82bf3976864813303f88c6ed14030e7be1d45d09e094aadc848444840101415d

General

Target

0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe
Size

15KB
MD5

0ebc1f6e5b304686946b4ec4716d4a9c
SHA1

c8b37c6a9a8c4adf8a2e7a2643fdd247dc3a924c
SHA256

82bf3976864813303f88c6ed14030e7be1d45d09e094aadc848444840101415d
SHA512

1625d2948920acd10b28a1258ca3d17afb19fe12e5f1a78b6e950ade3ccb699540d5311acafe0abf19797723f3d86a257b16eb7f33d98a2df4487b02b9c33278
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJSmW:hDXWipuE+K3/SSHgxXW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3060	DEM1555.exe
2728	DEM6AC4.exe
2796	DEMBFF5.exe
2428	DEM1545.exe
2772	DEM6A57.exe
2212	DEMBF59.exe

Loads dropped DLL 6 IoCs

pid	Process
2416	0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe
3060	DEM1555.exe
2728	DEM6AC4.exe
2796	DEMBFF5.exe
2428	DEM1545.exe
2772	DEM6A57.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3060	2416	0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe	29
PID 2416 wrote to memory of 3060	2416	0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe	29
PID 2416 wrote to memory of 3060	2416	0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe	29
PID 2416 wrote to memory of 3060	2416	0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2728	3060	DEM1555.exe	31
PID 3060 wrote to memory of 2728	3060	DEM1555.exe	31
PID 3060 wrote to memory of 2728	3060	DEM1555.exe	31
PID 3060 wrote to memory of 2728	3060	DEM1555.exe	31
PID 2728 wrote to memory of 2796	2728	DEM6AC4.exe	35
PID 2728 wrote to memory of 2796	2728	DEM6AC4.exe	35
PID 2728 wrote to memory of 2796	2728	DEM6AC4.exe	35
PID 2728 wrote to memory of 2796	2728	DEM6AC4.exe	35
PID 2796 wrote to memory of 2428	2796	DEMBFF5.exe	37
PID 2796 wrote to memory of 2428	2796	DEMBFF5.exe	37
PID 2796 wrote to memory of 2428	2796	DEMBFF5.exe	37
PID 2796 wrote to memory of 2428	2796	DEMBFF5.exe	37
PID 2428 wrote to memory of 2772	2428	DEM1545.exe	39
PID 2428 wrote to memory of 2772	2428	DEM1545.exe	39
PID 2428 wrote to memory of 2772	2428	DEM1545.exe	39
PID 2428 wrote to memory of 2772	2428	DEM1545.exe	39
PID 2772 wrote to memory of 2212	2772	DEM6A57.exe	41
PID 2772 wrote to memory of 2212	2772	DEM6A57.exe	41
PID 2772 wrote to memory of 2212	2772	DEM6A57.exe	41
PID 2772 wrote to memory of 2212	2772	DEM6A57.exe	41

C:\Users\Admin\AppData\Local\Temp\0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\DEM1555.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1555.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\DEM6AC4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6AC4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\DEMBFF5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBFF5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\DEM1545.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1545.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\DEM6A57.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6A57.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\DEMBF59.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBF59.exe"
        7⤵
        Executes dropped EXE
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1545.exe

Filesize
15KB

MD5
016bc5cc2232571e53cfa42374094f7b

SHA1
3fb866c452fcd172e5711fdf448503306c76a00b

SHA256
e0e377059ea1737e0b53d6fa6ff22f3c719ec47ef5de7a13ab486f76a5a57c0b

SHA512
5f60e2757e6943c8fcb6ba623de63f7e442f19b584472dba125e76519dcf11d1106ff16df061b9656fc68327da3708fb394e8a435c311abd149be88be59426c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1555.exe

Filesize
15KB

MD5
10af52cf43a8f069b7bf7e04cb426ff9

SHA1
747e5d3bafb5c972d2dd900f4886ed38fc68ac78

SHA256
40779f16abb0aa061326f7e9e8ccf915a3cfe5ee4c27e34ad34daa49742f4027

SHA512
af93a1ebb26c87644abf2d22c733c5b3562c7c2ba94a9425dcf78ec8717bdcabf585a0d13e590eae9f58f4616a9ab96e49f8cbe3fc111b8a977f68facd856468

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6A57.exe

Filesize
15KB

MD5
c32631b0a8c82e8561beef815e82e4d0

SHA1
eb9e5eddcabcce06937187e56d4eb833369eff7f

SHA256
c6275c81975569790ff79212ba004af906b9382b1f65b5dde2ce312c4e162ff0

SHA512
80e79f08ec04d9350bbf8f6bb9a878f92b07c5488a0459d08362970c12da347ba209a60714726329183ea96a19f4d1ab595136f0a58d2ba927f0e3429d684629

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6AC4.exe

Filesize
15KB

MD5
8091291b1116ee3588c56a36dc733a8b

SHA1
6e630212c1d7acde112d2d26c314777f2a5004fc

SHA256
6bb04827bdd99387b3cf4718d352d22ae3742804b6f17e7bf40c90d19a19cfed

SHA512
386f6bc3f7c38d32a28bf9a6c59f56a185dbc4122a84d2aa1b784e446137741dbf30245293280c637c7cea2bbebc92846fa2d8462d3849b3414ef8848200c832

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBF59.exe

Filesize
15KB

MD5
231ad9b34fed91af8506d5f7d6faebdc

SHA1
a32fd35a67da2bf97edbb97fb016594c32f2a026

SHA256
64f3c184aa87e29e25a3b47f3f0d9227dd821b89f2f5e681a0ce9e8393d7f9bc

SHA512
5037a2a8c3877f62190b246a59d1bd3616f4ef8abec5b42896dbff5098cb6918436d0ab79c98fd2a8597db5822d0cb6088adcf2ef726cc66501cd0ce4e54caf8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBFF5.exe

Filesize
15KB

MD5
cda999d8319c3c0e1c50fac397018b5f

SHA1
ef26d0c0ad1d4d788b671840c0b35b56a2f76b9d

SHA256
90dcae5b4fc1f07c60d84d3d21339382f459916c192e9da7d66fe448a47dcb55

SHA512
3acda4e0ab272e2e34bbde047365578c4c54f91a8d3b79dda963356ee5c89b9bf0dd8d9372d5fd2687ee7d17f7cb5b7206b15b6ac9c7bb3799ce308195b7e56d

Download Submit

Analysis

Sharing