e15fe97fe55e1da5c472cab396e6feee25db3bfe0f8e6b5e05231b4e4bd89623

General

Target

0bd772410b6d9f28a056502d6ae7f2b2_JaffaCakes118.exe
Size

16KB
MD5

0bd772410b6d9f28a056502d6ae7f2b2
SHA1

fac20b34445b134d19e444bdb575b49b94fe1b33
SHA256

e15fe97fe55e1da5c472cab396e6feee25db3bfe0f8e6b5e05231b4e4bd89623
SHA512

4cbd1e6df841782905af998407b5a09359a68d19eaae0c3c6044b45a3ca0164eb45a5f7f1b5755b3f34df2136a136d7d7e1f73170682683e0414e1f1bed27557
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhayP25:hDXWipuE+K3/SSHgxZq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2564	DEM12B6.exe
2484	DEM6816.exe
2752	DEMBD75.exe
1972	DEM12C6.exe
2524	DEM6864.exe
2828	DEMBE11.exe

Loads dropped DLL 6 IoCs

pid	Process
856	0bd772410b6d9f28a056502d6ae7f2b2_JaffaCakes118.exe
2564	DEM12B6.exe
2484	DEM6816.exe
2752	DEMBD75.exe
1972	DEM12C6.exe
2524	DEM6864.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2564	856	0bd772410b6d9f28a056502d6ae7f2b2_JaffaCakes118.exe	29
PID 856 wrote to memory of 2564	856	0bd772410b6d9f28a056502d6ae7f2b2_JaffaCakes118.exe	29
PID 856 wrote to memory of 2564	856	0bd772410b6d9f28a056502d6ae7f2b2_JaffaCakes118.exe	29
PID 856 wrote to memory of 2564	856	0bd772410b6d9f28a056502d6ae7f2b2_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2484	2564	DEM12B6.exe	31
PID 2564 wrote to memory of 2484	2564	DEM12B6.exe	31
PID 2564 wrote to memory of 2484	2564	DEM12B6.exe	31
PID 2564 wrote to memory of 2484	2564	DEM12B6.exe	31
PID 2484 wrote to memory of 2752	2484	DEM6816.exe	35
PID 2484 wrote to memory of 2752	2484	DEM6816.exe	35
PID 2484 wrote to memory of 2752	2484	DEM6816.exe	35
PID 2484 wrote to memory of 2752	2484	DEM6816.exe	35
PID 2752 wrote to memory of 1972	2752	DEMBD75.exe	37
PID 2752 wrote to memory of 1972	2752	DEMBD75.exe	37
PID 2752 wrote to memory of 1972	2752	DEMBD75.exe	37
PID 2752 wrote to memory of 1972	2752	DEMBD75.exe	37
PID 1972 wrote to memory of 2524	1972	DEM12C6.exe	39
PID 1972 wrote to memory of 2524	1972	DEM12C6.exe	39
PID 1972 wrote to memory of 2524	1972	DEM12C6.exe	39
PID 1972 wrote to memory of 2524	1972	DEM12C6.exe	39
PID 2524 wrote to memory of 2828	2524	DEM6864.exe	41
PID 2524 wrote to memory of 2828	2524	DEM6864.exe	41
PID 2524 wrote to memory of 2828	2524	DEM6864.exe	41
PID 2524 wrote to memory of 2828	2524	DEM6864.exe	41

C:\Users\Admin\AppData\Local\Temp\0bd772410b6d9f28a056502d6ae7f2b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bd772410b6d9f28a056502d6ae7f2b2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\DEM12B6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM12B6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\DEM6816.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6816.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\DEMBD75.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBD75.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Users\Admin\AppData\Local\Temp\DEM6864.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6864.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\DEMBE11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBE11.exe"
        7⤵
        Executes dropped EXE
        
        PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6816.exe

Filesize
16KB

MD5
be720272bc95f576cc3d37272346de15

SHA1
90a72a8f419180cf9b5cd41419cc9820dad60f8b

SHA256
6fda6a0f9c87ffd8ba570801bc7516af2b27823dc48a9515a4e26f0bf103da09

SHA512
05f73f2c6fe723b02faf6c19200e58e56b4843d91832bb5c96567e6ebdbbbce78799ef0e87f24c6e99f035a478f0097438ac138281e3682c0a1f4ca31232c1bc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM12B6.exe

Filesize
16KB

MD5
6e70000fed60ada6111bc87f8742b96d

SHA1
580f12d3749d7ff1c94f222517b75b7327e67929

SHA256
6594e701e4bb6a1caf811fa6d0702f21bf8f920e39d8dce60c97ebce9d1bb34c

SHA512
45cc278a2f23944def76577f004d318fbdd7995850dac1b9348a78fd59109d0e73eb9a36b183b6c6d3931df946f71ae9df9a4a2199abc0cfe1741e86ee21fa41

Download Submit
\Users\Admin\AppData\Local\Temp\DEM12C6.exe

Filesize
16KB

MD5
61ef4ac831ad1ddb29a7b9489c7d60e8

SHA1
2e8515bdd3464b22808cf5c47caf1fe1a8489f7c

SHA256
3f73d2e7df99ccbba72ace2aecd3e6f6ae80e620165ce9267775a1f2ad88054e

SHA512
7bbd2bfae48d1cb5525594a56947c98ad620c55a8987ba42584ab22cb091dc434f51aba497cbd1a3255fab92dcc240387b2bf9dafae4cf9660a69ed2ba37f15c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6864.exe

Filesize
16KB

MD5
e05e77c3977481092d81632669d63b4c

SHA1
896a40252eb2c00b017d04d86239f89189367819

SHA256
1daad47c17f6507fc139daecfc5b2b9987d145c0bea5ea1b11dbe8341923eab6

SHA512
c8d771592154dbda5da62a2c81a1c1422a2cfb2ae6b3c92e31c3ff4cbeaad08e741d06aaa3c40ffb8e19e2a94ab2f2ffe4c3d8760644128ba93a694782a85144

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD75.exe

Filesize
16KB

MD5
2b31f17e8bbd59d44e0c040d4584d14d

SHA1
a1caf0159f18ccb071566367fc838f2d779fb293

SHA256
4525b132dbb1c7b4cc0748e9142933769c045fd084667fe2809611bd84d4d45a

SHA512
372b37be56ff6a1e1b557b036a615bba2dabce933c6f026837f194f47d726ae0239bbac30988e27a225c35ca4cae188ea9cbda1c8a6521c126bc7582f30658ff

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBE11.exe

Filesize
16KB

MD5
d4f87492ae40f0240926adfd50541ff8

SHA1
40899fb7c2f11c0277c2ef9b8a017fdbc2cb1853

SHA256
403f8d0671274c8bce324371c7acfc68ca90a9d07215d0ac4569f79478e7ffd9

SHA512
b7d517447eb8e38705dc26c27db0a9d50cd91cf7b1be1445198739224c3ef283ed5ecf64dd108eb24c69338660f5f9fed396284e18007111117132442c7865ce

Download Submit

Analysis

Sharing