7a32ee3d2c39bef305d908f01d728e18f10ff8a000968e3a31604bc2ce1e9ad7

General

Target

0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe
Size

16KB
MD5

0753273de4214a1dd437b9d487587efa
SHA1

65dc8ef10aae6634441c178014c91e52631ac60f
SHA256

7a32ee3d2c39bef305d908f01d728e18f10ff8a000968e3a31604bc2ce1e9ad7
SHA512

3e1fb07a06552999f22a6986c953563375bd154d04dc131f9738b4eef47aedd50dd8050713779cee9113305d0191a2b4184053805c886ef58cdc9470efe00aff
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4XL:hDXWipuE+K3/SSHgxmML

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2556	DEM68E1.exe
2424	DEMBFD6.exe
1624	DEM16AC.exe
2428	DEM6DD0.exe
1064	DEMC439.exe
2924	DEM1AA2.exe

Loads dropped DLL 6 IoCs

pid	Process
2180	0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe
2556	DEM68E1.exe
2424	DEMBFD6.exe
1624	DEM16AC.exe
2428	DEM6DD0.exe
1064	DEMC439.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2556	2180	0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2556	2180	0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2556	2180	0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2556	2180	0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2424	2556	DEM68E1.exe	33
PID 2556 wrote to memory of 2424	2556	DEM68E1.exe	33
PID 2556 wrote to memory of 2424	2556	DEM68E1.exe	33
PID 2556 wrote to memory of 2424	2556	DEM68E1.exe	33
PID 2424 wrote to memory of 1624	2424	DEMBFD6.exe	35
PID 2424 wrote to memory of 1624	2424	DEMBFD6.exe	35
PID 2424 wrote to memory of 1624	2424	DEMBFD6.exe	35
PID 2424 wrote to memory of 1624	2424	DEMBFD6.exe	35
PID 1624 wrote to memory of 2428	1624	DEM16AC.exe	37
PID 1624 wrote to memory of 2428	1624	DEM16AC.exe	37
PID 1624 wrote to memory of 2428	1624	DEM16AC.exe	37
PID 1624 wrote to memory of 2428	1624	DEM16AC.exe	37
PID 2428 wrote to memory of 1064	2428	DEM6DD0.exe	39
PID 2428 wrote to memory of 1064	2428	DEM6DD0.exe	39
PID 2428 wrote to memory of 1064	2428	DEM6DD0.exe	39
PID 2428 wrote to memory of 1064	2428	DEM6DD0.exe	39
PID 1064 wrote to memory of 2924	1064	DEMC439.exe	41
PID 1064 wrote to memory of 2924	1064	DEMC439.exe	41
PID 1064 wrote to memory of 2924	1064	DEMC439.exe	41
PID 1064 wrote to memory of 2924	1064	DEMC439.exe	41

C:\Users\Admin\AppData\Local\Temp\0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\DEM68E1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM68E1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\DEM16AC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM16AC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\DEM6DD0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6DD0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\DEMC439.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC439.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\DEM1AA2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1AA2.exe"
        7⤵
        Executes dropped EXE
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe

Filesize
16KB

MD5
d5edb931dbd02cdfc71e645a3dcbc3da

SHA1
29fb07e5017d2ae6c6c638374b2f83e745ba0e2f

SHA256
200e69092763ddd3391da9f5b017badc8c71418946b0ef6457db90b5211c6aec

SHA512
20adc61f1cf13bfba6f470f532e9aef6531b8f6267e6b9db219a80623a3c2692ab8ee27de4e91c4010f86421cb1e47624775aeeb5f21abc58be8bdfd7f33cc1a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM16AC.exe

Filesize
16KB

MD5
95258e4303ebe4f6aaf34451bfeba918

SHA1
2f5eb8bf302de6a2808dd7e0e093cde7c096124b

SHA256
38b49e1f5536e4f6ebfc9a849f1c195859035f7a5d16e9fdeba5fb20c0ecb051

SHA512
76202c553073e766b34884ef0932b135e6a0ca9b5609787a372cdaacf800449915f47347b9f00a48304ce1cb85603275f23d197907a1875d71713a58c582b669

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1AA2.exe

Filesize
16KB

MD5
3c47ddec4eee0b07b31b779720afcba9

SHA1
b89ecc5801bc9179361ab10442ed13cfe9a55e36

SHA256
09d60668ee88303bf4d397e51a27776dfa02212a6eba99a93c75707eb24944a2

SHA512
ce5b7ab7e1c4e5b55f7e407d9d19f7b2bd1d08f5fe1d268dbab1a59ec9c891c2b5cdec6783f0fe8088192b85f0e94b780facf7a693b1d58a2c9e8614ad755599

Download Submit
\Users\Admin\AppData\Local\Temp\DEM68E1.exe

Filesize
16KB

MD5
9481bb4328b76f627d8b68ef2b197e54

SHA1
7aab9b356ed7ad66c2f60297a0748cbdcbaaea63

SHA256
99becc6193b0207ffb04a3c334c9e0331a0f9e64631c37d0cd0942986845399c

SHA512
437891613bbf54ae6217824e4f69fa39d3e49bd4af2a4ec73facb59918df770a3af777f67b7f5ba1c7a1a12aebedbe4eb8559959438759aa8c36c2c59984c26b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6DD0.exe

Filesize
16KB

MD5
b37b6a83e49e34049f42bad9991f512c

SHA1
51a7d0de2ebb116d52e81fdb237265f7205b2b01

SHA256
ae0c6182fc80a7c946559f947da5c3e2f5f0c629a822830e21debfe0842ac00a

SHA512
e45b1aa4a915247c174b4f0b1dd41db3cf597e35e51e5f55b1ed694e72bfa0278339a8bed1d6e2f3c6b9e8fc24b4b3c94338d6d28984a9c14060148cc7b99a63

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC439.exe

Filesize
16KB

MD5
99de515caf76c89ffdecf0f7666ea287

SHA1
86cbf8ce1e8e67c49a0505ae5fab5b4255da90a7

SHA256
f2f44b9bdd8a6de570abb44fa1abc119be135647f280697ec703bb6cee52f09f

SHA512
f8ffd7d5f74164359d12eeb9e56119fc7955a3310fe7418dc023fd0ef6b33f592397cbb6cb348b01532493faef8f81c5da27bc0c7abfc2d2f191843d81be9827

Download Submit

Analysis

Sharing