ee66bed3f91e3c44d53ff8f25acf6c4b3b7035b14fb66544624e62cc997fadc4

General

Target

0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe
Size

16KB
MD5

0b6b226a6a0670501eee05d0ec8ec82f
SHA1

7af2cbb1ba2933e09c6a70cd59001d9f8a968ce8
SHA256

ee66bed3f91e3c44d53ff8f25acf6c4b3b7035b14fb66544624e62cc997fadc4
SHA512

a5b800b4e95a3f8bdc74ca28ea1757d9220032798d931be7869bfef3aea80100bb7682ea3abd76a3740cd834db9d4f1b13eaf94c00435e1a6722f755c388f3da
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlgJ:hDXWipuE+K3/SSHgxmlgJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3020	DEM7B57.exe
2564	DEMD1A1.exe
528	DEM2730.exe
2336	DEM7CFD.exe
1596	DEMD337.exe
752	DEM2913.exe

Loads dropped DLL 6 IoCs

pid	Process
1152	0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe
3020	DEM7B57.exe
2564	DEMD1A1.exe
528	DEM2730.exe
2336	DEM7CFD.exe
1596	DEMD337.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 3020	1152	0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe	29
PID 1152 wrote to memory of 3020	1152	0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe	29
PID 1152 wrote to memory of 3020	1152	0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe	29
PID 1152 wrote to memory of 3020	1152	0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe	29
PID 3020 wrote to memory of 2564	3020	DEM7B57.exe	33
PID 3020 wrote to memory of 2564	3020	DEM7B57.exe	33
PID 3020 wrote to memory of 2564	3020	DEM7B57.exe	33
PID 3020 wrote to memory of 2564	3020	DEM7B57.exe	33
PID 2564 wrote to memory of 528	2564	DEMD1A1.exe	35
PID 2564 wrote to memory of 528	2564	DEMD1A1.exe	35
PID 2564 wrote to memory of 528	2564	DEMD1A1.exe	35
PID 2564 wrote to memory of 528	2564	DEMD1A1.exe	35
PID 528 wrote to memory of 2336	528	DEM2730.exe	37
PID 528 wrote to memory of 2336	528	DEM2730.exe	37
PID 528 wrote to memory of 2336	528	DEM2730.exe	37
PID 528 wrote to memory of 2336	528	DEM2730.exe	37
PID 2336 wrote to memory of 1596	2336	DEM7CFD.exe	39
PID 2336 wrote to memory of 1596	2336	DEM7CFD.exe	39
PID 2336 wrote to memory of 1596	2336	DEM7CFD.exe	39
PID 2336 wrote to memory of 1596	2336	DEM7CFD.exe	39
PID 1596 wrote to memory of 752	1596	DEMD337.exe	41
PID 1596 wrote to memory of 752	1596	DEMD337.exe	41
PID 1596 wrote to memory of 752	1596	DEMD337.exe	41
PID 1596 wrote to memory of 752	1596	DEMD337.exe	41

C:\Users\Admin\AppData\Local\Temp\0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\DEM7B57.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7B57.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\DEMD1A1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD1A1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\DEM2730.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2730.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Users\Admin\AppData\Local\Temp\DEM7CFD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7CFD.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Users\Admin\AppData\Local\Temp\DEMD337.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD337.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\DEM2913.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2913.exe"
        7⤵
        Executes dropped EXE
        
        PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2730.exe

Filesize
16KB

MD5
061a054756dec32289a072fcec9be20e

SHA1
6b3a32c5d0fe241c7c9f88ea0563f0e90feab7cd

SHA256
968119e7787f106ec1b8289094488f6cd09d0a3243982332e80fe82206ed1a3d

SHA512
e08c835747b5e40b6a93434c4ddc0ec5629ffa7a28609048ebd46e1dc26b255025ada6aaf06baaf0f04a3db06656997d0971358228e412904eaedbaa74bbf990

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2913.exe

Filesize
16KB

MD5
9f20b1d9b6e9c00ecb8bf4c52ffa0be3

SHA1
b111a8cf652f7b383313951df7dbdf783df6659f

SHA256
af53a1b77485f811851a977b20329afded5fe50e8233c2b80610b38f62ca56e0

SHA512
5ed53c8dd67efdd2d55067e174e40102c06bf73069bbc738c95878b25c23d65c9b995d21a483881af82fbafb7541215bb2d9c39401b338b426324e1452323b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7CFD.exe

Filesize
16KB

MD5
d14b3ffb5d05b4b862e0d5e2011d3e89

SHA1
4e968770abff07d52fec12f8f64e2901f53abbb0

SHA256
e2200e72c5617e8acef048480a7d2821babadb918f277a995864ee23114bb70f

SHA512
797b0bc799f49e598a93b064ed742ab4545b3119f741cf0bc4a09da87237f7e46e23bd4d3215ac1f7ceb21f20177367e10451e33e4258ea6d8454579c069aa06

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD1A1.exe

Filesize
16KB

MD5
a3d7e03aa7ff0011d259b066e60b97de

SHA1
f3dd7723e07eddce736b41b911ac5c8c8ef60adc

SHA256
08b1545520d2cdccc0acf93b883df27119f29bf20672cc13197578ca6d710b5a

SHA512
2253166149a634c59dceb6f1e68dc690330bb5c5d49ce5c988a5c4ad6deba1fd90bbb1c9d4973461715c5406d368d070d31ce27325bc81f126a5de0c974d244f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7B57.exe

Filesize
16KB

MD5
e182367e8adc3932f657324f460df671

SHA1
7b8fb81c900432c0dea61ae3a870526865999c67

SHA256
912010891e55574b50ef10e5eaff6ea5b2b3b4f4df5aaa42dfafa0c26ca7ade1

SHA512
8a7ed02e0524e9597ef7b5717ff2d6b594ceb435d842676ca7531e787337e8590450e15972dac13153397890bdc140c3803b9169bd9ce6cd3e8e0fe2d31a4fe3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD337.exe

Filesize
16KB

MD5
b66c9280e11208ae81a95c7f2ca9e79a

SHA1
978e309d159de2ac35d0476596c7e614796e816a

SHA256
ef3d4b991410abe881d63a52d4db559ab555ec6712815db543d605e9828f2e61

SHA512
e902d5cd9347848e81602ea1362995d93074b8d75d40837e8f01ab67ddea754a9a2483d7cd7195a395a4fc5692d01a652f3161018e4a1b689778deff61999022

Download Submit

Analysis

Sharing