95e8a905c0407eec857e5340a4bf75a5794b95977181e2d8d0c78d8c86a40a75

General

Target

065c297e7bc1126301e113c7fca602e5_JaffaCakes118.exe
Size

16KB
MD5

065c297e7bc1126301e113c7fca602e5
SHA1

12cdcd7dcecf81c4d4fae025e1f1f1e39455de27
SHA256

95e8a905c0407eec857e5340a4bf75a5794b95977181e2d8d0c78d8c86a40a75
SHA512

13fe1faa74cba378f23c65842c25d5106910e70f235732e61981bb0387094df7b59b7ce4f01a806e3962d504041618ad258c8a5f0c7f41a271aeb91275399d81
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl4d:hDXWipuE+K3/SSHgxmlw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2512	DEM3E29.exe
2436	DEM9647.exe
2504	DEMECCF.exe
1816	DEM429C.exe
1628	DEM9914.exe
2072	DEMEF9C.exe

Loads dropped DLL 6 IoCs

pid	Process
2036	065c297e7bc1126301e113c7fca602e5_JaffaCakes118.exe
2512	DEM3E29.exe
2436	DEM9647.exe
2504	DEMECCF.exe
1816	DEM429C.exe
1628	DEM9914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2512	2036	065c297e7bc1126301e113c7fca602e5_JaffaCakes118.exe	29
PID 2036 wrote to memory of 2512	2036	065c297e7bc1126301e113c7fca602e5_JaffaCakes118.exe	29
PID 2036 wrote to memory of 2512	2036	065c297e7bc1126301e113c7fca602e5_JaffaCakes118.exe	29
PID 2036 wrote to memory of 2512	2036	065c297e7bc1126301e113c7fca602e5_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2436	2512	DEM3E29.exe	33
PID 2512 wrote to memory of 2436	2512	DEM3E29.exe	33
PID 2512 wrote to memory of 2436	2512	DEM3E29.exe	33
PID 2512 wrote to memory of 2436	2512	DEM3E29.exe	33
PID 2436 wrote to memory of 2504	2436	DEM9647.exe	35
PID 2436 wrote to memory of 2504	2436	DEM9647.exe	35
PID 2436 wrote to memory of 2504	2436	DEM9647.exe	35
PID 2436 wrote to memory of 2504	2436	DEM9647.exe	35
PID 2504 wrote to memory of 1816	2504	DEMECCF.exe	37
PID 2504 wrote to memory of 1816	2504	DEMECCF.exe	37
PID 2504 wrote to memory of 1816	2504	DEMECCF.exe	37
PID 2504 wrote to memory of 1816	2504	DEMECCF.exe	37
PID 1816 wrote to memory of 1628	1816	DEM429C.exe	39
PID 1816 wrote to memory of 1628	1816	DEM429C.exe	39
PID 1816 wrote to memory of 1628	1816	DEM429C.exe	39
PID 1816 wrote to memory of 1628	1816	DEM429C.exe	39
PID 1628 wrote to memory of 2072	1628	DEM9914.exe	41
PID 1628 wrote to memory of 2072	1628	DEM9914.exe	41
PID 1628 wrote to memory of 2072	1628	DEM9914.exe	41
PID 1628 wrote to memory of 2072	1628	DEM9914.exe	41

C:\Users\Admin\AppData\Local\Temp\065c297e7bc1126301e113c7fca602e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\065c297e7bc1126301e113c7fca602e5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\DEM3E29.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3E29.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\DEM9647.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9647.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\DEMECCF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMECCF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Users\Admin\AppData\Local\Temp\DEM429C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM429C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Users\Admin\AppData\Local\Temp\DEM9914.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9914.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\DEMEF9C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEF9C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9647.exe

Filesize
16KB

MD5
86b794fa861a49aca0f4d6a46a6a789a

SHA1
03fa4c3962c2eb3d2855c6897f501626b05c6846

SHA256
b7576950f1358b0810103d57aa39a15e57e3eddc4175d60c9dd383b3e10369ea

SHA512
26ba7d8643fc9f3a33521bcab4732e86150f52e8bc152e04e1bed5e495a14a9e6cdd25260c2e482a7b81a2f20b68736bc8717303035295dfdcf47e11974c9ef7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3E29.exe

Filesize
16KB

MD5
060d09240e74f623910614dea190cb28

SHA1
31a2db1b5cecb3193b2cf158603e3a5fd24c923c

SHA256
c1f874df0ace1e674b8c379fee3c9015ab3bf587e9cad686bd6f571adcb8c799

SHA512
9ba5bf96fca375e7efc574a9326178b978ac1a1e9e973abab3860e5a72ced5449f9850001c28313944f98ce7cc1a6b5191bd6253ccc68b56678807a79b532750

Download Submit
\Users\Admin\AppData\Local\Temp\DEM429C.exe

Filesize
16KB

MD5
c8fe56e56c91b2c1126af2444562f79f

SHA1
d166f40fbbd8631b7598d61f4c6119a5d93664de

SHA256
96cd47c262e913af30bf587b9be979a89512d02fc7b85047da9d075d9d203b7b

SHA512
c6cfb557f661e24eef8da3821c02b77cb076ce140ac816152e50c652486bb14396e21c14f28eaab13e73d3fb9c6f2cb3693421ab4458c9cebbce616ff7fd76ea

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9914.exe

Filesize
16KB

MD5
c5ade771050139098dbced7dec117a7d

SHA1
bfc47653b5b99e01c21c9572810696e04f0d48d5

SHA256
4ad2818f5818fa3aa62a6a7d677344060d6efc2d5b71443cde0fb8174291dba7

SHA512
5031618617337a65a7307cf80b2c4ff05769783de2023a17b97b157c76dd6b6ef3261ec6748bf0352f11dfec8e46eefc16a808ed2d857e39e2604515fd122e08

Download Submit
\Users\Admin\AppData\Local\Temp\DEMECCF.exe

Filesize
16KB

MD5
85e3862970b4e6d491e166382648d24d

SHA1
407274651ab75bb2b03d48366c5d474fadd03220

SHA256
dc588540717457de85c00a2765a91a3a3913294f00b85862eb25d56e3607f0d8

SHA512
9fdc27d01c2bb13f15236c6e62c9fc8f3995c26e910ada0d1446dcbcc62e503e4b0232f523a084c5574cb5c3e6d3baf62de6ce8f5704f0c62021b7e374655681

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEF9C.exe

Filesize
16KB

MD5
7e23132d1427990720a7ba5759840d80

SHA1
84c436fbca694d331a212a5cdaf07a540bc87bc3

SHA256
ddf4674c1d0627db69f24cf34fe9c77005c0b00a0b188b465104572419eb7348

SHA512
673705b0fec4ace65a76d258c447c6cf13d1f7dafd6f666515c1d12de73318d66b27adfeb870ea19d5018576d47e515c0b5034ca751312b4c68972580a3ab35f

Download Submit

Analysis

Sharing