56697b254e8af68aeb8a6940dfff89088f1e96b43e36bdb062c0fb63f938092a

General

Target

0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe
Size

14KB
MD5

0a845cefe0ae5cb677c9f1b6cce7aa17
SHA1

4af06678f4e6e2614ecdb78d4b567763911dd6c2
SHA256

56697b254e8af68aeb8a6940dfff89088f1e96b43e36bdb062c0fb63f938092a
SHA512

96460cc081f0f6bdc08c9ff025dde992b9dff91d238ac7a4061d62a0638dc62f26c4409a46d624faf5611ff9804deacaee25c023cfa18af8800ea17e47f092a2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhXc5:hDXWipuE+K3/SSHgxq5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2760	DEM1239.exe
2416	DEM67F7.exe
1828	DEMBD75.exe
2328	DEM1278.exe
3036	DEM67E7.exe
2788	DEMBD18.exe

Loads dropped DLL 6 IoCs

pid	Process
2748	0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe
2760	DEM1239.exe
2416	DEM67F7.exe
1828	DEMBD75.exe
2328	DEM1278.exe
3036	DEM67E7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2760	2748	0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe	29
PID 2748 wrote to memory of 2760	2748	0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe	29
PID 2748 wrote to memory of 2760	2748	0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe	29
PID 2748 wrote to memory of 2760	2748	0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2416	2760	DEM1239.exe	31
PID 2760 wrote to memory of 2416	2760	DEM1239.exe	31
PID 2760 wrote to memory of 2416	2760	DEM1239.exe	31
PID 2760 wrote to memory of 2416	2760	DEM1239.exe	31
PID 2416 wrote to memory of 1828	2416	DEM67F7.exe	35
PID 2416 wrote to memory of 1828	2416	DEM67F7.exe	35
PID 2416 wrote to memory of 1828	2416	DEM67F7.exe	35
PID 2416 wrote to memory of 1828	2416	DEM67F7.exe	35
PID 1828 wrote to memory of 2328	1828	DEMBD75.exe	37
PID 1828 wrote to memory of 2328	1828	DEMBD75.exe	37
PID 1828 wrote to memory of 2328	1828	DEMBD75.exe	37
PID 1828 wrote to memory of 2328	1828	DEMBD75.exe	37
PID 2328 wrote to memory of 3036	2328	DEM1278.exe	39
PID 2328 wrote to memory of 3036	2328	DEM1278.exe	39
PID 2328 wrote to memory of 3036	2328	DEM1278.exe	39
PID 2328 wrote to memory of 3036	2328	DEM1278.exe	39
PID 3036 wrote to memory of 2788	3036	DEM67E7.exe	41
PID 3036 wrote to memory of 2788	3036	DEM67E7.exe	41
PID 3036 wrote to memory of 2788	3036	DEM67E7.exe	41
PID 3036 wrote to memory of 2788	3036	DEM67E7.exe	41

C:\Users\Admin\AppData\Local\Temp\0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\DEM1239.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1239.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\DEM67F7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM67F7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\DEMBD75.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBD75.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\DEM1278.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1278.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\DEM67E7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM67E7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\DEMBD18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD18.exe"
        7⤵
        Executes dropped EXE
        
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM67F7.exe

Filesize
14KB

MD5
e5eb8d6c699f49fe2d888c662ff29227

SHA1
c6052475582b93ab3e954dd8b9f4bfc9ae587fee

SHA256
86ced92826159438881c50bd75ba14adfdbb6756604ed75b087df8a8d383bbb4

SHA512
ed5dc4ffcd8ccb9d567415142606f61d4d4949ba87aed65e782725d2d2cdd84084539cdf1a54cf9e77e3efd188ce5aedc5515f671f2dd950aa3e6f79b2a7ac60

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1239.exe

Filesize
14KB

MD5
6b9a46d43b318bf684f3028d37bc0402

SHA1
782c034b9ba3c5b98e7b2d33b6a57547989f9c0d

SHA256
64568a629024fc90f394489c42208a053a126b2da14d2584425e3c37ccb2201a

SHA512
d9e2ae568d8ab778e9ecda82a9f1d29aa0715e7a5ae7694c204bf0648f7e425be085a01c9a2999d57ae0dda9a613fc50f07dec74a10bfffdf9262729b3884993

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1278.exe

Filesize
14KB

MD5
e4fea9cb438eca7333c358356e2e3f3d

SHA1
40767d2aebd1275fd3e1d6466aefddeda42dd525

SHA256
20ca775f0b2c34e7d8ab28ca61dc35741098f70d48d27f4fdfb6bace628d5e2b

SHA512
29c5274a5642362799fa7093d91101a9f39cec24cb30bc2b0eeb8959ecf292e901814b779674ed4a744ef78626c79c124264be5921bb8e89c4f413600e2d7227

Download Submit
\Users\Admin\AppData\Local\Temp\DEM67E7.exe

Filesize
14KB

MD5
fbce21c9a41218a91eb02dd54cdd67ba

SHA1
013b01e2b3e210fe999c39d55f0dd43ac4db0e2d

SHA256
7b968544bad2f457e8b42b91e9a133346d64bb170fb06a65d7fc0d113c4bb08c

SHA512
cdc47660c56341ea5f5c6c8cc38df5154ee1b207b0d85da46cf1f224f983a23719f01a3fb3efdffa71e7ee77e68c00c4f57ae220af48935b5024c8a20d4382c0

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD18.exe

Filesize
14KB

MD5
dd47601311aac5acad534d8b72dc3d86

SHA1
fecaa30ced314c9ce45a36ddf27986cb6088a69f

SHA256
69bdb3a182ceccd2c8de1c313c3d7f2c8950f273f9cf2c08b7a2fcd9766b2beb

SHA512
36e87c83f95b54250b83c19a2f749844e6daf270782c8c6b169000a2adfb92e2af582cbc99cfa20762a26c34cfccd98c5e88dd9336b00705c28a2fa9707e13cc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD75.exe

Filesize
14KB

MD5
4e108fe4c36ddc33521e0ea5434a911a

SHA1
f09712fe44889dcd915376e7a00c1633c4bf8b0f

SHA256
34a154bf4ffd2079b1a00c8453518b8158335aa1a8780368970067626e38e537

SHA512
d3b7fd590740db8f46be0c4013e140bee407f49ffbf0d493ae1624397d4b4dd968019009732fde4ca7d193fa95b7f94cfd312bf95e9d6128ca1c155a86993cd1

Download Submit

Analysis

Sharing