1f7da0bd7f0a915575c9bc9da281022fc63982644c2dec2f24494864b112b9ed

General

Target

23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe
Size

15KB
MD5

23eb3df84269b7dece78a7777523e300
SHA1

f4ff028d2196d28baefab4c58c266afe25138ce8
SHA256

1f7da0bd7f0a915575c9bc9da281022fc63982644c2dec2f24494864b112b9ed
SHA512

844d0251a35e5a25e1554f505772a4c6713111b81ef91eb46a54ed812c511d2f5ad02b59e150ec6280e4c0fff3f7cff581a1faddb758a9bb7e4c87b24c831bde
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4X:hDXWipuE+K3/SSHgxmW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2548	DEMFE8.exe
2668	DEM65A6.exe
2428	DEMBB25.exe
1944	DEM1084.exe
2164	DEM65E4.exe
2804	DEMBB26.exe

Loads dropped DLL 6 IoCs

pid	Process
2884	23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe
2548	DEMFE8.exe
2668	DEM65A6.exe
2428	DEMBB25.exe
1944	DEM1084.exe
2164	DEM65E4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2548	2884	23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe	29
PID 2884 wrote to memory of 2548	2884	23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe	29
PID 2884 wrote to memory of 2548	2884	23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe	29
PID 2884 wrote to memory of 2548	2884	23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2668	2548	DEMFE8.exe	31
PID 2548 wrote to memory of 2668	2548	DEMFE8.exe	31
PID 2548 wrote to memory of 2668	2548	DEMFE8.exe	31
PID 2548 wrote to memory of 2668	2548	DEMFE8.exe	31
PID 2668 wrote to memory of 2428	2668	DEM65A6.exe	35
PID 2668 wrote to memory of 2428	2668	DEM65A6.exe	35
PID 2668 wrote to memory of 2428	2668	DEM65A6.exe	35
PID 2668 wrote to memory of 2428	2668	DEM65A6.exe	35
PID 2428 wrote to memory of 1944	2428	DEMBB25.exe	37
PID 2428 wrote to memory of 1944	2428	DEMBB25.exe	37
PID 2428 wrote to memory of 1944	2428	DEMBB25.exe	37
PID 2428 wrote to memory of 1944	2428	DEMBB25.exe	37
PID 1944 wrote to memory of 2164	1944	DEM1084.exe	39
PID 1944 wrote to memory of 2164	1944	DEM1084.exe	39
PID 1944 wrote to memory of 2164	1944	DEM1084.exe	39
PID 1944 wrote to memory of 2164	1944	DEM1084.exe	39
PID 2164 wrote to memory of 2804	2164	DEM65E4.exe	41
PID 2164 wrote to memory of 2804	2164	DEM65E4.exe	41
PID 2164 wrote to memory of 2804	2164	DEM65E4.exe	41
PID 2164 wrote to memory of 2804	2164	DEM65E4.exe	41

C:\Users\Admin\AppData\Local\Temp\23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\DEMFE8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMFE8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\DEM65A6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM65A6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\DEMBB25.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBB25.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\DEM1084.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1084.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Users\Admin\AppData\Local\Temp\DEM65E4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM65E4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\DEMBB26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB26.exe"
        7⤵
        Executes dropped EXE
        
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM65A6.exe

Filesize
15KB

MD5
19e820421498084812d31a61557d4a02

SHA1
a433b8f30c75939f9a0688d1a758d8a14444ec9a

SHA256
bb6955dec9ebef01044f5796dfb29c4efe5044021bcae47b548c93848c16f76b

SHA512
ed95a0ac0409556aea485a49419cab5a427159c1f1dcbe9575b7b25cbabdf1d464cdd329d5d1c32cb741656765d546482ac88f355e6b622d658429d7f91378d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB25.exe

Filesize
15KB

MD5
62c0d1de1bef2cff29db629d01fd0f33

SHA1
f47fe8651ad18694240544b2842c5356d73565b6

SHA256
cc27b2db89b80ea00f84ad9cf5dd0142aa731b0e4a7b36c945336837da42ccd1

SHA512
f41dc4f806109bd575724a625129efaa548c759de1f78489faec930cbf32ce08199dc205baaa2965bdffb7df457dbf42ece42ba89ceed6a3b9742d93aa9e7f50

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1084.exe

Filesize
15KB

MD5
d01efea446f84193fb414774a765ac6b

SHA1
7d39eac97c65d2ca74aa4b8aa29e78e9233ae2fd

SHA256
f5c2fb1d6580bd1e58a9e518e339017eb731e49283da8384dd2e352c9a0e8faa

SHA512
eae9097f6bbaf8dc4743e0024e1ac72896f0a9e92bafd4474085ec26256e240c7e2ea7eb1d07b77bf8e77037fa5cd916c5e63a41eadcc77ea5d0cf832adcd7c6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM65E4.exe

Filesize
15KB

MD5
159b47016d795798121511cb80568bd3

SHA1
39dac783a268dc3e225733617c3909ecab3c2e50

SHA256
ae675ca22bad2e5d595f60f96064c334490c37ab192bb48badf9263c75a5f393

SHA512
2ce767ea08f79677f9b05b948c610cb81b9e43b9cbb6c56344e903bd74e99e6b7e867e5a6b83a017c41e9236fa8d892f2a6cf7957d0d3d6a07cfe6b9a036a798

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBB26.exe

Filesize
15KB

MD5
6a421a594800aff2ea0d23a1cf6fc33c

SHA1
cf1e721c01d24a9eaba3399e9158d23437b8f9cc

SHA256
c652a3a786bf6364887f49d28a3f21abaaf78ae7f7a442b1b52735ae484f5d17

SHA512
fbdb4f1ce03e8597048938c2cc32d3209efd18c1bf82419098ee3f914b5af501928ee24fe768f61fd34f0932c30c7910ec8b015f088fdb8e667c61a14e326a85

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFE8.exe

Filesize
15KB

MD5
63440d590b31da18ad6a6f67f9524c96

SHA1
c2f3addc119a103dded365cd79ceb879c5653668

SHA256
515cd1126799abb1ff485b021bb0c613e5c62a8d002852e2c5fb4464b4b5d33d

SHA512
d89da16e85dee15983020d790d61fecf5d367660d4da404ab392c773e2aaef83eacf4fa8cd50a22d8fe54fdfee44c8e38bad346400237ca755d92890778b9822

Download Submit

Analysis

Sharing