6ed630061d546991665f8961d29275bd9b69f91214cf4a6a0415e9cc092049f8

General

Target

0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
Size

15KB
MD5

0f1804021eb96820702f0ffcb3c72015
SHA1

d8ef69dc7c0a89fe11a29e3c2c77fcf60ea0e473
SHA256

6ed630061d546991665f8961d29275bd9b69f91214cf4a6a0415e9cc092049f8
SHA512

297e22ed028301c4afd23cad60e852bd9d05e6c696f32260ab712bd7e7c130284d25b9a573840eb4a8a7a0129c64def3a0c2e22990677012ede1b14f7670dd18
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyhb:hDXWipuE+K3/SSHgxmyhb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2676	DEM142C.exe
2452	DEM69EA.exe
2928	DEMBF2A.exe
1552	DEM14A9.exe
840	DEM6A95.exe
1984	DEMBFD6.exe

Loads dropped DLL 6 IoCs

pid	Process
2316	0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
2676	DEM142C.exe
2452	DEM69EA.exe
2928	DEMBF2A.exe
1552	DEM14A9.exe
840	DEM6A95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2676	2316	0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe	29
PID 2316 wrote to memory of 2676	2316	0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe	29
PID 2316 wrote to memory of 2676	2316	0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe	29
PID 2316 wrote to memory of 2676	2316	0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe	29
PID 2676 wrote to memory of 2452	2676	DEM142C.exe	31
PID 2676 wrote to memory of 2452	2676	DEM142C.exe	31
PID 2676 wrote to memory of 2452	2676	DEM142C.exe	31
PID 2676 wrote to memory of 2452	2676	DEM142C.exe	31
PID 2452 wrote to memory of 2928	2452	DEM69EA.exe	35
PID 2452 wrote to memory of 2928	2452	DEM69EA.exe	35
PID 2452 wrote to memory of 2928	2452	DEM69EA.exe	35
PID 2452 wrote to memory of 2928	2452	DEM69EA.exe	35
PID 2928 wrote to memory of 1552	2928	DEMBF2A.exe	37
PID 2928 wrote to memory of 1552	2928	DEMBF2A.exe	37
PID 2928 wrote to memory of 1552	2928	DEMBF2A.exe	37
PID 2928 wrote to memory of 1552	2928	DEMBF2A.exe	37
PID 1552 wrote to memory of 840	1552	DEM14A9.exe	39
PID 1552 wrote to memory of 840	1552	DEM14A9.exe	39
PID 1552 wrote to memory of 840	1552	DEM14A9.exe	39
PID 1552 wrote to memory of 840	1552	DEM14A9.exe	39
PID 840 wrote to memory of 1984	840	DEM6A95.exe	41
PID 840 wrote to memory of 1984	840	DEM6A95.exe	41
PID 840 wrote to memory of 1984	840	DEM6A95.exe	41
PID 840 wrote to memory of 1984	840	DEM6A95.exe	41

C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\DEM142C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM142C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Users\Admin\AppData\Local\Temp\DEM14A9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM14A9.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Users\Admin\AppData\Local\Temp\DEM6A95.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6A95.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBFD6.exe"
        7⤵
        Executes dropped EXE
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM142C.exe

Filesize
15KB

MD5
68cb81b02b949c7f27c4b4f1fe2bc932

SHA1
2bf000dca68fcb0dc4823013bcdb43091dde9adf

SHA256
ac2a44bc2f10ee169665edba56d382ddf59220c4bcf814c1a78f8517afa4aff1

SHA512
f55a3060a083b79414d0b9d4fbd82caef98ce86bb67d5b6573d5f3e29a5ea226294f68bd4e42d47f34210ad583f0eb64744c2b2fe3466fbeafb03dc3897a0a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe

Filesize
15KB

MD5
0db4d8273f4d057b8dca20a1a02a8473

SHA1
5cf65951391bd0c286fd9a08401ab716e3a66764

SHA256
c71d4385176dd7e4fe3d3724a5b387053fb1a58671e22a8b3fbc6c92ea8d80f3

SHA512
46e7e7ab9f266c8be1676eef81ae40e311df7d68c5c96e1df99c00b607256adcab06608a9e86160ce0364cf4a03d22c82a0220eb2c3b82178e39df686ae19577

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6A95.exe

Filesize
15KB

MD5
60e624183aabc16e766beb422f1cf8e3

SHA1
083afe74b02d1f70064173bb1f4a1279f5b8f2c3

SHA256
105205969186cab1b2fb7c6658cd5778981f720c209cb1cb64808cf0dc124a24

SHA512
26668430f5cd9c416168abcab695408a64a1c7f88c2949f03a9e2b88d25cb5c39cf7ced230bf1b22237bc39cd3824186db248cf326eb22fe1eaba6a454bd795d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe

Filesize
15KB

MD5
8910082f036cd5aa2e91b3da99df2e2b

SHA1
154cc54e3f40f23800ab6e31e7904ea543112aef

SHA256
77b20385fca20e10ea589c8c062f17934b9041e328b8461d34526a125c2fdcf0

SHA512
fa76927a1a9717aa3b257a5c16cedde47c51544742f880b142aadca64f4e5e807bbfc15bac54e64207e2c1222c849067aea5306d45f3e5367a0e72a5c0839178

Download Submit
\Users\Admin\AppData\Local\Temp\DEM14A9.exe

Filesize
15KB

MD5
b6592954bbe295bcead7812ff4649e70

SHA1
42d4268d970043624ace09a95a674823cab4d881

SHA256
cb0793ba265cdeff687b980de4e280c3cf54c2400f3de997ccdcf648f764f1f9

SHA512
83be0ce0275e3c2fad74a2916ba3cc89447326d6159c31bdf8747912c8f4eb507fa659d3cbc59f9623929e10b93012b1f107ce4bf751f35cb9e236b1d7439508

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBFD6.exe

Filesize
15KB

MD5
357ed96bcf4da04cf29784bf7b3a859f

SHA1
914441fa10ca14469740d17ba1348517b068ec6d

SHA256
73b2339104914598b7de60e209df045f5dfa321781369ae4bd23838aa901efc7

SHA512
1aa6ba241f5bdc6400b2a5beb67094635a4c9e2f83c9170ed8ea119a716f0e1e3503f177719bc3a6b544157d99c19ba6502840fd05ab59c63a8279281f02ff2a

Download Submit

Analysis

Sharing