434f722ffdf743a797daafdf030583ea0ecba8ef0c00a3b1919de069b09e31bb

General

Target

0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe
Size

16KB
MD5

0b3e5b5e936df11e5d3626151c19ebe8
SHA1

0622f11bc61e1e1400a91f7cdd51a22c78b20fb2
SHA256

434f722ffdf743a797daafdf030583ea0ecba8ef0c00a3b1919de069b09e31bb
SHA512

d21a45ee4897f69aee3d7aa8d7f763d8a8fe4c4f7c0fb1ef28da029d555fcd6ad5abdcaa1e7e9d7f07729eda97caafd0195eca35d0e471350e5e9615a0b65433
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZll:hDXWipuE+K3/SSHgx3ll

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2708	DEM10E2.exe
1620	DEM6651.exe
1964	DEMBB82.exe
1852	DEM10E3.exe
1828	DEM6642.exe
2656	DEMBB83.exe

Loads dropped DLL 6 IoCs

pid	Process
2832	0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe
2708	DEM10E2.exe
1620	DEM6651.exe
1964	DEMBB82.exe
1852	DEM10E3.exe
1828	DEM6642.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2708	2832	0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2708	2832	0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2708	2832	0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2708	2832	0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe	29
PID 2708 wrote to memory of 1620	2708	DEM10E2.exe	31
PID 2708 wrote to memory of 1620	2708	DEM10E2.exe	31
PID 2708 wrote to memory of 1620	2708	DEM10E2.exe	31
PID 2708 wrote to memory of 1620	2708	DEM10E2.exe	31
PID 1620 wrote to memory of 1964	1620	DEM6651.exe	35
PID 1620 wrote to memory of 1964	1620	DEM6651.exe	35
PID 1620 wrote to memory of 1964	1620	DEM6651.exe	35
PID 1620 wrote to memory of 1964	1620	DEM6651.exe	35
PID 1964 wrote to memory of 1852	1964	DEMBB82.exe	37
PID 1964 wrote to memory of 1852	1964	DEMBB82.exe	37
PID 1964 wrote to memory of 1852	1964	DEMBB82.exe	37
PID 1964 wrote to memory of 1852	1964	DEMBB82.exe	37
PID 1852 wrote to memory of 1828	1852	DEM10E3.exe	39
PID 1852 wrote to memory of 1828	1852	DEM10E3.exe	39
PID 1852 wrote to memory of 1828	1852	DEM10E3.exe	39
PID 1852 wrote to memory of 1828	1852	DEM10E3.exe	39
PID 1828 wrote to memory of 2656	1828	DEM6642.exe	41
PID 1828 wrote to memory of 2656	1828	DEM6642.exe	41
PID 1828 wrote to memory of 2656	1828	DEM6642.exe	41
PID 1828 wrote to memory of 2656	1828	DEM6642.exe	41

C:\Users\Admin\AppData\Local\Temp\0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\DEM6651.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6651.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\DEMBB82.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBB82.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Users\Admin\AppData\Local\Temp\DEM10E3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM10E3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Users\Admin\AppData\Local\Temp\DEM6642.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6642.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\DEMBB83.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB83.exe"
        7⤵
        Executes dropped EXE
        
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM10E3.exe

Filesize
16KB

MD5
5643b7fe26fcf47a4b5ef6e994bce91d

SHA1
86cce02c50f3677a890283dde7ab3e7af8247ec8

SHA256
49dd453fe1bf4901679bde37fe7938a08ecfcfa75f71637abead33c4e8542d17

SHA512
07dd4cff10e6566a769dc1e73e0c40950011cdb437d8259eb48ea1a8403195325b41dc69460484b60d24b9ae4155c646ff187e7120374aefdd0c43f2c3e21053

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6651.exe

Filesize
16KB

MD5
a3457281b45f69b3bf3e90b185a752d6

SHA1
e1cdb344e70e6648a6c3f1a0dcb239b858c54fc2

SHA256
080650f068cdee3c5e7d17bb3f995a568ae394aea5c7f792a83c9da87b387e3a

SHA512
00696e7e87357ba9702faf9260cad18f9cae3b339119d9ef5fba35af6ca551745f26573062575bd150e122dd7b30041f118f751ce56b02bb66579717c7eb3637

Download Submit
\Users\Admin\AppData\Local\Temp\DEM10E2.exe

Filesize
16KB

MD5
a5a9c8160d7f695f44e703f94af7eb7b

SHA1
9ba627e1c82a6492616ad40ace95760a8b2d376d

SHA256
9aae583c0ac9f7d56a9e4ac496cd3212aa2f99368995bdc99dc08a4d843afe1a

SHA512
522b877aecdf8c89935b4d30eddf11fd8c0de5625aadb25f4faa34385a24eb84d4082bf33bb61cebc627130222fbe035c9794dd11f8648133addd84f27cd549b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6642.exe

Filesize
16KB

MD5
0ce4d22f291cb52fb0838e53e5bb9dac

SHA1
f0e1498c6a7ed36857c230692eaa4bbc22803fd1

SHA256
16cf6667fedfe76abeab8c8f6b188f1f4e148a8e8e6c0470a79859fb91649112

SHA512
9bdaec74bb199c2f6ab18b2ebfd852499f14b0d61001b570ee35f998e958ad9151e0c3892d3200ee46cd555a6c3bdf786b33831e0937fe0fbe80baddbc98ce13

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBB82.exe

Filesize
16KB

MD5
e1bde190394440473b929281ec36c93a

SHA1
ddd283c58aef49eccd558ddbfdeec185cff1afab

SHA256
bda95f50605a021c1407a7a0bb3f9a30028e11b8da39ae518e5e0b1757031779

SHA512
45cc21c6c87f03f47abac205f19574eed8fd579725403eed3dc9bee897858c7b60adf48b60dfc865a60d0763fac476283fc2c2d37e8e71bbaef4f731096ab3ed

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBB83.exe

Filesize
16KB

MD5
6c268be848f3da476204bafe98c01b9f

SHA1
5d57ddc1a6a4c2ffaf01d3118c594ce2fdd36e00

SHA256
7d93a5310b4c1f54560018b26a2af5f2d9c14d27ee186023e1c4eae80eb46da4

SHA512
2f555f3684d28feff63af21ac5d98bd82f540e97f4e8538ea609e8e467b2409c40085cf3127ca4277d16f575f9669d7c3677c5361224af932f168f9e5cb98b24

Download Submit

Analysis

Sharing