fed5291c2443e49e70d89de0f944621a4dead8e16e023947a0f3923598aac816

General

Target

06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe
Size

16KB
MD5

06e931b42b33ab3a95c666b5fc2ae6fa
SHA1

97d8d1909fe36851133a65228c14b58b922b8367
SHA256

fed5291c2443e49e70d89de0f944621a4dead8e16e023947a0f3923598aac816
SHA512

98bac124308982722c3f848db8bd2f56f739d73449a035f06f059f67a099afe2ce164208d63906fd557a6f62f9311166ac21b0dcda1e4b3d2dc5d7f46528443d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5Z7+K:hDXWipuE+K3/SSHgxl50K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3040	DEMC9E.exe
2892	DEM623C.exe
3004	DEMB73E.exe
1588	DEMCDC.exe
1376	DEM6317.exe
2364	DEMB8A5.exe

Loads dropped DLL 6 IoCs

pid	Process
756	06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe
3040	DEMC9E.exe
2892	DEM623C.exe
3004	DEMB73E.exe
1588	DEMCDC.exe
1376	DEM6317.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 3040	756	06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe	29
PID 756 wrote to memory of 3040	756	06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe	29
PID 756 wrote to memory of 3040	756	06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe	29
PID 756 wrote to memory of 3040	756	06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe	29
PID 3040 wrote to memory of 2892	3040	DEMC9E.exe	31
PID 3040 wrote to memory of 2892	3040	DEMC9E.exe	31
PID 3040 wrote to memory of 2892	3040	DEMC9E.exe	31
PID 3040 wrote to memory of 2892	3040	DEMC9E.exe	31
PID 2892 wrote to memory of 3004	2892	DEM623C.exe	35
PID 2892 wrote to memory of 3004	2892	DEM623C.exe	35
PID 2892 wrote to memory of 3004	2892	DEM623C.exe	35
PID 2892 wrote to memory of 3004	2892	DEM623C.exe	35
PID 3004 wrote to memory of 1588	3004	DEMB73E.exe	37
PID 3004 wrote to memory of 1588	3004	DEMB73E.exe	37
PID 3004 wrote to memory of 1588	3004	DEMB73E.exe	37
PID 3004 wrote to memory of 1588	3004	DEMB73E.exe	37
PID 1588 wrote to memory of 1376	1588	DEMCDC.exe	39
PID 1588 wrote to memory of 1376	1588	DEMCDC.exe	39
PID 1588 wrote to memory of 1376	1588	DEMCDC.exe	39
PID 1588 wrote to memory of 1376	1588	DEMCDC.exe	39
PID 1376 wrote to memory of 2364	1376	DEM6317.exe	41
PID 1376 wrote to memory of 2364	1376	DEM6317.exe	41
PID 1376 wrote to memory of 2364	1376	DEM6317.exe	41
PID 1376 wrote to memory of 2364	1376	DEM6317.exe	41

C:\Users\Admin\AppData\Local\Temp\06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\DEM623C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM623C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\DEMB73E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB73E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Users\Admin\AppData\Local\Temp\DEMCDC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCDC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\DEM6317.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6317.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\DEMB8A5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB8A5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM623C.exe

Filesize
16KB

MD5
306cdb4d4b0f2a39106e8f2d810fdbdb

SHA1
4a76a2ad05b7aaf46824f83228c1a21d4633f188

SHA256
3083e52972d2b7af1ec62c0387f330955e8ab1a8e68fb94b6a8d04520721e19a

SHA512
eb9550e2731b2ca76990ede32546bc01de13441b825e7c6ab15fc3a21a4cdb23c1149ef36ae20ee9477a2009cb4cc1c9d2696f6ba311758b05ab113123e037cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6317.exe

Filesize
16KB

MD5
9507620e9e990a6af53b17b711537f8b

SHA1
73af51a88b6efecc9eb0ed75e22952432e85bbb8

SHA256
32fcac1bc8d79ead5e5046a30d056d920cbad330b9da60ab4158e2e00fcd62f6

SHA512
9fb352522cc6c76ecfc8c19550b392f00e527579ede4f8fb7a5f28b1c5c9398147adfdfa2227827cdcf8d8a9b28c58da5b1baf7b7d61cdb0b644f6c7128ddcf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB73E.exe

Filesize
16KB

MD5
25999499bac63bc0ceaa6ef50d95c25d

SHA1
3fc35768e39c393ec5e76ca1945f30fbca16ca30

SHA256
eee35442fd743705abb05f002c8cbc155d2b28600e304c0dbe9be3ff16cfa75b

SHA512
30e1ea1db99f850c84edc1aa67f73a29c6367bf68dcd94c361dc9a935eb6eb407a0de4ad02727ab3f1d935452cbdd1115d5e237a3f596499a13bce2efb537bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe

Filesize
16KB

MD5
0093a5d4b37cbbc86cc7d9a085504025

SHA1
9fec29813f17369b181197757ec130412d1dcaff

SHA256
fd40c1a47c489f5d4c6577bae8bbd14462a8eebc874fcdd209efe3f77527f252

SHA512
fb5d78ad75c6d17f90a07920e7a7b7cc036f6a3f95aacd27fbd1644449ba2d13b636cae7a2af76a503bd006b3de88bc95b6ba0c118a22730937d24b0c4b8cc01

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB8A5.exe

Filesize
16KB

MD5
a4608fddaef9903f708a33243fa0707f

SHA1
42c471b2f9ccd39b92306e9b6060ab92378abc20

SHA256
4501a182928b2b0f0f4f84ade0f691b7768b24927ccf17e3e8af1169d4417825

SHA512
8184d29bb8ed7efbeaab75f5933058ee9562da99ce0cb152fc691eccca3c2b69a4c6a874ddeab798513b9a125f4efb5baf5eea331c84cf1e5647168dc869a4de

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCDC.exe

Filesize
16KB

MD5
3dde8902a784d192f4ac894e73e77d91

SHA1
085a10f52e7002b4ee043d58946cfdb53b38e70b

SHA256
e330ef25fc84a3f031e83e239d3d4bdfe0c9cbf0f4af1def57b411c6f28042c4

SHA512
6747bf55c1f1ddc249652102bde39f7424b399071573ed54c8ef262c43f446550cff299234e33fcc68929dfe1ab130654abad0f42cfd48321a121c86dbd860b6

Download Submit

Analysis

Sharing