9e610c7984a4f6b33f8cdf5a750416dcfccd6465a8fafb4402d2697834cb191d

General

Target

0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe
Size

16KB
MD5

0d6ff9174f3c184d8eff282262df94ef
SHA1

f614db1fca3b47f6c88b7246b4e2f1f7ec310615
SHA256

9e610c7984a4f6b33f8cdf5a750416dcfccd6465a8fafb4402d2697834cb191d
SHA512

0b101a054f2fb30adadc02df07c7c5c53b33a132fbec5e53138dd1db3f7ccde6058fb0919519d6f7081922a185e8c2c09329e62599f59cc22a00dd7ff2df59ef
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZV:hDXWipuE+K3/SSHgx3V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2620	DEM2971.exe
2552	DEM8028.exe
2412	DEMD623.exe
1884	DEM2C6D.exe
1608	DEM8315.exe
2264	DEMD9DB.exe

Loads dropped DLL 6 IoCs

pid	Process
2888	0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe
2620	DEM2971.exe
2552	DEM8028.exe
2412	DEMD623.exe
1884	DEM2C6D.exe
1608	DEM8315.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2620	2888	0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2620	2888	0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2620	2888	0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2620	2888	0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe	29
PID 2620 wrote to memory of 2552	2620	DEM2971.exe	31
PID 2620 wrote to memory of 2552	2620	DEM2971.exe	31
PID 2620 wrote to memory of 2552	2620	DEM2971.exe	31
PID 2620 wrote to memory of 2552	2620	DEM2971.exe	31
PID 2552 wrote to memory of 2412	2552	DEM8028.exe	35
PID 2552 wrote to memory of 2412	2552	DEM8028.exe	35
PID 2552 wrote to memory of 2412	2552	DEM8028.exe	35
PID 2552 wrote to memory of 2412	2552	DEM8028.exe	35
PID 2412 wrote to memory of 1884	2412	DEMD623.exe	37
PID 2412 wrote to memory of 1884	2412	DEMD623.exe	37
PID 2412 wrote to memory of 1884	2412	DEMD623.exe	37
PID 2412 wrote to memory of 1884	2412	DEMD623.exe	37
PID 1884 wrote to memory of 1608	1884	DEM2C6D.exe	39
PID 1884 wrote to memory of 1608	1884	DEM2C6D.exe	39
PID 1884 wrote to memory of 1608	1884	DEM2C6D.exe	39
PID 1884 wrote to memory of 1608	1884	DEM2C6D.exe	39
PID 1608 wrote to memory of 2264	1608	DEM8315.exe	41
PID 1608 wrote to memory of 2264	1608	DEM8315.exe	41
PID 1608 wrote to memory of 2264	1608	DEM8315.exe	41
PID 1608 wrote to memory of 2264	1608	DEM8315.exe	41

C:\Users\Admin\AppData\Local\Temp\0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\DEM2971.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2971.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\DEM8028.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8028.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\DEMD623.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD623.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\DEM2C6D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C6D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\DEM8315.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8315.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\DEMD9DB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD9DB.exe"
        7⤵
        Executes dropped EXE
        
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8028.exe

Filesize
16KB

MD5
22f1ce2998d1a08bac08213a12c0ecd8

SHA1
db5ce0408c9c66ee12e8f9584adeae3a300e9dc1

SHA256
3b1e1ad170bc2b1e9ba64d42d13d9383755688a368f8f19716d21fefe5b8f845

SHA512
57a0b2589a55b75b2702e8996c4a98becdddd332d79cfb69a0a188139269ed651a522b7f3e611ec7f775346b56093c82e333b629ea383a61bf3c254fa4a207a0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2971.exe

Filesize
16KB

MD5
0adcca0ad00b7047e8c221c05e0e6566

SHA1
163d3ba6a78f5c180a187091e196d08993cedd6b

SHA256
7475b43876287b8e820a8e3d6c3ceb30992b833fc6de80d1af69b7079965ddf5

SHA512
3f48dbf67aad8b7071f410a5f72a294765d04353659edba3c7e9db821d2b6f242fa4cc370d9101763e16714812d30cebfe0109fd95e1a0f2d8531dc4a4d7050f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2C6D.exe

Filesize
16KB

MD5
1541965d8179d9646255426a2b3b5375

SHA1
a32070bf571fb92c29ac0eb074d1633e66f4b534

SHA256
0833b8f5e91da681ef61acad3f2d725da483b2e47c736437f537e911c340f0f8

SHA512
54bee8d744440a863c03bcbd8fd22f59e9681d011da7c2226d9cd09f5590f31e3d43734fbe6d53d52f56e360f8ab9d3af650b78f0c280cd3cb2a3c69535da46b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8315.exe

Filesize
16KB

MD5
7c807ee798e07409e41eab4ae99d55da

SHA1
9956034140fe4e295c5d41c6dd22fa717aff6336

SHA256
6fea1245052e379aaa3f8df6671d42aaddfc1d3a35b211ed17d640660232005a

SHA512
adaec0cdffb31b7ec8110fb2d2f2202fdb2e7e917b5020375e98efdaea60f202459089e64b9ca33e2f51bcfa6dd1e1b45fbe3de17825a0e2ae9b472db236365a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD623.exe

Filesize
16KB

MD5
d8df528193088d94476d6c6444b2398a

SHA1
837be7d9b7da48ce9861c62eb0d43c8c3754f8d6

SHA256
74c1852ea7a659f77cc1d2b6e6d4bf8edd35fcd3447c04362bd4e7a6dfd1f559

SHA512
049ae6ad8fd52a66be8cb66927535ebed9ddb75577f239163fe3e9f09b13b15b19e35ad029e9ac5bc554d2dae7b634970cd3f85847c35b8d55022678c340801d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD9DB.exe

Filesize
16KB

MD5
1e01fdc6da6167284b79186aba6cecbe

SHA1
0cc5d686ac3b9b8b8be7604ca748a495bbb0fa42

SHA256
2ab4a0396eb082a538621f053303b4cc9061bc3775e17210f07e119d40371e18

SHA512
13bd194949eba9e229df2257ab6d69c3a00db21372fbafe0c36b612c98752de978284f4ef169109353228ce1281f4e98d6c2c8f454fe8810e0db84128b5b2220

Download Submit

Analysis

Sharing