ee5eec198234968bd985e30330ad089a888dc2ace5d5e6c2f37e60113064846f

General

Target

065679f632c2d1712b084ff4390278fd_JaffaCakes118.exe
Size

20KB
MD5

065679f632c2d1712b084ff4390278fd
SHA1

e147e40d2a0122b21fa4ea207c19d3fe17afa1b0
SHA256

ee5eec198234968bd985e30330ad089a888dc2ace5d5e6c2f37e60113064846f
SHA512

8afb3637a5b460b4f350ec73c8cdfc9cbbb904433646f8be7e5c252febb1dd4dd173caf59f2107be38c6e5859a383d6764b0fa1fe106beb16fce0fc8f89e7f92
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4v:hDXWipuE+K3/SSHgxmHZv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2936	DEM8F06.exe
2620	DEME560.exe
2940	DEM3B2C.exe
1516	DEM91B5.exe
1840	DEME85C.exe
1612	DEM3E29.exe

Loads dropped DLL 6 IoCs

pid	Process
1084	065679f632c2d1712b084ff4390278fd_JaffaCakes118.exe
2936	DEM8F06.exe
2620	DEME560.exe
2940	DEM3B2C.exe
1516	DEM91B5.exe
1840	DEME85C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2936	1084	065679f632c2d1712b084ff4390278fd_JaffaCakes118.exe	31
PID 1084 wrote to memory of 2936	1084	065679f632c2d1712b084ff4390278fd_JaffaCakes118.exe	31
PID 1084 wrote to memory of 2936	1084	065679f632c2d1712b084ff4390278fd_JaffaCakes118.exe	31
PID 1084 wrote to memory of 2936	1084	065679f632c2d1712b084ff4390278fd_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2620	2936	DEM8F06.exe	33
PID 2936 wrote to memory of 2620	2936	DEM8F06.exe	33
PID 2936 wrote to memory of 2620	2936	DEM8F06.exe	33
PID 2936 wrote to memory of 2620	2936	DEM8F06.exe	33
PID 2620 wrote to memory of 2940	2620	DEME560.exe	35
PID 2620 wrote to memory of 2940	2620	DEME560.exe	35
PID 2620 wrote to memory of 2940	2620	DEME560.exe	35
PID 2620 wrote to memory of 2940	2620	DEME560.exe	35
PID 2940 wrote to memory of 1516	2940	DEM3B2C.exe	37
PID 2940 wrote to memory of 1516	2940	DEM3B2C.exe	37
PID 2940 wrote to memory of 1516	2940	DEM3B2C.exe	37
PID 2940 wrote to memory of 1516	2940	DEM3B2C.exe	37
PID 1516 wrote to memory of 1840	1516	DEM91B5.exe	39
PID 1516 wrote to memory of 1840	1516	DEM91B5.exe	39
PID 1516 wrote to memory of 1840	1516	DEM91B5.exe	39
PID 1516 wrote to memory of 1840	1516	DEM91B5.exe	39
PID 1840 wrote to memory of 1612	1840	DEME85C.exe	41
PID 1840 wrote to memory of 1612	1840	DEME85C.exe	41
PID 1840 wrote to memory of 1612	1840	DEME85C.exe	41
PID 1840 wrote to memory of 1612	1840	DEME85C.exe	41

C:\Users\Admin\AppData\Local\Temp\065679f632c2d1712b084ff4390278fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\065679f632c2d1712b084ff4390278fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\DEM8F06.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8F06.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\DEME560.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME560.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\DEM3B2C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3B2C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\DEM91B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM91B5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\DEME85C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME85C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\DEM3E29.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3E29.exe"
        7⤵
        Executes dropped EXE
        
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8F06.exe

Filesize
20KB

MD5
f573b0dd439d94dc8d2481ac7bb92b3c

SHA1
5d87282b4cd13df83fa31b73d1f89d8ebad22424

SHA256
1a02ca235671c497bfac0a4ed0585f1a78ebdcb40926dbed9f2279a1be7cbc86

SHA512
882713cf519cea33b953f12f78de5b027d6198816dccbbc336f5ef783c9a00eca7e8595e51cbe2753ea55a598efffa404a4534e89714fe1e8cfac81edafad132

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM91B5.exe

Filesize
20KB

MD5
39b98ab4a475cc3db60ef9dcfd553c97

SHA1
d84982b97125b4507b0a58dc31fb2227eab9a6a7

SHA256
80e8765916c2e4f6185b2623ce15d15e9b93f7fe9eee84315ea4b53a68d31ef4

SHA512
9f2d0a7a8adcd7f8539b92f38bb79d21c09ca29f17922edac9336415f186ed2b8c290963c8928600fa2e5201f2560b5509c64c27a5a05c1393b332b021d63a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME560.exe

Filesize
20KB

MD5
a2296cb53eee1e2ce570e2bcd1062f67

SHA1
de55a8dc36e74830968f8d9212e900e550a92efd

SHA256
c9521751503f37e9354df7a5ca15d4638ba4eacfd3267d90b3b0853bda58713d

SHA512
68a66127bc20b5b33852b6251b437ac035baaae16529880a6c9598eb58f175fb7720620c8f277cf0e66bee8a69fefd759ea8c9e4483f340f8039996b1c9ff99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME85C.exe

Filesize
20KB

MD5
1d34f49511834904f76a4369339205ec

SHA1
01ad9212b4321153a5aa6023ee98eda29c5a1329

SHA256
6352e67f9047f11210187a8dfb08d2745125303bf2b94e3874b290a124a4cf7f

SHA512
0fcbb88f3034ff6426c83dd8554ea2b5da3c1139eef9b9d25f47a4ffe8f55a3205702a44501301ab8872af9abe69258bdccab3c2c4bd99b656a3c2815c1d5321

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3B2C.exe

Filesize
20KB

MD5
230dc0e194f0071ebb43b1b74585e296

SHA1
eb3a23d3c9dd1530c27a7269ba9ab0ef336ae99c

SHA256
56fd6d81feaa9d6893ed1371018246fca067200fbccfa00b6c26f61992c6607d

SHA512
f71cd5a078cdd5fb9434d28a4dc78f83b41f9b5a0307733a87d771895f0b6a8c651a0388502451b2e082389a2b10aa776257c3c42214ae0e15e8dad0af64e8cf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3E29.exe

Filesize
20KB

MD5
64581e32df1b6a47ca7f0abfc11c374e

SHA1
e0c36b3b005eb0711ac0a59481b935eca5b29958

SHA256
81f90f44f3470988aa62e3bf67aaa6b725c4b9e004da7a9b50053f719fd861f9

SHA512
3f928d6c3d480765ba5336112fdf8c530761aab53fde408da07316a0532dfe6a036233d378b5ac9ec3b6ae605a0831e5592f551fdd87bb79c35442964cb97958

Download Submit

Analysis

Sharing