214be0c33a2b685bcb2b4fb520f_JaffaCakes118.exe	29
PID 2660 wrote to memory of 2468	2660	DEM4BC0.exe	33
PID 2660 wrote to memory of 2468	2660	DEM4BC0.exe	33
PID 2660 wrote to memory of 2468	2660	DEM4BC0.exe	33
PID 2660 wrote to memory of 2468	2660	DEM4BC0.exe	33
PID 2468 wrote to memory of 2796	2468	DEMA583.exe	35
PID 2468 wrote to memory of 2796	2468	DEMA583.exe	35
PID 2468 wrote to memory of 2796	2468	DEMA583.exe	35
PID 2468 wrote to memory of 2796	2468	DEMA583.exe	35
PID 2796 wrote to memory of 1996	2796	DEMFB11.exe	37
PID 2796 wrote to memory of 1996	2796	DEMFB11.exe	37
PID 2796 wrote to memory of 1996	2796	DEMFB11.exe	37
PID 2796 wrote to memory of 1996	2796	DEMFB11.exe	37
PID 1996 wrote to memory of 576	1996	DEM5080.exe	39
PID 1996 wrote to memory of 576	1996	DEM5080.exe	39
PID 1996 wrote to memory of 576	1996	DEM5080.exe	39
PID 1996 wrote to memory of 576	1996	DEM5080.exe	39
PID 576 wrote to memory of 1844	576	DEMA61F.exe	41
PID 576 wrote to memory of 1844	576	DEMA61F.exe	41
PID 576 wrote to memory of 1844	576	DEMA61F.exe	41
PID 576 wrote to memory of 1844	576	DEMA61F.exe	41

C:\Users\Admin\AppData\Local\Temp\05e37214be0c33a2b685bcb2b4fb520f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05e37214be0c33a2b685bcb2b4fb520f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\DEM4BC0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4BC0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\DEMA583.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA583.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\DEMFB11.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFB11.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\DEM5080.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5080.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\DEMA61F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA61F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\DEMFB9E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFB9E.exe"
        7⤵
        Executes dropped EXE
        
        PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA583.exe

Filesize
15KB

MD5
668cff73978f5a63cfa2644a39a31609

SHA1
2890733d0d67902d12c7b4dd8d1df8bcd3ec86cb

SHA256
23904a9ad0cebd75ff85c00ad35a147c8888c4525eaa5f14f6b28a58d609374a

SHA512
e0711724af90dee6f90b66ee335030204d33c7eafb26f4d77bec3d99001180cf1a6bfd16fe28366b9642570efae2b267d71a4bf08dcdfafe2d8102a389a5a9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFB11.exe

Filesize
15KB

MD5
618ff7d78344dfc516d3cb05d5cf42f6

SHA1
e07aa73a10cd5f9b6ab49e19e3ea2da4d5aa95e8

SHA256
15b36b96d42c6fe82457fabba13c94f37eca93eeea9d15356d62e41206ee108a

SHA512
2376736a557b331e57e29e2075640e50c8f2c244fdb2fe9e3b34db9d3f1775cd0cf074aeb256453b10df60475f974333f0f73f591d5eea2136c9a43ab6f78619

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4BC0.exe

Filesize
15KB

MD5
4ffe08b898c70bca187decbc92655571

SHA1
4894fb4e6605a5423a1c3f5864151a5e0ef134f4

SHA256
8c7e42dcdc057d66806635e193cf9fee5d7a0b78dff7395ec79ec23e55501cbd

SHA512
f82a4c8510421580685c5cdb0596c2226c0cd024b90855d9bcc9d7d5d9ccf2d0d3810434dd8232253422dbadc42e5cb4164234777591e232bfd50b9789a90a55

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5080.exe

Filesize
15KB

MD5
0a5a6bc743b07c58cf9bb77dd5fbc384

SHA1
a40f878ec06942477ff6631092b9d837fcf8e945

SHA256
6031360968ff27981e76b74bd7a37f5912cb2d391a8eeff13d6ebfe3f0711784

SHA512
c6ec8f75c8dc7381977827592ea8d0f76b9e31c9315b1c6f7ba71e98996ba1750032094f2d59faad0d4c5d27b76458434151b475deb8608a6157df529f5f7bee

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA61F.exe

Filesize
15KB

MD5
625aeeeb3ae2bfe0970d186543b8667b

SHA1
9b7dd417bb4cf047c7fe432ea8eedff9804e0b1d

SHA256
b2da9919cc0a6fea6aaeb404b992ec707f21ebf8eee561f634f4216612f20721

SHA512
39ff52e3b9e0611e3d5721d1d0173f409d24321125e009ccf282bd0649655b66c4be90c669095a62cd845a57b1392f12346cda0b21ed6834366dde4d588db3a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFB9E.exe

Filesize
15KB

MD5
5bfd48921f4e4aa9fe403122ba57ce9d

SHA1
127722338407d1a14a88de10e20473d332d8a4a9

SHA256
997342a8147774b0f81f582d7f1415194914cecb1af57762b02d0e75767ac2fb

SHA512
46d0552555d7b5a5453a3389d389ac3deefd9c365eadc5741fe47b006e1d0e6fea5a1fa89948d7c4410a41c9d49d2f999e6287c62576a9303ae4eb7543a73432

Download Submit

Analysis

Sharing