5433923231b71ac9066ca601bbf2737e52f335b3d0fe7866afd37b90d5da398f

General

Target

0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
Size

15KB
MD5

0bed5566318e9c699bfef7d0a1ff0de9
SHA1

c33becbe980b8822c26e21311a217673fd25f420
SHA256

5433923231b71ac9066ca601bbf2737e52f335b3d0fe7866afd37b90d5da398f
SHA512

5b4fa781ba238d63fe04b678b1d4b748cf3dba03ac858fdf84bf63c56f7d04b74d07ce07f2daf53bb09e0e31aa8e8e81ab776b2b06e021e7b19beed5c4b24654
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4lCKn97:hDXWipuE+K3/SSHgxmqN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2612	DEM1610.exe
2452	DEM6C0C.exe
2796	DEMC16B.exe
1516	DEM16AC.exe
864	DEM6BFC.exe
1880	DEMC13D.exe

Loads dropped DLL 6 IoCs

pid	Process
2992	0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
2612	DEM1610.exe
2452	DEM6C0C.exe
2796	DEMC16B.exe
1516	DEM16AC.exe
864	DEM6BFC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2612	2992	0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe	29
PID 2992 wrote to memory of 2612	2992	0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe	29
PID 2992 wrote to memory of 2612	2992	0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe	29
PID 2992 wrote to memory of 2612	2992	0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe	29
PID 2612 wrote to memory of 2452	2612	DEM1610.exe	31
PID 2612 wrote to memory of 2452	2612	DEM1610.exe	31
PID 2612 wrote to memory of 2452	2612	DEM1610.exe	31
PID 2612 wrote to memory of 2452	2612	DEM1610.exe	31
PID 2452 wrote to memory of 2796	2452	DEM6C0C.exe	35
PID 2452 wrote to memory of 2796	2452	DEM6C0C.exe	35
PID 2452 wrote to memory of 2796	2452	DEM6C0C.exe	35
PID 2452 wrote to memory of 2796	2452	DEM6C0C.exe	35
PID 2796 wrote to memory of 1516	2796	DEMC16B.exe	37
PID 2796 wrote to memory of 1516	2796	DEMC16B.exe	37
PID 2796 wrote to memory of 1516	2796	DEMC16B.exe	37
PID 2796 wrote to memory of 1516	2796	DEMC16B.exe	37
PID 1516 wrote to memory of 864	1516	DEM16AC.exe	39
PID 1516 wrote to memory of 864	1516	DEM16AC.exe	39
PID 1516 wrote to memory of 864	1516	DEM16AC.exe	39
PID 1516 wrote to memory of 864	1516	DEM16AC.exe	39
PID 864 wrote to memory of 1880	864	DEM6BFC.exe	41
PID 864 wrote to memory of 1880	864	DEM6BFC.exe	41
PID 864 wrote to memory of 1880	864	DEM6BFC.exe	41
PID 864 wrote to memory of 1880	864	DEM6BFC.exe	41

C:\Users\Admin\AppData\Local\Temp\0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\DEM1610.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1610.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\DEM6C0C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6C0C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\DEMC16B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC16B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\DEM16AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM16AC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\DEM6BFC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6BFC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\DEMC13D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC13D.exe"
        7⤵
        Executes dropped EXE
        
        PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1610.exe

Filesize
15KB

MD5
e55ee4dcbcf0d8391f7da2ee196a075c

SHA1
c4d031a8891850e84b89ddc2014bf1b489eee7a7

SHA256
ac5c42e40bfc75357f3734821c6bcb65261ef3a1d1159fc06cd6590d9abf1144

SHA512
dc3b2b98439513a0b5c271059850a86342a5e8feff806578ea9eaea262ffcd20a99f2b4928621deb7caa6edb54e7b10ec14021d52645562649cd5b15ebbedbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6C0C.exe

Filesize
15KB

MD5
f6fea42167413065dc92d48dde8da7e7

SHA1
fced1a07043e032a7a0517fe1429e19da11e98b6

SHA256
0f30c960ffa68d5d45508d2a230a0c9ebbe35b8dbfd578ac896152ad87b5c44f

SHA512
366a0a1c26d96d731a5de80cbd7fa0f8ddbb6a71ce0ce9237995d4aa1c70247a8c4d15fadca07d1dfd9e5adb7baaddb8ef23349caf5ad3063ce978d37195e9da

Download Submit
\Users\Admin\AppData\Local\Temp\DEM16AC.exe

Filesize
15KB

MD5
4892eff3edcdea73368ba7bdd0ac3d86

SHA1
0703eca7141c807e2720a2dc3f3c00dd2022a617

SHA256
330a220e95a9617ac07e16d7aa081a62f3ee54c0f95beb1c6f1a8b6d8e9f4f03

SHA512
9e647b0bb0b09576196a1f9751ef4a50cd4021690c3e1032e3f053bc597e3f470e6527c1de28fc89c832ad622d556d241db9c95d578a6c58a94ed56f422a1253

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6BFC.exe

Filesize
15KB

MD5
820052c80fef706e8864c598b2f82592

SHA1
2b6d695a75c115018f43463715b30d565960b5bc

SHA256
72e2f67e06a59bbc071727ab19224da7f1efec07823eb05afe573c780f50b395

SHA512
45836b4c8ab6ec5aa607c4326b0aa749e070ca4c1b557e8348eac69b43febe6b5ff18519ebac92e2c76d96090016dcbfbc82e77e81875e4b5508edae5998bf10

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC13D.exe

Filesize
15KB

MD5
de67f5b3b3105f8eec1843d4a2e000e5

SHA1
8687ee6bd8e08b320bf08f118741985b1abb3376

SHA256
d3e252ca75a84ac50480893f3c6ca8a35def71b00900d1ea50cdb52939da7208

SHA512
f885eee814a495465e8220e427c99853c545cac702a3e06aff104ba8d412dece15a6c8bd7e146968f2362e487a08e0f17de7c536c3ceb18ce8ca5311123a05b5

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC16B.exe

Filesize
15KB

MD5
01525cba301a495bca30754fc2a5289f

SHA1
d96f4cc1b77b919c594e218c1b62561ac2bc4980

SHA256
0157d2aef9206cb44441441fab1506950fa8f0a07e080a39324fafc283b70436

SHA512
f7d404513d0ebc942e2d9f8b9344f5b743d2518863862ac9dbe8eb5ba6289bbaa763d761f4bb25af3870584c245e8370b8115bcaca1ff5ff8c4107f30292a509

Download Submit

Analysis

Sharing