362bc615d5bb8b6c3387b35c147c18cbb4f25046af99061b9335a5e25bdf4577

General

Target

0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe
Size

14KB
MD5

0e4c41a998ccab92561ac1858ab836a8
SHA1

07e0d1777a1d689af330680484c6e4134a418f2d
SHA256

362bc615d5bb8b6c3387b35c147c18cbb4f25046af99061b9335a5e25bdf4577
SHA512

1fc68a3069c46b8e8d6f3d111e020852a6446c34702ece855b145f7d590c82ad75ade6dd82b408f3d25353c41a56e827563ee2b8fca6cbfb19f56c2d53395068
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhiP:hDXWipuE+K3/SSHgxLiP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2820	DEMF4C.exe
2664	DEM64CB.exe
2756	DEMBA2B.exe
1904	DEMF6C.exe
1568	DEM6548.exe
2592	DEMBB25.exe

Loads dropped DLL 6 IoCs

pid	Process
2040	0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe
2820	DEMF4C.exe
2664	DEM64CB.exe
2756	DEMBA2B.exe
1904	DEMF6C.exe
1568	DEM6548.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2820	2040	0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2820	2040	0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2820	2040	0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2820	2040	0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe	29
PID 2820 wrote to memory of 2664	2820	DEMF4C.exe	31
PID 2820 wrote to memory of 2664	2820	DEMF4C.exe	31
PID 2820 wrote to memory of 2664	2820	DEMF4C.exe	31
PID 2820 wrote to memory of 2664	2820	DEMF4C.exe	31
PID 2664 wrote to memory of 2756	2664	DEM64CB.exe	35
PID 2664 wrote to memory of 2756	2664	DEM64CB.exe	35
PID 2664 wrote to memory of 2756	2664	DEM64CB.exe	35
PID 2664 wrote to memory of 2756	2664	DEM64CB.exe	35
PID 2756 wrote to memory of 1904	2756	DEMBA2B.exe	37
PID 2756 wrote to memory of 1904	2756	DEMBA2B.exe	37
PID 2756 wrote to memory of 1904	2756	DEMBA2B.exe	37
PID 2756 wrote to memory of 1904	2756	DEMBA2B.exe	37
PID 1904 wrote to memory of 1568	1904	DEMF6C.exe	39
PID 1904 wrote to memory of 1568	1904	DEMF6C.exe	39
PID 1904 wrote to memory of 1568	1904	DEMF6C.exe	39
PID 1904 wrote to memory of 1568	1904	DEMF6C.exe	39
PID 1568 wrote to memory of 2592	1568	DEM6548.exe	41
PID 1568 wrote to memory of 2592	1568	DEM6548.exe	41
PID 1568 wrote to memory of 2592	1568	DEM6548.exe	41
PID 1568 wrote to memory of 2592	1568	DEM6548.exe	41

C:\Users\Admin\AppData\Local\Temp\0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\DEMF4C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF4C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\DEM64CB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM64CB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\DEMBA2B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBA2B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\DEMF6C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF6C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\DEM6548.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6548.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\DEMBB25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB25.exe"
        7⤵
        Executes dropped EXE
        
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM64CB.exe

Filesize
14KB

MD5
e7fdefff4e1287eaef3146459aef3eaf

SHA1
5ad6a776ab1a2c294493ffb19dcd480e3a5cc0e4

SHA256
ba04be376a3a6d8a2444ac95e8ed4fac46e25d98bbe63fbe044609a9c947c3ce

SHA512
25fa7cf37a3a0fc35bdb7b3e6bc03e771171cd28e45bfea9cb1636571b051177667ac0cad9ef7b602534b6b508357c041c82662ebab732fa390e7e3ba86c57d0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6548.exe

Filesize
14KB

MD5
91384a5fcc22e723d09df3c3367c216a

SHA1
abf80493be7c0ff7fa7b081c426302b162d097c4

SHA256
c7e47b859a5ef5925d0360f6d431b0fab7881d075ec8f39adfef0540e996508c

SHA512
b7d8720678c1ab97975ca83f74ee9377c7f5bb8c08d91cd682e6f50342d182407091f9b36051a6c41c025bde27fa79cce400cf13cb74dd9e7b85a7ba8cf92910

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBA2B.exe

Filesize
14KB

MD5
ba0a0ec8a1a93ba6f29bf4819e1a8627

SHA1
4508fe88b5d23dc4b95b7d18295ad3b2657bb765

SHA256
603d706a280a367529ec0b8284c4b05ab5735c313f15b96f64cd2dc75522c68c

SHA512
c23fea18ce15e6ddb3e5307c46b535d9be6c6d8f223d34426cfbba3290af8d74a2392567f660e429de1a072453fa90f44a0a97e5af894b921f492fda1fc99852

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBB25.exe

Filesize
14KB

MD5
a6e7c39df16b8b6477b77e1213ef5302

SHA1
4e06e9fb800a3ed4c372127d62c0f6bcc09a0e5b

SHA256
5c3bde0eec060b93aa258eb8b2e6270fab8aaf298d5e35ee116af5cc003c375f

SHA512
391b334ebe091bd2598e5ea9ca5fff557411051795ee26e4df25473ffff3ed7dc5f6f6f0d7d868102d66266b55edf05d9d8def05e4a9f01cbd2bc18531dd76dd

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF4C.exe

Filesize
14KB

MD5
a506fb9c05a3641b23011e47c33aec99

SHA1
9656f8867918e32798cb5fbcc503adf8a030e607

SHA256
0b0218e6f94a914c17196dbca0be66dd4ba1c47cc384e9a8998f6165aa639d3a

SHA512
fafdec1324d240ca94b626bb8c54176e58208c3234096941603caf0750948b725ca4c1de6b419b832a67a3c40d68d512c1a6a847f5cf0b8532f369710042fcb8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF6C.exe

Filesize
14KB

MD5
14fa5ed0e0ae0a3e3b417e089f02e382

SHA1
d5dc997c8d2002158b3ca7ec050afa868dd48a60

SHA256
faa61b5b0f31bdbd415ff7fbe1ada4668b30e395bb65951589764d225e1911f1

SHA512
95e755c37d87b322c673a60a6ab2a141286645b47b31456f711cd35bb5487d1f6285d0f0cbe4a5da87b6347f2c550b602ed067e5001bead1fc8735e9870caeb0

Download Submit

Analysis

Sharing