2c3e242ee5a6d94b2b0eef39e63dc90e564bdc15002d391ef6bcea36f34de0cf

General

Target

0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe
Size

14KB
MD5

0a170fd332a6b77161bb4c18c179bded
SHA1

4489d151fe8e984bad6ce708998c874649b22469
SHA256

2c3e242ee5a6d94b2b0eef39e63dc90e564bdc15002d391ef6bcea36f34de0cf
SHA512

a67da547cecd8e46f19f9ddd2a3d3682bca19456a3a18d1bf8b7dc48afd36cef48b41663775d6334b613864c1595eeab75b08dcc3db47b96e4b5cddd8decddb8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv50:hDXWipuE+K3/SSHgxl50

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2640	DEM149A.exe
1976	DEM6AA5.exe
2872	DEMBFE5.exe
1320	DEM1574.exe
1028	DEM6AF3.exe
2040	DEMC033.exe

Loads dropped DLL 6 IoCs

pid	Process
2320	0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe
2640	DEM149A.exe
1976	DEM6AA5.exe
2872	DEMBFE5.exe
1320	DEM1574.exe
1028	DEM6AF3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2640	2320	0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2640	2320	0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2640	2320	0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2640	2320	0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe	29
PID 2640 wrote to memory of 1976	2640	DEM149A.exe	31
PID 2640 wrote to memory of 1976	2640	DEM149A.exe	31
PID 2640 wrote to memory of 1976	2640	DEM149A.exe	31
PID 2640 wrote to memory of 1976	2640	DEM149A.exe	31
PID 1976 wrote to memory of 2872	1976	DEM6AA5.exe	35
PID 1976 wrote to memory of 2872	1976	DEM6AA5.exe	35
PID 1976 wrote to memory of 2872	1976	DEM6AA5.exe	35
PID 1976 wrote to memory of 2872	1976	DEM6AA5.exe	35
PID 2872 wrote to memory of 1320	2872	DEMBFE5.exe	37
PID 2872 wrote to memory of 1320	2872	DEMBFE5.exe	37
PID 2872 wrote to memory of 1320	2872	DEMBFE5.exe	37
PID 2872 wrote to memory of 1320	2872	DEMBFE5.exe	37
PID 1320 wrote to memory of 1028	1320	DEM1574.exe	39
PID 1320 wrote to memory of 1028	1320	DEM1574.exe	39
PID 1320 wrote to memory of 1028	1320	DEM1574.exe	39
PID 1320 wrote to memory of 1028	1320	DEM1574.exe	39
PID 1028 wrote to memory of 2040	1028	DEM6AF3.exe	41
PID 1028 wrote to memory of 2040	1028	DEM6AF3.exe	41
PID 1028 wrote to memory of 2040	1028	DEM6AF3.exe	41
PID 1028 wrote to memory of 2040	1028	DEM6AF3.exe	41

C:\Users\Admin\AppData\Local\Temp\0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\DEM149A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM149A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\DEM6AA5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6AA5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\DEMBFE5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBFE5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Users\Admin\AppData\Local\Temp\DEM1574.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1574.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\DEM6AF3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6AF3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\DEMC033.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC033.exe"
        7⤵
        Executes dropped EXE
        
        PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6AA5.exe

Filesize
14KB

MD5
255256a7483da21483ff97b215b893e8

SHA1
9d59f3f7dc1bd00fb0b8fa316067583652efce4d

SHA256
41329ba8dde1b49f2985743b3423222eb7628d5d8e67590a7a2bcc836ca85bb9

SHA512
7bcd7dec2a68d8f21da266a82acbdab09d1b51dc7a204a82964d3c29c5aeabf9746c9f251adc985d439be0967d2aa61fc9e3f2c7b7925c8f40efb1ea8520835c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM149A.exe

Filesize
14KB

MD5
76e87cad7ace7dd6c5a81636071e76cd

SHA1
a72f21712f1ad8c72be3e9113f1067ce318b7e29

SHA256
4d30560fc66b2c4a8f9463292742bae822e96a0799c822eccc67f016fbc98034

SHA512
2cf7f9d812f7bfe8d6810e33756e567bf6fae10ce4a29ee1a044cd544af9287c2c5c8edafd9382de47a6cb2aac5d48cf8c21a4e14b676f6edcc6f48df0beac5f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1574.exe

Filesize
14KB

MD5
f16c5dcfeeff29c34567b7b9b91ace74

SHA1
c1eec27aba2ef3e284609fd77e21217d67c54a4c

SHA256
b3f4ff78d6d7e8fc8a6e134769f17629684c48494106d3df01d8bbcff8883cfb

SHA512
2711cec7393d21f41d353758c8466b6de9e33c4df1e1e1a74439b3941fb1c5375ae70e07c1c39bd25916d465a7e74e79ea4ba476e8378283aa97e6857862d77d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6AF3.exe

Filesize
14KB

MD5
e471d465245645aecfece05504072179

SHA1
2bd2e05102a4b9e9f5776b73447a572278962dd9

SHA256
4e4a5b52a49aa0fdcf4da0c4703fa63c256d341d444f576bd8848ee6a35a36df

SHA512
389625104396a189ac341d46aa07ad8cd5e74ebdc32f952ac0b9a92543f101242bd536608820fca32d0026e10769210210c10a44a924a1cffc57c3458ec58269

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBFE5.exe

Filesize
14KB

MD5
b84ab18217c3479eb6a47e58da24d6d3

SHA1
05720f5419a5c89ce406ab9157809c35bafae65b

SHA256
4dda0d49ffb85bcbf3426cb94adb08353bd20a2e2e8d1c334e24222972ae6a3c

SHA512
a1002b671267e2bf69cbb986098dd056eef1e11c5fcf77075cfd20a4927f9ce511d0ced54807c60bd46f37a944b20599d766353b33e36e3212635f953bd78800

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC033.exe

Filesize
14KB

MD5
200a96cb290b67d3a2c6ceedf428d8a0

SHA1
9792535259e4635f2020f9eb889ed6c848d0c587

SHA256
44890385e1bcb8c2f5744cec3710cd286c55b2d64f2ece3b1892c2d473923480

SHA512
df054e23fef32ef2f965e4a544429246b558a79ca91b0b21576b543bb2d258be890d29ab3d6596d90bc64e62bd9e798cfde14086693062358dade760c04bdde5

Download Submit

Analysis

Sharing