a8054060ea7a103dc8d2943aea79c5cfed3645c23c1027fcfd042e6d14daf847

General

Target

06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
Size

15KB
MD5

06d39b248619f7fda87fc5847d7a6ef2
SHA1

9b80ecd44a4c26020bd38bc75358ff9d684e1477
SHA256

a8054060ea7a103dc8d2943aea79c5cfed3645c23c1027fcfd042e6d14daf847
SHA512

b8d11cd602a5ef4bfd7419950666e5c80f3023070554b4825e41d8e37a258f4ec5811942a0d28c5315eb49633da66cab30c90fc6c292fa211a1932cfaff7a8a2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvAz2d:hDXWipuE+K3/SSHgxm4U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2624	DEM147A.exe
2556	DEM69EA.exe
2688	DEMBFC6.exe
2280	DEM14E8.exe
2028	DEM6A38.exe
2764	DEMBF97.exe

Loads dropped DLL 6 IoCs

pid	Process
1836	06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
2624	DEM147A.exe
2556	DEM69EA.exe
2688	DEMBFC6.exe
2280	DEM14E8.exe
2028	DEM6A38.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2624	1836	06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe	29
PID 1836 wrote to memory of 2624	1836	06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe	29
PID 1836 wrote to memory of 2624	1836	06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe	29
PID 1836 wrote to memory of 2624	1836	06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe	29
PID 2624 wrote to memory of 2556	2624	DEM147A.exe	31
PID 2624 wrote to memory of 2556	2624	DEM147A.exe	31
PID 2624 wrote to memory of 2556	2624	DEM147A.exe	31
PID 2624 wrote to memory of 2556	2624	DEM147A.exe	31
PID 2556 wrote to memory of 2688	2556	DEM69EA.exe	35
PID 2556 wrote to memory of 2688	2556	DEM69EA.exe	35
PID 2556 wrote to memory of 2688	2556	DEM69EA.exe	35
PID 2556 wrote to memory of 2688	2556	DEM69EA.exe	35
PID 2688 wrote to memory of 2280	2688	DEMBFC6.exe	37
PID 2688 wrote to memory of 2280	2688	DEMBFC6.exe	37
PID 2688 wrote to memory of 2280	2688	DEMBFC6.exe	37
PID 2688 wrote to memory of 2280	2688	DEMBFC6.exe	37
PID 2280 wrote to memory of 2028	2280	DEM14E8.exe	39
PID 2280 wrote to memory of 2028	2280	DEM14E8.exe	39
PID 2280 wrote to memory of 2028	2280	DEM14E8.exe	39
PID 2280 wrote to memory of 2028	2280	DEM14E8.exe	39
PID 2028 wrote to memory of 2764	2028	DEM6A38.exe	41
PID 2028 wrote to memory of 2764	2028	DEM6A38.exe	41
PID 2028 wrote to memory of 2764	2028	DEM6A38.exe	41
PID 2028 wrote to memory of 2764	2028	DEM6A38.exe	41

C:\Users\Admin\AppData\Local\Temp\06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\DEM147A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM147A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\DEMBFC6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBFC6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\DEM14E8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM14E8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\DEMBF97.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBF97.exe"
        7⤵
        Executes dropped EXE
        
        PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe

Filesize
15KB

MD5
dc6a0447edbfd0a9ecf39150e5643170

SHA1
5de4d159a577d3742e36601dbd563bd775e1826e

SHA256
008d4bc550e2d2527bb019d3b03c6597ee44c38bfa5ea078c9b85a3e032c3f51

SHA512
6eb95fe022f7885a8c2676a2b40047e4fd360b31f524a22febe7ef75af6449140653c84359c5ab25a71245944d7137b0c268afc2911bec20eb7e390e6acffac2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM147A.exe

Filesize
15KB

MD5
80e1a33b6dc417bffa0f9f9b85ce9fe3

SHA1
2a1df707db718186d67dffef60cb8182abc46ca5

SHA256
15a0d0bbfe03668f2111be7c6f72ff19e70fc56f9db4b9fa8a3d500b12663806

SHA512
421b8720901cf7be9decc634b4f44e773a9207d16a6a9204caa650c6474a2df633aa02f151d3d123749ca71da13ed457774efae8086e4977f6b0fa1c00dfd209

Download Submit
\Users\Admin\AppData\Local\Temp\DEM14E8.exe

Filesize
15KB

MD5
296c45af1ca00b215e9ba14b94bff9df

SHA1
f7384a3117eea381da46788978a4ac02a49555a0

SHA256
f9c3b7dde56ccd5cf1b811051e22b3278c07e46109db51f7a8306bfaafa4aec4

SHA512
90a7bb9fb4aadfd02c062527ff40e4e07a68b2f9b5384545d1bc48c2c3b44578736e713b439b297baf345b3d2f3887b108776179393a62b36df16f2dfe44364e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6A38.exe

Filesize
15KB

MD5
a6997e8858fd9ccb9adfa7d9108f1cf2

SHA1
e1839638a0adadff2aaf635193443981e0f0f881

SHA256
82b6f274c79d5ffd058c3e3174449a1a18066ae88740ef60b8b7f19e9371f969

SHA512
b25322bb7361108bfd638daf4ed5a5de838488f73c7862e937e94828063fb2059d78b4ab4c09123549167d0320b97018f864836481d5ab5dff9c1051e3eb746e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBF97.exe

Filesize
15KB

MD5
430cf4e017c91638e638c56a4a609cc5

SHA1
c0d2dbe8427023fcbaeb026f948eb78cd1c7da80

SHA256
24faa394a70597bcc5e4bbde2dc7eb737fd1512b1fcf5b382163c088b7f65e99

SHA512
86582d43b97d976032d2bcef07d329ce95b8fa87a92f1a23027771446aabc6b238beb8d5f2c7fb961cd7d9043ff3fffcf0f80080f6f96ecdf449f4d621937582

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBFC6.exe

Filesize
15KB

MD5
23f1b19b804c4b3457ee31ff90fc9676

SHA1
6833706725459c1b8cd0478d9a007e3265389ea1

SHA256
d5a0c87c9d29eed377c802cd25e7d00c04c1756c7e215f2bf37c991886210e0d

SHA512
c0b3b2c81485b750754edd97e56180ab6f3a12ebc351c2b855dd55ddf511333e84ecb4803af1f99272b5818b28d69d8169038fb6f7df89ecf636c17c29e68f12

Download Submit

Analysis

Sharing