92f3a51ed46a4f638f342778aa7d3435f530ba9b32730ab7f312b088747f64a6

General

Target

0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe
Size

14KB
MD5

0d06e4b8f305ff629b596a78750dce92
SHA1

c8b4825e1f1de1619a7838d0c4b7351802df6f54
SHA256

92f3a51ed46a4f638f342778aa7d3435f530ba9b32730ab7f312b088747f64a6
SHA512

45f0b8ae51cf6b5dd0975f7754da3dd148568adfb5624f4fa27d7ce842eac0f8a6a513b3a92972eab3daea0240efea877ceea44bf4a2b73329d39f922a13789a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhH:hDXWipuE+K3/SSHgxt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2632	DEM45E6.exe
2528	DEM9CBC.exe
2836	DEMF325.exe
1908	DEM4911.exe
2848	DEMA045.exe
1988	DEMF788.exe

Loads dropped DLL 6 IoCs

pid	Process
2224	0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe
2632	DEM45E6.exe
2528	DEM9CBC.exe
2836	DEMF325.exe
1908	DEM4911.exe
2848	DEMA045.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2632	2224	0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2632	2224	0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2632	2224	0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2632	2224	0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe	29
PID 2632 wrote to memory of 2528	2632	DEM45E6.exe	33
PID 2632 wrote to memory of 2528	2632	DEM45E6.exe	33
PID 2632 wrote to memory of 2528	2632	DEM45E6.exe	33
PID 2632 wrote to memory of 2528	2632	DEM45E6.exe	33
PID 2528 wrote to memory of 2836	2528	DEM9CBC.exe	35
PID 2528 wrote to memory of 2836	2528	DEM9CBC.exe	35
PID 2528 wrote to memory of 2836	2528	DEM9CBC.exe	35
PID 2528 wrote to memory of 2836	2528	DEM9CBC.exe	35
PID 2836 wrote to memory of 1908	2836	DEMF325.exe	37
PID 2836 wrote to memory of 1908	2836	DEMF325.exe	37
PID 2836 wrote to memory of 1908	2836	DEMF325.exe	37
PID 2836 wrote to memory of 1908	2836	DEMF325.exe	37
PID 1908 wrote to memory of 2848	1908	DEM4911.exe	39
PID 1908 wrote to memory of 2848	1908	DEM4911.exe	39
PID 1908 wrote to memory of 2848	1908	DEM4911.exe	39
PID 1908 wrote to memory of 2848	1908	DEM4911.exe	39
PID 2848 wrote to memory of 1988	2848	DEMA045.exe	41
PID 2848 wrote to memory of 1988	2848	DEMA045.exe	41
PID 2848 wrote to memory of 1988	2848	DEMA045.exe	41
PID 2848 wrote to memory of 1988	2848	DEMA045.exe	41

C:\Users\Admin\AppData\Local\Temp\0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\DEM45E6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM45E6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\DEM9CBC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9CBC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\DEMF325.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF325.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\DEM4911.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4911.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\DEMA045.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA045.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\DEMF788.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF788.exe"
        7⤵
        Executes dropped EXE
        
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9CBC.exe

Filesize
14KB

MD5
85484b4b662f235d8426dd7f162b39de

SHA1
c027f55a61bdec4a79409e2e29efdfcd82066940

SHA256
632c21175ad53c90e16fdacb205027650e78c0042784d3e7a6f1178a2401c0b6

SHA512
cd7f3da805ada6380559be7ac84c29ea1c3c7a37faff457141136d3954a12017118563c9af2c8670fe5728a0bd060014b0d5d1046dd471e3a6215c882e437816

Download Submit
\Users\Admin\AppData\Local\Temp\DEM45E6.exe

Filesize
14KB

MD5
d78def62be1c986ae8c27b4efe786796

SHA1
b0bc9c92bbe452d63964929880a8b5790a436e67

SHA256
fdc54fb2a808a0d755502368762b8b067f0d99dae1fd44df4d7b5ff488c6ed10

SHA512
c2a5e9c3bdfd9d6cb4e6e6dc372682c4925b57c87a836ebaedaaef665df9c44bb69ca6aa64d8826b3003c63cb23a23326b917a6a79b24eecb444b577c3d87c8d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4911.exe

Filesize
14KB

MD5
655f486fd461a46e74423af309aa414d

SHA1
55d525c9efbbd0a871d3444ae77243894f0c730c

SHA256
de51201dc3515f136fe315262053ac1e847d21928bb9323cce5fab6ab594ed78

SHA512
6e11bd7c7346204d16c3db27493733395747c41922d74a88354346a0b91747e390a93af1b89d941ad7ae33a56f8f003489aa023b69089c5e782d6aca8a363d7a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA045.exe

Filesize
14KB

MD5
f8ee14c65764ba9866b59a21fb80cfcc

SHA1
b390cb36e9f85e6ad84928c97ffca2bfb53c4ca6

SHA256
7d6dc9eb7ebb640586a73d0f253ea5d5e16809973c4758b361ebdac3eba1aae5

SHA512
a1b6f3a624012fb0f26d73e7c6a42fc0dfd4aadac63c2e4ba78170f042fd80eac18cb5aa0bb42d8e699f9000e9544a8a44f231320f674c9c688578462001c45a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF325.exe

Filesize
14KB

MD5
05d97e600418efad122f265a268a280a

SHA1
0bdc73b3f7df1b9e77ddeb9ee8c68e5845958962

SHA256
17d93c0cb0ba17fe454746126b393b7e97684305225930a7431ffa0dce9d3e10

SHA512
672a1ffd4b020659b25a9c741cc0e695ff2d8b1c8937d84a12a95cb93e95a7babbe2b6b2f928f07b8cb7ffe1dbdc3db81f061ccddb5947015c914a34f68a6fad

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF788.exe

Filesize
14KB

MD5
8a36c0f11d9648e743ac17a0974240ea

SHA1
2fd44577a34a3466dd9884188900f550696d5867

SHA256
0c988ac4028192ed54d3b1b9e8e70ee7b9dc196b06755bb07289ab907f393680

SHA512
d1c3ae14e9366ef76984eaa5777c0ffb054cf7a9b6da57cc8ab7cf4be965308c97b73342d978b35bedc664e055cb7a5eba01379ecc886cf3743d3e66787f9c5f

Download Submit

Analysis

Sharing