fdfc903b97cdbfab6a3b152daf75bc2e0124fa1d561bb589505e2be5cc962f43

General

Target

1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
Size

15KB
MD5

1bc5ac86fe53c6ef51a763c704eb36b6
SHA1

6409c5d206f6851829895c0887e5e85b7433c706
SHA256

fdfc903b97cdbfab6a3b152daf75bc2e0124fa1d561bb589505e2be5cc962f43
SHA512

f8ee14d99f71161e38032e2dbe4e4b55e18bf38d7c1dadb00d5cc61886b0bc054bc9a74b43f5913bdcd8114f37ce6a6cf34039b00321c2ed316c5ac8d7eac377
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hEuBmSN:hDXWipuE+K3/SSHgxmMISN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2068	DEM60F4.exe
1828	DEMB941.exe
912	DEMF8B.exe
1940	DEM6623.exe
1260	DEMBC9B.exe
628	DEM12A6.exe

Loads dropped DLL 6 IoCs

pid	Process
2884	1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
2068	DEM60F4.exe
1828	DEMB941.exe
912	DEMF8B.exe
1940	DEM6623.exe
1260	DEMBC9B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2068	2884	1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe	29
PID 2884 wrote to memory of 2068	2884	1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe	29
PID 2884 wrote to memory of 2068	2884	1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe	29
PID 2884 wrote to memory of 2068	2884	1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe	29
PID 2068 wrote to memory of 1828	2068	DEM60F4.exe	33
PID 2068 wrote to memory of 1828	2068	DEM60F4.exe	33
PID 2068 wrote to memory of 1828	2068	DEM60F4.exe	33
PID 2068 wrote to memory of 1828	2068	DEM60F4.exe	33
PID 1828 wrote to memory of 912	1828	DEMB941.exe	35
PID 1828 wrote to memory of 912	1828	DEMB941.exe	35
PID 1828 wrote to memory of 912	1828	DEMB941.exe	35
PID 1828 wrote to memory of 912	1828	DEMB941.exe	35
PID 912 wrote to memory of 1940	912	DEMF8B.exe	37
PID 912 wrote to memory of 1940	912	DEMF8B.exe	37
PID 912 wrote to memory of 1940	912	DEMF8B.exe	37
PID 912 wrote to memory of 1940	912	DEMF8B.exe	37
PID 1940 wrote to memory of 1260	1940	DEM6623.exe	39
PID 1940 wrote to memory of 1260	1940	DEM6623.exe	39
PID 1940 wrote to memory of 1260	1940	DEM6623.exe	39
PID 1940 wrote to memory of 1260	1940	DEM6623.exe	39
PID 1260 wrote to memory of 628	1260	DEMBC9B.exe	41
PID 1260 wrote to memory of 628	1260	DEMBC9B.exe	41
PID 1260 wrote to memory of 628	1260	DEMBC9B.exe	41
PID 1260 wrote to memory of 628	1260	DEMBC9B.exe	41

C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\DEM60F4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM60F4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\DEMB941.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB941.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\DEMF8B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF8B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Users\Admin\AppData\Local\Temp\DEM6623.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6623.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\DEM12A6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM12A6.exe"
        7⤵
        Executes dropped EXE
        
        PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB941.exe

Filesize
15KB

MD5
d25b92baa547b1282ce2a3a759c40420

SHA1
05333c9efe9660af2ab45dc6f3be5b77219a6be1

SHA256
ef26550cbcfbdcb86fb5e573f1de7c0766f210fbd93357fc2ac46426430793bd

SHA512
95f49c882f13b7aabe28b376eadd1e62dd79592777543b9520cf32c72db0d196856b70f80431093c875d8c17f581419fb29a96c39758ea0e618f868a9e54bd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe

Filesize
15KB

MD5
886eb9174bd70e7a46e4089da5476477

SHA1
d86042873f0cd93c47c378a84bf22002d8cd7bc1

SHA256
ab623e2542c51a632ea590ca33d36493f71afc43622ff9c6c0441d5c157b40cb

SHA512
eeeeaf23ecb493798c55cea5ab58d1555bcd26d7171a177ee09f7c25d625845bd762f22f3b3902977fc3b2282a632d6ee5d2cf77933be2983020d084ccbd9500

Download Submit
\Users\Admin\AppData\Local\Temp\DEM12A6.exe

Filesize
15KB

MD5
a2e21c044d4491250acb56959a2ef7cf

SHA1
3398265ca50f5d3b46f00c8e4469e167c3ba8900

SHA256
e0cd83e5dba09d0ac2eda17622e7d44c01228570c03835e41e34094cc03e510f

SHA512
4fb52c316a0c032137ba67e649a313d1c49384adbabd652f27c7336098e6b12f05bbfb68021dd55b89633b75c8b543d7046318ae826d8a25ecaddf79a847611e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM60F4.exe

Filesize
15KB

MD5
2fb4f35b79b82b8f7514abef7cbffbe3

SHA1
e9229195b97db2935725c1b1d9b1337afb57dbfa

SHA256
7b2fcc66bce0c8f3c342a6f0e63d50b376edf2955fd7ec5e04011498790a1df5

SHA512
cdf8cf780583877f4a876974acbf929abb4cda7f9c8c4674a1e9f83947f2f79fab1357ee3952515a798e00df857a8f370d6b62698bd1744a4e79aadd292293a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6623.exe

Filesize
15KB

MD5
1b02cb146c4a5591327e2aa4de4d818e

SHA1
931631b80f2de067a389f85b004afc3e64358487

SHA256
5738b999079bee39c9595ddd621a4f6bcaf1f5fdeb2fbd12c63e45fa22cea452

SHA512
4af4863ae4680e6e70210cf2aeda2ba898f80f766a6444659f2072d4c717c33cb4fe56a32528abcc8b7d891dbcca2291131d94462ec9bbd6d9894813e5841035

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF8B.exe

Filesize
15KB

MD5
27a196665c15508c5975557dbf0f6a1a

SHA1
2489c7e9cf57dae739834063e271c4e79230b549

SHA256
cc4ce2a5eaa6119cc53ed715340cfcd53208ea993a214c9370c918df20626858

SHA512
d7bbbe8618c5afc974ecac7a1b7f1672931f30191a9a29df6ac82f493115f9a09279dda52d60aa7367a581ff698b63ef0b098d8c8d7a3c6ef20181a8caf46cc0

Download Submit

Analysis

Sharing