4518b0fbd154e48997f7893d76ac91556ec762268095863348235333801e7264

General

Target

156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe
Size

16KB
MD5

156859d274545c043c3e7a8e201d9c99
SHA1

c5c66160478520b06eac1071ae2ce4852dc34075
SHA256

4518b0fbd154e48997f7893d76ac91556ec762268095863348235333801e7264
SHA512

58f404b0e630b34fe53ae022a7c369c2674777a3d840fb0ef52bcba71911a026dea9215374f5916cb49775cdbfbe40928b947521ba7ff542c058862ee0472689
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlh:hDXWipuE+K3/SSHgxmlh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2840	DEM1249.exe
2672	DEM6825.exe
2748	DEMBD75.exe
1852	DEM12E5.exe
1212	DEM6826.exe
2356	DEMBD66.exe

Loads dropped DLL 6 IoCs

pid	Process
2100	156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe
2840	DEM1249.exe
2672	DEM6825.exe
2748	DEMBD75.exe
1852	DEM12E5.exe
1212	DEM6826.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2840	2100	156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe	29
PID 2100 wrote to memory of 2840	2100	156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe	29
PID 2100 wrote to memory of 2840	2100	156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe	29
PID 2100 wrote to memory of 2840	2100	156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe	29
PID 2840 wrote to memory of 2672	2840	DEM1249.exe	31
PID 2840 wrote to memory of 2672	2840	DEM1249.exe	31
PID 2840 wrote to memory of 2672	2840	DEM1249.exe	31
PID 2840 wrote to memory of 2672	2840	DEM1249.exe	31
PID 2672 wrote to memory of 2748	2672	DEM6825.exe	35
PID 2672 wrote to memory of 2748	2672	DEM6825.exe	35
PID 2672 wrote to memory of 2748	2672	DEM6825.exe	35
PID 2672 wrote to memory of 2748	2672	DEM6825.exe	35
PID 2748 wrote to memory of 1852	2748	DEMBD75.exe	37
PID 2748 wrote to memory of 1852	2748	DEMBD75.exe	37
PID 2748 wrote to memory of 1852	2748	DEMBD75.exe	37
PID 2748 wrote to memory of 1852	2748	DEMBD75.exe	37
PID 1852 wrote to memory of 1212	1852	DEM12E5.exe	39
PID 1852 wrote to memory of 1212	1852	DEM12E5.exe	39
PID 1852 wrote to memory of 1212	1852	DEM12E5.exe	39
PID 1852 wrote to memory of 1212	1852	DEM12E5.exe	39
PID 1212 wrote to memory of 2356	1212	DEM6826.exe	41
PID 1212 wrote to memory of 2356	1212	DEM6826.exe	41
PID 1212 wrote to memory of 2356	1212	DEM6826.exe	41
PID 1212 wrote to memory of 2356	1212	DEM6826.exe	41

C:\Users\Admin\AppData\Local\Temp\156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\DEM1249.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1249.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\DEM6825.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6825.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\DEMBD75.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBD75.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\DEM12E5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM12E5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Users\Admin\AppData\Local\Temp\DEM6826.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6826.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\DEMBD66.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD66.exe"
        7⤵
        Executes dropped EXE
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6825.exe

Filesize
16KB

MD5
6d80ac7585e9541f212b2818b278834d

SHA1
349f4e62577267529374693e4b9b57702967a370

SHA256
48ca2d37d580fae3a90d632b2a7eac4ac48cb7d1a0f30eb829b6c95648c455eb

SHA512
5917b893b15991d4c0268c77b4a52f9dc00d307015a151dc78bf39cf95b4094ec395b1c455d4c0bef5d30bfe22e74892df9671a7e0119a2ca66745a7e141965a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1249.exe

Filesize
16KB

MD5
3106a3aefca53bbc83d283c7209a9cb9

SHA1
8ee7e04790d4854a04bc913ab8ca85d7488d09ce

SHA256
e7ca8e2d7a009bbc57a1db88c675f5fc9467cd635e3e793bd78755c8c35bbd15

SHA512
ed55776640f7b46e631933a544199c2d7b157efe5b2369f3cce9481a0f91c4316005f617cf3c150c2ee5b75053cd52804490472f1254d363d922675cb335ee4c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM12E5.exe

Filesize
16KB

MD5
6d6d14f3aee313ee47fb8bc16be40dc3

SHA1
54581e39651ece8e772f7094128b520c30371dcb

SHA256
e63f9192ee5b3a39a773a9007055fd8a0ed59753251a2f1bc81a35d1775689e8

SHA512
0953c6b54422e28173d38490ccaca936ebe76e283d2882719a3541b8f4a060fd0be2250ecce5ec141be2ba355ae9392767acb0b202fd3b22d7254441ec754735

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6826.exe

Filesize
16KB

MD5
49b05c92d7a38ba99dbae575bb7cbb7f

SHA1
ce6238198ce306ca314f71df72fafcf1c8825d4b

SHA256
937286505a6435914fdc95bc9b631c3ee9eb52bd4ac6a7271dc432976a693091

SHA512
729b6912c2898c6e86b0cc1973871067d931deda6c13969ae2fac3e405bdfa1eefd35e6dbd06884fbaf1b2797aaef5da65ce6f98d8c5e59a064ffc9a0c8cb170

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD66.exe

Filesize
16KB

MD5
0e56b7bf76eb0019745daad070fce4a1

SHA1
9d72042123eb15f0f013367f499340d9761f16b7

SHA256
e4a67115520f3987f3d4246796a7c15e6277cf8ce9368e5bc952eb7657f5f301

SHA512
51c13651ec84ccd427b14756a969a8660f8f3fa780c2b782aa07df83dd611dec15f7d945adf9c9588be3d682a68159c52a4777c70c49e91f0bfa5a8226d79f98

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD75.exe

Filesize
16KB

MD5
fd1bc84bb56f4c5fb7fb773c3ffb2bff

SHA1
de80db4248f6d32958ed3e04650a0049fdebb431

SHA256
13638e7ab4d3ef3dc35c5a14416baff1bfe7a88f5096d13fa4d30c952cc88ae5

SHA512
472c8148b99197bc4c3f254f8dcbdb89436b24b16aff1178cf18dd7be93ba648e838c3f50f79ddbb92f07d7c9eb433a206e3a0eaed9d948bee1edd22b0376a6c

Download Submit

Analysis

Sharing