7af6595ef53007e9468b13e717e21d1e906ee8ec61bf0cc57e06d74ad492fb96

General

Target

0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe
Size

15KB
MD5

0d59cdac6efe4042bba9243e6a5e4e19
SHA1

a523a703649a0567b14f7b7e861f143158e785be
SHA256

7af6595ef53007e9468b13e717e21d1e906ee8ec61bf0cc57e06d74ad492fb96
SHA512

1d684731752e32feb1c73199c18dfa52db38cc467b21a9fe6e665d35f961f52623d35f01e27b0088c8faf14ac0d288d5cc27e0d601e8ef43457123e1be77bf7a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8QaK:hDXWipuE+K3/SSHgxm83K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2872	DEM77A0.exe
2564	DEMCDAB.exe
664	DEM2462.exe
2336	DEM7A9C.exe
1596	DEMD079.exe
752	DEM2655.exe

Loads dropped DLL 6 IoCs

pid	Process
1184	0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe
2872	DEM77A0.exe
2564	DEMCDAB.exe
664	DEM2462.exe
2336	DEM7A9C.exe
1596	DEMD079.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2872	1184	0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe	29
PID 1184 wrote to memory of 2872	1184	0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe	29
PID 1184 wrote to memory of 2872	1184	0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe	29
PID 1184 wrote to memory of 2872	1184	0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2564	2872	DEM77A0.exe	33
PID 2872 wrote to memory of 2564	2872	DEM77A0.exe	33
PID 2872 wrote to memory of 2564	2872	DEM77A0.exe	33
PID 2872 wrote to memory of 2564	2872	DEM77A0.exe	33
PID 2564 wrote to memory of 664	2564	DEMCDAB.exe	35
PID 2564 wrote to memory of 664	2564	DEMCDAB.exe	35
PID 2564 wrote to memory of 664	2564	DEMCDAB.exe	35
PID 2564 wrote to memory of 664	2564	DEMCDAB.exe	35
PID 664 wrote to memory of 2336	664	DEM2462.exe	37
PID 664 wrote to memory of 2336	664	DEM2462.exe	37
PID 664 wrote to memory of 2336	664	DEM2462.exe	37
PID 664 wrote to memory of 2336	664	DEM2462.exe	37
PID 2336 wrote to memory of 1596	2336	DEM7A9C.exe	39
PID 2336 wrote to memory of 1596	2336	DEM7A9C.exe	39
PID 2336 wrote to memory of 1596	2336	DEM7A9C.exe	39
PID 2336 wrote to memory of 1596	2336	DEM7A9C.exe	39
PID 1596 wrote to memory of 752	1596	DEMD079.exe	41
PID 1596 wrote to memory of 752	1596	DEMD079.exe	41
PID 1596 wrote to memory of 752	1596	DEMD079.exe	41
PID 1596 wrote to memory of 752	1596	DEMD079.exe	41

C:\Users\Admin\AppData\Local\Temp\0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\DEM77A0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM77A0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\DEMCDAB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCDAB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\DEM2462.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2462.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Users\Admin\AppData\Local\Temp\DEM7A9C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A9C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Users\Admin\AppData\Local\Temp\DEMD079.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD079.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\DEM2655.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2655.exe"
        7⤵
        Executes dropped EXE
        
        PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2462.exe

Filesize
15KB

MD5
26fcd071f49a084b473dbbca46e6a158

SHA1
7c5be9fe9239549dab055d690a9ea17b8f36a8d7

SHA256
f3fec18c4977348f8271e7b9121d126b1a69a2994bc0d82892292cb262da0886

SHA512
7c163f39935c9ee218fde4be2a7548817a140e11d28b80db9c3e3d488ed3ba2d82f93a8a300c1fba76f40e053ac59692d350f89252c802dbc82e6219630849ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2655.exe

Filesize
16KB

MD5
70a22090ce7f03fb1b749d4d3dcc1036

SHA1
90df0da03a5289197d1186e41f4576fff9869f85

SHA256
9eb8c198b222a1f3ee1677d9bca07eabfe99e52e465c44b6bde1a7981acae739

SHA512
71f12b9ec4826920e36013e5928ed6ff24f4ee7cb0bc85c28785c83d5e19dbfd58206b2f5d8d6d235f126ff6fc47eb59fa49604dca0f2b08cd019b30aa1a28a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77A0.exe

Filesize
15KB

MD5
6b95cdd547bec91209eff785bd82993c

SHA1
28c28a892a0ace1e90c89677c403f557a8281c09

SHA256
9f4e06f5eaa1cebc7543c4e7d3dac8de5c2312609bf94ed505d24d4dba3483dc

SHA512
159d73c86a7e7b6af75639a30ad3ef08af1c080b5b738e9aa6fba2ffbb5f5fbdbc74817151a47c4a31c8d4dfd3b6fb9f1cf24405e7d27859ddb8857b7cbb4310

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A9C.exe

Filesize
15KB

MD5
d6150e2966b129d67fd2861665f2bcaa

SHA1
807aecc4c7abfaeafea32732db3518b470370232

SHA256
55674edb843f0b270d197b503ae6dec2480a3c8f85ab871d3c5c55fca92f9544

SHA512
c7506f9f72ecf287ae1d303fc801f6558f5988b4157945af8acb43c97943fb13bb1532542cda4d3653806fca670c7e674e112d41920587629ef7b9bf6471342c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCDAB.exe

Filesize
15KB

MD5
e2277b7d2a782c7c49bb9498d260e190

SHA1
6b05ccdbabd5118abfbb571fa536dfd1262cd1e9

SHA256
90d669889f1cd26fc027ae5ac79fbc03f540341585efa9b134a301422c4bcee1

SHA512
1b5412666767a67f042b0bce021d63f8675912be6291e9d7a2e919144781acb9f4948597befb0c9a9708f8db03f3a4aadd1338494d700940379cd70c7e6a422b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD079.exe

Filesize
16KB

MD5
80306dd4d12d50b755961540c350130b

SHA1
bbe663d1d4f786cac030fa6ea9c07464fb36070d

SHA256
86473da65c8533b72a32db4e1a1ffdd01b69868cda1ff77bfa0052aedfd20016

SHA512
e9f93e7cdd9ea8012fbdd8bee7ee65d92e6c2ca1914a32a220f6535834caa318d97c7291470e9abfd75f0b3fc62d22fbc4f48cb11d544660d157c95dc3013ef9

Download Submit

Analysis

Sharing