6b3e85771545eb33cd7e20d55f160710fb02773a8b80896f9194ac4164a8d688

General

Target

1871ff55ae441349e24e0a002293c9af_JaffaCakes118.exe
Size

14KB
MD5

1871ff55ae441349e24e0a002293c9af
SHA1

aae1ce84257eb16e7e8a40ed69660abb9b97e655
SHA256

6b3e85771545eb33cd7e20d55f160710fb02773a8b80896f9194ac4164a8d688
SHA512

ea1110fbf93224a86dca45cad4f5b5a6b600b9894ab1cd5c11b026f27c6e96c3abf4e21abb6d633eaafb55fe86439a3c9c0bfbc1f6dcb3da1c68b07427bb2308
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq441/ea:hDXWipuE+K3/SSHgxmq441/ea

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1060	DEMB95.exe
2732	DEM6181.exe
1632	DEMB6E1.exe
1976	DEMCAE.exe
348	DEM61DF.exe
2124	DEMB7AB.exe

Loads dropped DLL 6 IoCs

pid	Process
2792	1871ff55ae441349e24e0a002293c9af_JaffaCakes118.exe
1060	DEMB95.exe
2732	DEM6181.exe
1632	DEMB6E1.exe
1976	DEMCAE.exe
348	DEM61DF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1060	2792	1871ff55ae441349e24e0a002293c9af_JaffaCakes118.exe	29
PID 2792 wrote to memory of 1060	2792	1871ff55ae441349e24e0a002293c9af_JaffaCakes118.exe	29
PID 2792 wrote to memory of 1060	2792	1871ff55ae441349e24e0a002293c9af_JaffaCakes118.exe	29
PID 2792 wrote to memory of 1060	2792	1871ff55ae441349e24e0a002293c9af_JaffaCakes118.exe	29
PID 1060 wrote to memory of 2732	1060	DEMB95.exe	31
PID 1060 wrote to memory of 2732	1060	DEMB95.exe	31
PID 1060 wrote to memory of 2732	1060	DEMB95.exe	31
PID 1060 wrote to memory of 2732	1060	DEMB95.exe	31
PID 2732 wrote to memory of 1632	2732	DEM6181.exe	35
PID 2732 wrote to memory of 1632	2732	DEM6181.exe	35
PID 2732 wrote to memory of 1632	2732	DEM6181.exe	35
PID 2732 wrote to memory of 1632	2732	DEM6181.exe	35
PID 1632 wrote to memory of 1976	1632	DEMB6E1.exe	37
PID 1632 wrote to memory of 1976	1632	DEMB6E1.exe	37
PID 1632 wrote to memory of 1976	1632	DEMB6E1.exe	37
PID 1632 wrote to memory of 1976	1632	DEMB6E1.exe	37
PID 1976 wrote to memory of 348	1976	DEMCAE.exe	39
PID 1976 wrote to memory of 348	1976	DEMCAE.exe	39
PID 1976 wrote to memory of 348	1976	DEMCAE.exe	39
PID 1976 wrote to memory of 348	1976	DEMCAE.exe	39
PID 348 wrote to memory of 2124	348	DEM61DF.exe	41
PID 348 wrote to memory of 2124	348	DEM61DF.exe	41
PID 348 wrote to memory of 2124	348	DEM61DF.exe	41
PID 348 wrote to memory of 2124	348	DEM61DF.exe	41

C:\Users\Admin\AppData\Local\Temp\1871ff55ae441349e24e0a002293c9af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1871ff55ae441349e24e0a002293c9af_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\DEMB95.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB95.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\DEM6181.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6181.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\DEMB6E1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB6E1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Users\Admin\AppData\Local\Temp\DEMCAE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCAE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\DEM61DF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM61DF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\DEMB7AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB7AB.exe"
        7⤵
        Executes dropped EXE
        
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6181.exe

Filesize
14KB

MD5
3fd7a003661cbb0b170c28f46f68fece

SHA1
95b462cce05e8c7ae35e1a80e7b73fb36f7d78ac

SHA256
642b76283d3506c7b7d3d3be65887f0f605aedeb16939c8666162b12359d2508

SHA512
214c6a9f1114ced2971161a24b9cb356d35669b88257cee869b9ac8ec7bb4322e3851da6c8d7c5e89a78da596e19ce52561e592785ee1a28d78610c61bccf2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB7AB.exe

Filesize
14KB

MD5
6ab6bfdb3bb2afff355188cde806504d

SHA1
19ff60c367a9ca813f25c1776b0357a42b40e9ea

SHA256
8ca9e7258035a15000dc7ca305e60b053d15bfa3eb86e051f631697889bdff96

SHA512
6cd9dc8a42ba8054c3c7468494bc7d24b0cf4c664d7e01474b25278146998c4bf7306d2cacbdde8e64357cf34f530361b83afe0efe5bfd267aa13fe84425c843

Download Submit
\Users\Admin\AppData\Local\Temp\DEM61DF.exe

Filesize
14KB

MD5
57ff9cf4f7437e9085783c6789f84ddd

SHA1
fc2ff059c85a788ae25f49ce21a74014a0a10ea7

SHA256
c2162f87b33e6cfbd3af24180e6eb7bfda74117ccc1d3f50ddf332a23987c4a3

SHA512
586c63e6721564298cdc9defb8669f4411031ceb619433cf0763ca2d185bc550aef4a3faa5521e9b0045a5551e109c35fdc803e5d3d2ac536a59148f5891c1d4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB6E1.exe

Filesize
14KB

MD5
3cdead72a29daf09991aa297933d3d83

SHA1
92e3ba0c4380a59a92a196b0831158de459f7d17

SHA256
2d23f64a6e65cc8e6cb9753fd933798dfd9a06da6015b21f7f2f6aa757d5b704

SHA512
e4039b8b3a47a275599eb4211a5f1c78ef1298fb26aceb10b9bfb312aeb7d6b718538fc7c76510254ad2b660b87cef550d3b57649c559638fc1eaab01673ba9a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB95.exe

Filesize
14KB

MD5
8f9a8d9ce07ebe5e3466fd9465e814ff

SHA1
8b5941d8b7a9880f99d44b3f574a2a4d9f1e47a0

SHA256
2924f8ba7256907be5a7188d111d0e9b3fac4c91a4a6e998434fcd77f69f38c5

SHA512
817ca70c121f9ea265e85855cfcd393c1fb475e9c4474908035eedd7c0040caaa0ee9e7d04364de30699dcd917f8f9b274ce0d2817afb31f9e77406455eca31c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCAE.exe

Filesize
14KB

MD5
3b99b737dd48fadecc161fc009235cb2

SHA1
3cf76195c52eaeb053b85c459b9568d405c35d33

SHA256
7152e9a8c58e5e986da7b4e99d57e9b1bc9615895e2f8232020559995b5144e0

SHA512
a15e3e299dd2f87ce0d51937d50968f66f1b4833889a841c254d604155f334586541f7e85fb0c66c70d3cf3d2e23faa603ac058e93238e074722ec75e9ca7501

Download Submit

Analysis

Sharing