5ae55a196808bcaf6fbde8c0b65e73397157d6854fa4e024e6d3d78a74917f2c

General

Target

0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe
Size

20KB
MD5

0aa50059e9c5744036c27ee7f4465a3c
SHA1

d4a1cd00e08bb86dd169215ebcee22a2ad384566
SHA256

5ae55a196808bcaf6fbde8c0b65e73397157d6854fa4e024e6d3d78a74917f2c
SHA512

77c4be036fc7ab2b681febf8674daaf7e570a5f446fc4b2ac4bbaf0c8b6fa487c9dc9fcf674ecf8bdbc75de6ec855b329dd82e2d38da034f63165dd41ed42f3c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41qr:hDXWipuE+K3/SSHgxmHZ1e

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2792	DEM6BBE.exe
1708	DEMC34F.exe
2756	DEM1A35.exe
2328	DEM7149.exe
2000	DEMC7E1.exe
1176	DEM1E2B.exe

Loads dropped DLL 6 IoCs

pid	Process
2440	0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe
2792	DEM6BBE.exe
1708	DEMC34F.exe
2756	DEM1A35.exe
2328	DEM7149.exe
2000	DEMC7E1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2792	2440	0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe	29
PID 2440 wrote to memory of 2792	2440	0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe	29
PID 2440 wrote to memory of 2792	2440	0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe	29
PID 2440 wrote to memory of 2792	2440	0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe	29
PID 2792 wrote to memory of 1708	2792	DEM6BBE.exe	33
PID 2792 wrote to memory of 1708	2792	DEM6BBE.exe	33
PID 2792 wrote to memory of 1708	2792	DEM6BBE.exe	33
PID 2792 wrote to memory of 1708	2792	DEM6BBE.exe	33
PID 1708 wrote to memory of 2756	1708	DEMC34F.exe	35
PID 1708 wrote to memory of 2756	1708	DEMC34F.exe	35
PID 1708 wrote to memory of 2756	1708	DEMC34F.exe	35
PID 1708 wrote to memory of 2756	1708	DEMC34F.exe	35
PID 2756 wrote to memory of 2328	2756	DEM1A35.exe	37
PID 2756 wrote to memory of 2328	2756	DEM1A35.exe	37
PID 2756 wrote to memory of 2328	2756	DEM1A35.exe	37
PID 2756 wrote to memory of 2328	2756	DEM1A35.exe	37
PID 2328 wrote to memory of 2000	2328	DEM7149.exe	39
PID 2328 wrote to memory of 2000	2328	DEM7149.exe	39
PID 2328 wrote to memory of 2000	2328	DEM7149.exe	39
PID 2328 wrote to memory of 2000	2328	DEM7149.exe	39
PID 2000 wrote to memory of 1176	2000	DEMC7E1.exe	41
PID 2000 wrote to memory of 1176	2000	DEMC7E1.exe	41
PID 2000 wrote to memory of 1176	2000	DEMC7E1.exe	41
PID 2000 wrote to memory of 1176	2000	DEMC7E1.exe	41

C:\Users\Admin\AppData\Local\Temp\0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\DEM6BBE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6BBE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\DEMC34F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC34F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\DEM7149.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7149.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\DEMC7E1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC7E1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\DEM1E2B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1E2B.exe"
        7⤵
        Executes dropped EXE
        
        PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMC34F.exe

Filesize
20KB

MD5
a7ccd854ee73a9738a2b23162998cb6d

SHA1
1f32419210be048948fa7e94ea0194c49973150f

SHA256
fc800ccd877cf97a938c701e6cad7e043229afd4d98e7b30b53ad61e16907ef5

SHA512
ca14e9484bf19840b216de6bb08d1b41cea2ea64344ce43e796830b87b7b019c65d2294cef3e60ab01b99dd4943244c978711b39c1c686b04c556e85a36e7def

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A35.exe

Filesize
20KB

MD5
c020c861e21c1b01aba228f79a4a4cda

SHA1
02d8b8b4343dfa0b7a9c2ced6d2b93831b7a6062

SHA256
541d064a66fb2b8ccca2c747cd9311620e8d25584ca441c792d4e980d65e5573

SHA512
55efa853dbea5bfc7acdbe0087824f93e4ce9ae5919f46faf374afaa818b1d4ca37f961e09fe599ec7f36732c6e088df15b851df6404add32c0510fc4db567f3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1E2B.exe

Filesize
20KB

MD5
57e8ce5a13d5e46edda5b48475e0e629

SHA1
960595daf2903d2cd91582f551d24db3e6be217a

SHA256
d8b6e6fcdd4370cc40d12729d971484b4a2ef9a381c9ccd0890c9bb7e843c7e1

SHA512
722ec6f038c3bb8849dd481525297d4cdb678d499ae38ae047a478590456437aac09b37f3f64db6a7df177bb5400b2bc5099ba583220b8384a13c0c44561d8a2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6BBE.exe

Filesize
20KB

MD5
c17be8ca961d28c883b3e59202d20b71

SHA1
db9a49d08ebfa07a36c070377a505fd454d0ee6e

SHA256
f601023a24d43748dd1f67f589570f23706276060543a8fd7498c1ebdd0c9b13

SHA512
4ef15eea635d7a8a6f12590b3d0f5d49a10550a4c8e2bdf3e6fb74c30ac3b6120f75781e5da8a3cfdd2c663e30b93ee99a69f0077fd8ff3fae8231dce20aef23

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7149.exe

Filesize
20KB

MD5
ead02394b4abd914669faa3f187c8b8e

SHA1
c3a68e4263119fdf02b7109dc1d86829f7fe4969

SHA256
d5c114dd2aad94000e203cb7019584f88b87cdade8f4203df48e5a23b6a76273

SHA512
5005608ccde71e675f56b0cc479dabbde67e154e9160872c6ee25f682f53d2b213f730ebbd72f1c53a84607abd60b6f6a80e85c27a80025960c13de8c067b565

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC7E1.exe

Filesize
20KB

MD5
7beedae57b2880eb29b39b64d392956a

SHA1
be208e800a47a240d801afd4f84b707523c38c9e

SHA256
72a19a0895b3d80a68625107c43047d908915892f46b1da2821f75985ef88f12

SHA512
1341ba35b16e934dca988a27d5237854c40377b975d8d43c55abb44f5dc5734bcf22203be709fc9b9f499cf2da11070d08f807b62942cc743dcce13350df5049

Download Submit

Analysis

Sharing