66db5f8b36aa1ea9da62a3d944ba382026572afcabd15c9bf88c99db5dab7255

General

Target

0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe
Size

14KB
MD5

0a47fb34dcbb21b5141f2fb00b87beb3
SHA1

eadb4d33eb863ffdc55d8d81588a6d551bbdea58
SHA256

66db5f8b36aa1ea9da62a3d944ba382026572afcabd15c9bf88c99db5dab7255
SHA512

8d6ac2497723668ffc22f032e94632239d62e2044a654ffec4859b3f8d12f828a6c864f93d0e03e8470164526b42d6147da5ba73408bbfabc0af5f00eff5a3e1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhXt0HoV:hDXWipuE+K3/SSHgxgHk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2652	DEMF7B.exe
2536	DEM64BC.exe
2748	DEMBAE6.exe
1904	DEM1056.exe
1564	DEM65E4.exe
2592	DEMBB25.exe

Loads dropped DLL 6 IoCs

pid	Process
2040	0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe
2652	DEMF7B.exe
2536	DEM64BC.exe
2748	DEMBAE6.exe
1904	DEM1056.exe
1564	DEM65E4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2652	2040	0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2652	2040	0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2652	2040	0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2652	2040	0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe	29
PID 2652 wrote to memory of 2536	2652	DEMF7B.exe	31
PID 2652 wrote to memory of 2536	2652	DEMF7B.exe	31
PID 2652 wrote to memory of 2536	2652	DEMF7B.exe	31
PID 2652 wrote to memory of 2536	2652	DEMF7B.exe	31
PID 2536 wrote to memory of 2748	2536	DEM64BC.exe	35
PID 2536 wrote to memory of 2748	2536	DEM64BC.exe	35
PID 2536 wrote to memory of 2748	2536	DEM64BC.exe	35
PID 2536 wrote to memory of 2748	2536	DEM64BC.exe	35
PID 2748 wrote to memory of 1904	2748	DEMBAE6.exe	37
PID 2748 wrote to memory of 1904	2748	DEMBAE6.exe	37
PID 2748 wrote to memory of 1904	2748	DEMBAE6.exe	37
PID 2748 wrote to memory of 1904	2748	DEMBAE6.exe	37
PID 1904 wrote to memory of 1564	1904	DEM1056.exe	39
PID 1904 wrote to memory of 1564	1904	DEM1056.exe	39
PID 1904 wrote to memory of 1564	1904	DEM1056.exe	39
PID 1904 wrote to memory of 1564	1904	DEM1056.exe	39
PID 1564 wrote to memory of 2592	1564	DEM65E4.exe	41
PID 1564 wrote to memory of 2592	1564	DEM65E4.exe	41
PID 1564 wrote to memory of 2592	1564	DEM65E4.exe	41
PID 1564 wrote to memory of 2592	1564	DEM65E4.exe	41

C:\Users\Admin\AppData\Local\Temp\0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\DEMF7B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF7B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\DEM64BC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM64BC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\DEMBAE6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBAE6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\DEM1056.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1056.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\DEM65E4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM65E4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\DEMBB25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB25.exe"
        7⤵
        Executes dropped EXE
        
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1056.exe

Filesize
14KB

MD5
81a52247b5be8790b6269b1405b35bb3

SHA1
1c6f74e7e905555989e51a9d9ff270578c769d11

SHA256
60f0b6a75ed27104d79dd6f82f04e6663b6f551597d5ef1b9614f133b5d679f8

SHA512
2091bb8dc0e322135a849a42d86579bb87212acb06072dd20a4bee1107a1c85db8a597028b69ae9ce2bb851b8c689891d4b8a427faec261222cdfd1d1b0f5c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM64BC.exe

Filesize
14KB

MD5
7ed8443041d7d94b923777852e7b3ebe

SHA1
7b558bfd17c11332704bda7ea696f8c4e15ff0a9

SHA256
6c23511b0b4b7fb3c39835f0600b8ee7d842f49e0164342c9fc3be1f4f7c2832

SHA512
e03bf42b293fb9837c6fb0c6d139ab04faf9a18d6f884d2625f68779f9fc441a5c2db72f30c7abbfa1e34dd1e5b8d1edbbdd31671528966ef9676d8200a5f5c0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM65E4.exe

Filesize
14KB

MD5
0de24bc96928ad38419f48b9b3227101

SHA1
e9a94496418580d433ba078b899f9c3168a022b6

SHA256
900500ebc2400c0e95793ca055473ed4c7f8ed235e4accbf068272e683299718

SHA512
8ee50f3884b9cde645acec71cf148bf177081dcdcdd72aa8cd8e2fb033c8ec3681f19018c11216374a90c878b07e412aa59d0e426c246a4cf1b8e5363ce56e45

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBAE6.exe

Filesize
14KB

MD5
183e0bd1385c856d85cfff19037bee34

SHA1
2480e9ad1f4ff5c5931812c4820d0144a0f18c65

SHA256
bc8a4a163920e33e319172a4275410a1deab0217f168a702e9dc4f450e4170af

SHA512
40a7c76f880e113392a9f546dfcc9226415b254a7f03f71eb14543babc779852a1d0ce0151d7ef3e4c25814c1405202c791ffcd9ba8127907aaa94b8a3fdf2aa

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBB25.exe

Filesize
14KB

MD5
2f1674554a27ccf8dc959a8a53a0b2eb

SHA1
bea8de5faf66c69f28f59738f872f4d12b59c46e

SHA256
590b31ce0cdb4f0267d00d8268a601e1166fcdc9a0c73b68f4d1c50a80d33c29

SHA512
052417ea821672084321c1576df3bad5dd3235d152e74c7d93c4349034611c42c9c424ec8f987d9118e6929469ce5d3ac5121113e397f3816774ae2df431124b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF7B.exe

Filesize
14KB

MD5
5d2d9b7f566447187f1486f44a21e118

SHA1
76857173e3b3bc3912f5b53457009fe19d996ecf

SHA256
a2335ee02e097eb852820624ad231a427f2bac298b05f69418b0e2efaa1297a9

SHA512
acd6a3fb9cc77814a51a6f16e2e75349837ebb2e64e62e324a1409d177697598b620ff8171523c7ec7c508d022e42288c63be23d5cd1b6a3011fd9e2f80c9b34

Download Submit

Analysis

Sharing