48f5931c51df86fc67695db2e54694fbe1631e5ea27ff5b47cb381ec34ac7344

General

Target

0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe
Size

15KB
MD5

0ce98910be0fd7271444f04fb92ece8f
SHA1

fac1663749b336489f50a8206bb2c81835f6450e
SHA256

48f5931c51df86fc67695db2e54694fbe1631e5ea27ff5b47cb381ec34ac7344
SHA512

ccec3f0ad6ed91fc662ff9de6ff947cedd214121ff82c1e6ad67d341e79042303e119f4b208ff969ccb7288b6f676ffc0402246eb4530e4ef05f4ffe42e7ed50
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlPgt:hDXWipuE+K3/SSHgxml4t

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2568	DEM1056.exe
2960	DEM65E4.exe
2768	DEMBB53.exe
1772	DEM10D2.exe
1440	DEM6690.exe
2408	DEMBC1E.exe

Loads dropped DLL 6 IoCs

pid	Process
2712	0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe
2568	DEM1056.exe
2960	DEM65E4.exe
2768	DEMBB53.exe
1772	DEM10D2.exe
1440	DEM6690.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2568	2712	0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2568	2712	0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2568	2712	0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2568	2712	0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe	29
PID 2568 wrote to memory of 2960	2568	DEM1056.exe	31
PID 2568 wrote to memory of 2960	2568	DEM1056.exe	31
PID 2568 wrote to memory of 2960	2568	DEM1056.exe	31
PID 2568 wrote to memory of 2960	2568	DEM1056.exe	31
PID 2960 wrote to memory of 2768	2960	DEM65E4.exe	35
PID 2960 wrote to memory of 2768	2960	DEM65E4.exe	35
PID 2960 wrote to memory of 2768	2960	DEM65E4.exe	35
PID 2960 wrote to memory of 2768	2960	DEM65E4.exe	35
PID 2768 wrote to memory of 1772	2768	DEMBB53.exe	37
PID 2768 wrote to memory of 1772	2768	DEMBB53.exe	37
PID 2768 wrote to memory of 1772	2768	DEMBB53.exe	37
PID 2768 wrote to memory of 1772	2768	DEMBB53.exe	37
PID 1772 wrote to memory of 1440	1772	DEM10D2.exe	39
PID 1772 wrote to memory of 1440	1772	DEM10D2.exe	39
PID 1772 wrote to memory of 1440	1772	DEM10D2.exe	39
PID 1772 wrote to memory of 1440	1772	DEM10D2.exe	39
PID 1440 wrote to memory of 2408	1440	DEM6690.exe	41
PID 1440 wrote to memory of 2408	1440	DEM6690.exe	41
PID 1440 wrote to memory of 2408	1440	DEM6690.exe	41
PID 1440 wrote to memory of 2408	1440	DEM6690.exe	41

C:\Users\Admin\AppData\Local\Temp\0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\DEM1056.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1056.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\DEM65E4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM65E4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\DEMBB53.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBB53.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\DEM10D2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM10D2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\DEM6690.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6690.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\DEMBC1E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC1E.exe"
        7⤵
        Executes dropped EXE
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM10D2.exe

Filesize
15KB

MD5
35f6190204cee5fc58aec392f10687fc

SHA1
8123efca8542f516acbd535ea0fe092a1d0dd518

SHA256
da797cd10649c91f23311d413d230fc84de603bda8c8f0c14098276194530432

SHA512
e695afe9a57076feb00743303217524a6ac499c3db0ccf893a2dce9b0464d4fb7f8e5fc739c1a6e44a8240fe1870b69da93a8b43fb5f26662e183a7bee10121c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM65E4.exe

Filesize
15KB

MD5
2f9b1216da1ca59bac0a216f91ffce8c

SHA1
1c02b2ab05a05eaaf9a2cae2b5c451313ebf14c4

SHA256
d612669cb288a650f5c5028ab230d5ae3c8413a7f3b94285b4b10e11eab651a9

SHA512
18b486f67fcfd5c370f674f624f4072fd170b6894f964b10a33356f28279332a7e5bb9c97b2832f8d95f9d388b7b4e9b1a164e0b2b8e6e1be4cda18d3018f20a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1056.exe

Filesize
15KB

MD5
866a8c73c06ef03429f77d3f11251b0b

SHA1
12954e8207667b4d685c8a66dd300473c86c584e

SHA256
e1935df486f72eb6000e008359041fcc7194104ee828f9e4cf3ec7f2e30949cc

SHA512
a23f2f7e38da9d8eb9d433c00ee967e97781af00706ba6cf540b0cf543e2adbe740da487ab2f210d1382e65b6a6fa7cbae08d40170f94d4ce1c0ff30bd0190b0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6690.exe

Filesize
15KB

MD5
803468dc59c713e2dc10c0a878673e69

SHA1
f1768e29f674a1b4de5720f9561dba28a52ed13e

SHA256
f926a1e6e56f3caa56777252ba8cb9a3dfe5c7f9501523dcfeb8f35eb9b6f167

SHA512
aa224d715cc8ebdadbc4ee125a71ed975dbbe3c926e8aa551c28333c9033fcfd9e2c139c6f025840b2da4297ca074b01d9e4896c4dbc91eab37d5b1a7e78fe35

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBB53.exe

Filesize
15KB

MD5
4d320794c150422a73d7a478f9847e3f

SHA1
657530eac132ed21d4acf2314c22e0b2ff1d8c60

SHA256
a1ead2f4969b92be18a385d0062325b56bc5e42beff8d8b71f976debf3283a68

SHA512
53057fe6faf875c6773656b45fa7cecd281d0f647d61660052b474633187d257bae76f5435177865bee5679086ca087353b4d2a50ad4148561e5de7b70789459

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC1E.exe

Filesize
15KB

MD5
fc8e18d5322706c26d586d9bafbb0144

SHA1
cde22a12adee15709d7255436f54c9fd50538c77

SHA256
9657e73f40bfac9c584b396840028f35a1b0c15ef94b5f87012ea9212b53932c

SHA512
003c9d3a37184cf75ae7b23201cd1cde7a838a29313576a3a15d1c59f477333e0fd2aa367a15ec9fec47893c8ac69b2a8c585336a482abca38a950fe4bb9897f

Download Submit

Analysis

Sharing