d610127347f554f34c4622bb8817df666b98bfc8c276ac2159d170d927acf908

General

Target

06a8bf5856b5715892dbb8d4de73b13a_JaffaCakes118.exe
Size

14KB
MD5

06a8bf5856b5715892dbb8d4de73b13a
SHA1

248e58e182bca59a6ab3a88857492ecace9e163c
SHA256

d610127347f554f34c4622bb8817df666b98bfc8c276ac2159d170d927acf908
SHA512

ee2804b97d6aba2822656ac0b949f51abbadc9c0f864474ca5b5eae0e0d6acc49a55fd0cbb0d56bb86e125129605432f8fc171cdda9b11a9f304bd3ec94c2836
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhiV:hDXWipuE+K3/SSHgxLiV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1316	DEM230B.exe
2436	DEM78A9.exe
2812	DEMCE76.exe
1960	DEM2388.exe
1620	DEM78C8.exe
3028	DEMCE77.exe

Loads dropped DLL 6 IoCs

pid	Process
2088	06a8bf5856b5715892dbb8d4de73b13a_JaffaCakes118.exe
1316	DEM230B.exe
2436	DEM78A9.exe
2812	DEMCE76.exe
1960	DEM2388.exe
1620	DEM78C8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1316	2088	06a8bf5856b5715892dbb8d4de73b13a_JaffaCakes118.exe	29
PID 2088 wrote to memory of 1316	2088	06a8bf5856b5715892dbb8d4de73b13a_JaffaCakes118.exe	29
PID 2088 wrote to memory of 1316	2088	06a8bf5856b5715892dbb8d4de73b13a_JaffaCakes118.exe	29
PID 2088 wrote to memory of 1316	2088	06a8bf5856b5715892dbb8d4de73b13a_JaffaCakes118.exe	29
PID 1316 wrote to memory of 2436	1316	DEM230B.exe	33
PID 1316 wrote to memory of 2436	1316	DEM230B.exe	33
PID 1316 wrote to memory of 2436	1316	DEM230B.exe	33
PID 1316 wrote to memory of 2436	1316	DEM230B.exe	33
PID 2436 wrote to memory of 2812	2436	DEM78A9.exe	35
PID 2436 wrote to memory of 2812	2436	DEM78A9.exe	35
PID 2436 wrote to memory of 2812	2436	DEM78A9.exe	35
PID 2436 wrote to memory of 2812	2436	DEM78A9.exe	35
PID 2812 wrote to memory of 1960	2812	DEMCE76.exe	37
PID 2812 wrote to memory of 1960	2812	DEMCE76.exe	37
PID 2812 wrote to memory of 1960	2812	DEMCE76.exe	37
PID 2812 wrote to memory of 1960	2812	DEMCE76.exe	37
PID 1960 wrote to memory of 1620	1960	DEM2388.exe	39
PID 1960 wrote to memory of 1620	1960	DEM2388.exe	39
PID 1960 wrote to memory of 1620	1960	DEM2388.exe	39
PID 1960 wrote to memory of 1620	1960	DEM2388.exe	39
PID 1620 wrote to memory of 3028	1620	DEM78C8.exe	41
PID 1620 wrote to memory of 3028	1620	DEM78C8.exe	41
PID 1620 wrote to memory of 3028	1620	DEM78C8.exe	41
PID 1620 wrote to memory of 3028	1620	DEM78C8.exe	41

C:\Users\Admin\AppData\Local\Temp\06a8bf5856b5715892dbb8d4de73b13a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06a8bf5856b5715892dbb8d4de73b13a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\DEM230B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM230B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\DEM78A9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM78A9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\DEM2388.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2388.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\DEM78C8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM78C8.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\DEMCE77.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE77.exe"
        7⤵
        Executes dropped EXE
        
        PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM230B.exe

Filesize
14KB

MD5
24a6067a783c706acab3185d69a3f5dd

SHA1
85adf4be4e905df1f41c64d43a75a2ecfc6111c0

SHA256
30ca10b3032592a30937aab43983a287a2220b2e88a88108a38efdb7ad9e8760

SHA512
f0879813102a2714e858eedc89b81de3f9dd19dfd1210ccdf49cdec339a4aa15e165445884496fa567c41ccb8138a406eb89dabc4419bd8d2a4d1c3d282d8803

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2388.exe

Filesize
14KB

MD5
9a53d704fc018467766a40555294bf94

SHA1
be173451c3dda1ad232c93c0996c736cba7538b7

SHA256
39e244d12075e85ec9d383e8ed09ae48a1a0d29a0d8435df575c25cfd9cd8f4a

SHA512
fdd90445a797a39d6087db59032b9db7e4dd74ed69a7ad3d39954eddb1ee44f74d2f08497aafd3fab34501d51ad0199628705a4aba7535aed2be707e24d26567

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM78A9.exe

Filesize
14KB

MD5
070e7dc8199b288b9ae90f8955a36067

SHA1
9cb9a38a18b0b0591a7c7a8394a1ec4f8933c60a

SHA256
ad437e7f392fba63247565c136fabec2fb917b2c48965caa6cb22d02a8fb2eca

SHA512
a2a75242b004a39bae8439ef03a805571d28db32a596cb8d025ccd6a912d0b79cc087229f4e313c42dceaf8eccbf423f8ec7c01a5b6c986019ab7dc752f7db4a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM78C8.exe

Filesize
14KB

MD5
a9df538d37de792fcbddc42a01f33a72

SHA1
436accbc92bacda57cf8bfc6e33b1fb55768e05e

SHA256
da152d55e530f30e3e8a30485fcabf6aed2e34e2703ba3f382a5b40922089ba3

SHA512
b2273d6a271bb5f4144a7d80b9a6de8473100507eb551860d795c8cc2ced5e2446209283dad678f631574dda696ce6f730466818b3272617a54a81fba5684d05

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCE76.exe

Filesize
14KB

MD5
d580639814932159d47e0ffa1335201c

SHA1
2382484dee89f364a013066c05c15052466e9add

SHA256
a76021ef3bab807fd7886463188d23bb819358ae5b66f464c5050d0a0b5aeb81

SHA512
7f8441e3209415e62e851d193ff3a55518c1119b46927a7309979f5b3563d4eadc514e4d5605a8fa111bfc3e57e615b29587cf0ddd6bb4c03a5145f3a87dddd5

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCE77.exe

Filesize
14KB

MD5
d22e95f41869a1807c1cc5df4bd8a24f

SHA1
c823da03ab628db8d45ad475fd0a9f9fd6e98d67

SHA256
fba20ec99ad815b9233070fe16186d36a8cb9eaf9e4083ce6f7eb8712a0c0aae

SHA512
3447389300632d6f33c3b9ccf5d2dada754fc6d904920f00f3600b6750c292bcb975bf28b69e39937d8257c5c1a88706762640fa698f8f5bfee58dd669792115

Download Submit

Analysis

Sharing