3cb2c9ebd37e3c431f54fc964a84bc5f6a0fa2f6a2e980bf667581b069af38ff

General

Target

0eea2dcc23ab02365a367755f6a5ae1b_JaffaCakes118.exe
Size

14KB
MD5

0eea2dcc23ab02365a367755f6a5ae1b
SHA1

48393ddaadb2642871f3233e270b0d546de7060b
SHA256

3cb2c9ebd37e3c431f54fc964a84bc5f6a0fa2f6a2e980bf667581b069af38ff
SHA512

5cd93129af70ccbfa9f98187a9724a6cebc77456ea90fea96b2c9c35925b20563c84136801b0735afa55eac315dbff208a92b97032b4c248960b7abb741be0ec
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0P:hDXWipuE+K3/SSHgx4P

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2560	DEM1CF3.exe
2712	DEM731D.exe
1520	DEMC89C.exe
2352	DEM1DFC.exe
2232	DEM739A.exe
2204	DEMC8FA.exe

Loads dropped DLL 6 IoCs

pid	Process
1688	0eea2dcc23ab02365a367755f6a5ae1b_JaffaCakes118.exe
2560	DEM1CF3.exe
2712	DEM731D.exe
1520	DEMC89C.exe
2352	DEM1DFC.exe
2232	DEM739A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2560	1688	0eea2dcc23ab02365a367755f6a5ae1b_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2560	1688	0eea2dcc23ab02365a367755f6a5ae1b_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2560	1688	0eea2dcc23ab02365a367755f6a5ae1b_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2560	1688	0eea2dcc23ab02365a367755f6a5ae1b_JaffaCakes118.exe	29
PID 2560 wrote to memory of 2712	2560	DEM1CF3.exe	31
PID 2560 wrote to memory of 2712	2560	DEM1CF3.exe	31
PID 2560 wrote to memory of 2712	2560	DEM1CF3.exe	31
PID 2560 wrote to memory of 2712	2560	DEM1CF3.exe	31
PID 2712 wrote to memory of 1520	2712	DEM731D.exe	35
PID 2712 wrote to memory of 1520	2712	DEM731D.exe	35
PID 2712 wrote to memory of 1520	2712	DEM731D.exe	35
PID 2712 wrote to memory of 1520	2712	DEM731D.exe	35
PID 1520 wrote to memory of 2352	1520	DEMC89C.exe	37
PID 1520 wrote to memory of 2352	1520	DEMC89C.exe	37
PID 1520 wrote to memory of 2352	1520	DEMC89C.exe	37
PID 1520 wrote to memory of 2352	1520	DEMC89C.exe	37
PID 2352 wrote to memory of 2232	2352	DEM1DFC.exe	39
PID 2352 wrote to memory of 2232	2352	DEM1DFC.exe	39
PID 2352 wrote to memory of 2232	2352	DEM1DFC.exe	39
PID 2352 wrote to memory of 2232	2352	DEM1DFC.exe	39
PID 2232 wrote to memory of 2204	2232	DEM739A.exe	41
PID 2232 wrote to memory of 2204	2232	DEM739A.exe	41
PID 2232 wrote to memory of 2204	2232	DEM739A.exe	41
PID 2232 wrote to memory of 2204	2232	DEM739A.exe	41

C:\Users\Admin\AppData\Local\Temp\0eea2dcc23ab02365a367755f6a5ae1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0eea2dcc23ab02365a367755f6a5ae1b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\DEM1CF3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1CF3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\DEM731D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM731D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Users\Admin\AppData\Local\Temp\DEM739A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM739A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\DEMC8FA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC8FA.exe"
        7⤵
        Executes dropped EXE
        
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM731D.exe

Filesize
14KB

MD5
02696cfc7347dd045637b70187269214

SHA1
4f88aaab848e0b80bd514d2a5dd803e7e3815dff

SHA256
ff3188762b8908f120a9877b149a74b24902d679378b4aaf471df12dcddaead1

SHA512
187e8711952192f31ff237433a355a37a440b6bcde75a9e0c2f9b98e7cbfddcb012b43b8a524fe256e94da90e0f58e5f2dbaf320dbc46ead83f865948f0c102a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe

Filesize
14KB

MD5
b4c2e1b4cf2a8879f46a73da5c48a685

SHA1
68f2b4882d50d547e7351202c6264f686dcc2f50

SHA256
ca26a7364b0ea47e6d033e8d36c9c7a2f25b79970a99407071228a2c0f1a6eda

SHA512
bf9f3b6c73f1cac17ef8c3b483ecd658220b2c4ce1d5215c091d932f32afcfcca204bc25b6b894ab6b5196e431b298f9d8dc94ad99d280f577ff79cd916ad785

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC8FA.exe

Filesize
14KB

MD5
84553484e637b024fdad0c3514599d31

SHA1
655a9295909f4a467110f4fdea71b0aeab62fa7e

SHA256
0f3c32a13e8693e27b5b735644b3e72d06ac54b9623381151a6536a073afcd14

SHA512
ccd2d41128ffa05d5dc6b0d536b6f0628b1e4e48ee87e41f8baac4732dcb759476e8c60c107bcf2395c9b1bbf01c5f9e8504841bc213f21b3e668181de7db1cf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1CF3.exe

Filesize
14KB

MD5
e35141e06cd2644ff2f34f03e83ca6b5

SHA1
847677dd73330fc99f34165d0a8c11a38b734094

SHA256
6f4a7fe8a1792e65f281f607d7508320874ef6fd425d3238b4edc83284a7f3c2

SHA512
6bc0cf12cccbeda6e62b336ec024ffe9c77089addae2c9897ef0a559878ec9333f7a6866131665e953ac87dec6f8ba40f8b22e8e1eefd4686aa91bf76fcbb2f6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1DFC.exe

Filesize
14KB

MD5
b9f7ef2c93550796ce78447aba1dad7f

SHA1
ce8b7cf5cd9b15c8e1dde0c36629ec1c6d7f86ec

SHA256
b911855a9602ae0dbd199161aaa6bf4e44b8ec6249f6fcca2309f3267a23f1d4

SHA512
7459b64258b3bb0dd63532da95ac9a3136cb6ba6a9f6d1f50b6d208099cc7f841b5ab8f03a507cda87923a0dbaa056caababda21df7c16bb5259628ecf908f39

Download Submit
\Users\Admin\AppData\Local\Temp\DEM739A.exe

Filesize
14KB

MD5
6472978cf78255b03cc3056d00358a32

SHA1
4e0122ae2f8d5478fa90a0c122be751607f69925

SHA256
e1c003679b26cd0aed92a3ba0f10b8c99571ac8a46936274c88515b6f968f8de

SHA512
77439438509469db7d472851efd3049fb424e23ed4fad6587069c811cf5407957e457f35d5396c884013e546a9e6582df985f6c144cae83e98670518fcb1238e

Download Submit

Analysis

Sharing