4eb30f9ef046ff8cc420c6fd54a77d7595b7544b6f5b28dd9b9dc9da896840d3

General

Target

09f612804dc52cb93587c62135351097_JaffaCakes118.exe
Size

15KB
MD5

09f612804dc52cb93587c62135351097
SHA1

7810ff828c246e9354172f17f54bf30c79031b3e
SHA256

4eb30f9ef046ff8cc420c6fd54a77d7595b7544b6f5b28dd9b9dc9da896840d3
SHA512

53f3e0952e21fd4c9b6bfca34812a3e7261dc07b6a10e1c07e3990df92bf8088305e7329658882407e1e11944136a4030976d8bde78c567c662c0b420b9d432e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvAhV:hDXWipuE+K3/SSHgxm4T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3068	DEM1FE0.exe
2776	DEM7530.exe
2736	DEMCA9F.exe
1644	DEM1FC0.exe
2428	DEM74C3.exe
536	DEMC9D4.exe

Loads dropped DLL 6 IoCs

pid	Process
2524	09f612804dc52cb93587c62135351097_JaffaCakes118.exe
3068	DEM1FE0.exe
2776	DEM7530.exe
2736	DEMCA9F.exe
1644	DEM1FC0.exe
2428	DEM74C3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3068	2524	09f612804dc52cb93587c62135351097_JaffaCakes118.exe	29
PID 2524 wrote to memory of 3068	2524	09f612804dc52cb93587c62135351097_JaffaCakes118.exe	29
PID 2524 wrote to memory of 3068	2524	09f612804dc52cb93587c62135351097_JaffaCakes118.exe	29
PID 2524 wrote to memory of 3068	2524	09f612804dc52cb93587c62135351097_JaffaCakes118.exe	29
PID 3068 wrote to memory of 2776	3068	DEM1FE0.exe	31
PID 3068 wrote to memory of 2776	3068	DEM1FE0.exe	31
PID 3068 wrote to memory of 2776	3068	DEM1FE0.exe	31
PID 3068 wrote to memory of 2776	3068	DEM1FE0.exe	31
PID 2776 wrote to memory of 2736	2776	DEM7530.exe	35
PID 2776 wrote to memory of 2736	2776	DEM7530.exe	35
PID 2776 wrote to memory of 2736	2776	DEM7530.exe	35
PID 2776 wrote to memory of 2736	2776	DEM7530.exe	35
PID 2736 wrote to memory of 1644	2736	DEMCA9F.exe	37
PID 2736 wrote to memory of 1644	2736	DEMCA9F.exe	37
PID 2736 wrote to memory of 1644	2736	DEMCA9F.exe	37
PID 2736 wrote to memory of 1644	2736	DEMCA9F.exe	37
PID 1644 wrote to memory of 2428	1644	DEM1FC0.exe	39
PID 1644 wrote to memory of 2428	1644	DEM1FC0.exe	39
PID 1644 wrote to memory of 2428	1644	DEM1FC0.exe	39
PID 1644 wrote to memory of 2428	1644	DEM1FC0.exe	39
PID 2428 wrote to memory of 536	2428	DEM74C3.exe	41
PID 2428 wrote to memory of 536	2428	DEM74C3.exe	41
PID 2428 wrote to memory of 536	2428	DEM74C3.exe	41
PID 2428 wrote to memory of 536	2428	DEM74C3.exe	41

C:\Users\Admin\AppData\Local\Temp\09f612804dc52cb93587c62135351097_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09f612804dc52cb93587c62135351097_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\DEM1FE0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1FE0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\DEM7530.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7530.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\DEMCA9F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCA9F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\DEM1FC0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1FC0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Users\Admin\AppData\Local\Temp\DEM74C3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM74C3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\DEMC9D4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC9D4.exe"
        7⤵
        Executes dropped EXE
        
        PID:536

Network

No results found

10.180.0.115:1337

09f612804dc52cb93587c62135351097_JaffaCakes118.exe

152 B
3
10.180.0.115:1337

DEM1FE0.exe

152 B
3
10.180.0.115:1337

DEM7530.exe

152 B
3
10.180.0.115:1337

DEMCA9F.exe

152 B
3
10.180.0.115:1337

DEM1FC0.exe

152 B
3
10.180.0.115:1337

DEM74C3.exe

152 B
3
10.180.0.115:1337

DEMC9D4.exe

152 B
3

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1FC0.exe

Filesize
15KB

MD5
db63fac063e53480eefe551204200d72

SHA1
08785bc2f8109474235c54df109d623e9105c0be

SHA256
4d1a38d0c374026ae590cd75fead0251affccf2144c5bee6100d5ce1a11c78fe

SHA512
e39363cfc1bf6210c3ae5f84459176d7f2688c8b12df8dbd3fe43d8f4051297f524a884524232bb6250a0f8baccc84b1b862aa7a7daff84bf1a62ef1b13da271

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1FE0.exe

Filesize
15KB

MD5
55b1fe2ebf20f82b82c92de127090ae8

SHA1
e24f8b2e7778898c786ebb9d962fc9f5ae0a9cfb

SHA256
c40b9416c16f450d1d72c7751e28cc0b631b362e1772d811e23ad690d10061f7

SHA512
58c980b9cba3d7eb389306f7de8a5e699eb047a1008abeaa8ba48a1fb00f5bf644a21c5d44e8e123f573ffd293a9a218e2cbdef15e68996fc93b4c7e26189f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7530.exe

Filesize
15KB

MD5
5c49d7ed59557e5623b3530804e5dd84

SHA1
278d8067fd15c019944a3d7f239deec4dcae994f

SHA256
5526f0d8064e5c8f1ca28b7f04bdd62062bc9a857cf900ffd757b97c7bae7055

SHA512
c5cdea57399d6aad02fd9582d8ac77ef3c61c86797d3fab904a12bbdeb301cf038f3abbdda8d12cacf9557813d76200b39bc9ae89cba63b9b506cabf7c510f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA9F.exe

Filesize
15KB

MD5
edf403f5f10ab752de0931aaa0aaf3bf

SHA1
a32eee5d53835bdfbc972f63774b31babe0369c0

SHA256
593a6bbab9da2c6a8e3eb3c2436ff056d8c866493296c984354d390df8ce05ae

SHA512
df00aac8f3b8507d0d2c2fe6de3f573861e8fbaf7fdc35e88a5489cae96d27dbd04b294d366cbed58647d611fe10a2f43a6998fb73cd805e6fea2ce7863f6197

Download Submit
\Users\Admin\AppData\Local\Temp\DEM74C3.exe

Filesize
15KB

MD5
fa7e9f57fccfb2241c3037d00e975fbf

SHA1
ef2978dca8b212ac54ce63bcdf3239671045cbae

SHA256
facc0b73808908f1efc1e4424fb3b110b5bca7a5b6aa0cd2a6b1c8a650d91748

SHA512
8edaaf57199d3bf482cc85f1d90df9031ce8d086a6b9f669fff7bb8e77fe01bfff2758ff01b00e22d188bf6a72d66068ddf86b525e1f2455c9fdcdf4e334e074

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC9D4.exe

Filesize
15KB

MD5
59a40c8f7604a281cb83291c73f2d3f9

SHA1
666bea8f245085509ae122658b1025f4cbe30b55

SHA256
6ab9ee4b11c6ed25cd567681ad8d2c68ff85aa15a358b9bcfa12c589b9692371

SHA512
baa9e7f146cdea655eca204a98a6406bd03eab15645426ed28ccecff050dbde5751e744f85794552801a43b543c220fe46754d683a04da38f9b630b781a8d058

Download Submit

Analysis

Sharing