0d833e719d93403e66b29861ba178daabee52e91c0afd051af6f075e5030d2cd

General

Target

1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe
Size

15KB
MD5

1c6d59271e05d417695f7c9c7c283838
SHA1

e8e8d5b5a4bed12f82eadb4672b2992b1d7b81ad
SHA256

0d833e719d93403e66b29861ba178daabee52e91c0afd051af6f075e5030d2cd
SHA512

fca12859cc4350be7440ddbd65c370db8f3c64c418d04e30ff10eee1f5fa0ab88eeffbc6f40c8fa69206b60fb60c4bbb223f755a8ec002cf111993eac41748f7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8YBO:hDXWipuE+K3/SSHgxm8eO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2656	DEMF7B.exe
2420	DEM6529.exe
2748	DEMBB05.exe
1904	DEM1065.exe
1568	DEM65B5.exe
2204	DEMBAE6.exe

Loads dropped DLL 6 IoCs

pid	Process
1636	1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe
2656	DEMF7B.exe
2420	DEM6529.exe
2748	DEMBB05.exe
1904	DEM1065.exe
1568	DEM65B5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2656	1636	1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2656	1636	1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2656	1636	1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2656	1636	1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe	29
PID 2656 wrote to memory of 2420	2656	DEMF7B.exe	31
PID 2656 wrote to memory of 2420	2656	DEMF7B.exe	31
PID 2656 wrote to memory of 2420	2656	DEMF7B.exe	31
PID 2656 wrote to memory of 2420	2656	DEMF7B.exe	31
PID 2420 wrote to memory of 2748	2420	DEM6529.exe	35
PID 2420 wrote to memory of 2748	2420	DEM6529.exe	35
PID 2420 wrote to memory of 2748	2420	DEM6529.exe	35
PID 2420 wrote to memory of 2748	2420	DEM6529.exe	35
PID 2748 wrote to memory of 1904	2748	DEMBB05.exe	37
PID 2748 wrote to memory of 1904	2748	DEMBB05.exe	37
PID 2748 wrote to memory of 1904	2748	DEMBB05.exe	37
PID 2748 wrote to memory of 1904	2748	DEMBB05.exe	37
PID 1904 wrote to memory of 1568	1904	DEM1065.exe	39
PID 1904 wrote to memory of 1568	1904	DEM1065.exe	39
PID 1904 wrote to memory of 1568	1904	DEM1065.exe	39
PID 1904 wrote to memory of 1568	1904	DEM1065.exe	39
PID 1568 wrote to memory of 2204	1568	DEM65B5.exe	41
PID 1568 wrote to memory of 2204	1568	DEM65B5.exe	41
PID 1568 wrote to memory of 2204	1568	DEM65B5.exe	41
PID 1568 wrote to memory of 2204	1568	DEM65B5.exe	41

C:\Users\Admin\AppData\Local\Temp\1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\DEMF7B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF7B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\DEM6529.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6529.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\DEMBB05.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBB05.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\DEM1065.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1065.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\DEM65B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM65B5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\DEMBAE6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBAE6.exe"
        7⤵
        Executes dropped EXE
        
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6529.exe

Filesize
15KB

MD5
72299b9850839e4640a1f11d628f6ad6

SHA1
902761e188e04c856d40e27b37f785ff19feb5fc

SHA256
6d2e288242b541e7faa1b42b59ad56ff48017e374fe565351263f281cd292385

SHA512
f7d45d97d85c82cbf499bd17130891b1014501053cfba64aa2bc54e5a8686cb08b4a04129e443ec4081c5fcf14aa8bff2ffa38e894768007cf34ceae20378484

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB05.exe

Filesize
16KB

MD5
ef72e5cefc9cd41204b5d51fc0e089af

SHA1
1eb566b1377c9f480826d47799ee024d88d97e00

SHA256
3382107fd60ccc013bb1ea0928a45fb152d53ad4c6d936fd73e54e433252680e

SHA512
493fbc3fb694dfd45f509ba662c27fc07633287f317b1915ff7856d97b0b196298142234bd0244ddc7dda17ff9dc8123b3dcd9cbcfc5660bdf87681d0c3a17e2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1065.exe

Filesize
16KB

MD5
4faf6376e5c893c5f750095763b22fbf

SHA1
2701f26f3e2bf30a93de85c2a79625ebea4e082f

SHA256
722ba802953d86bd701b7f174f86f21678f209361b211d8c0ba19def0692211c

SHA512
3e9df6dc1593ade9b4cf1624e778e2962dcf6ac070695b936eef1fdf6ca6e3e090f0e38234092bf1abf62a49d736ea18b47ea79afd19e2ff52ea96a3636948e2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM65B5.exe

Filesize
16KB

MD5
e0cc6bd94c7fb1380dabf123304e08c1

SHA1
91908cb1e8f384db9c14fb4e13d29c9883c00c6a

SHA256
64e65da174bd601b233be90116d0432e362a1eea419a65919994c5756f54d1e3

SHA512
3a135f872ce14d9f17c4304ccaf7797967d91162051ecb80eeabce1f1e6a5f29e829b31aa877bd5668e8634bba91729c7bb955ee5031f6764af9cf8ef67a6ffc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBAE6.exe

Filesize
16KB

MD5
0ffb7ef5325ed5b256624e386813f032

SHA1
87934c395f34628562fc45f0738391be3845f74d

SHA256
48def023c106b92f53622c760d06fd719e08c1ae687e6371c27463ef4f939cc8

SHA512
089f8f12272f360d534a10d563a10a80bcdeee6aba30157a961bba3d6f1812523b405465ac4a4b814a569cf9294e84ea56e3de115d0147c6a82b7f6ed8bd7c6f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF7B.exe

Filesize
15KB

MD5
86797b3c08e24beaac84c381a576275b

SHA1
0bfa2a4da35add2d0e38a995696ab5f722c7ab21

SHA256
b54ec31f72fda8e5f711b2eec7b44e72afbb601ffc2767529921bf93ac636fb6

SHA512
907e3383542668a457594489598189d644e3b16a2f754d7a2a172cd1fd67ccb7e4cf41df78df78539884505dcf98e732c11befbf062586e92061505c8e658d8b

Download Submit

Analysis

Sharing