e5a8755ff69ca519bf9178b5bf5f86a1777724b17e34bc9fbd1be4496d2c28c8

General

Target

267327823a11c335d2ab703be96052a7_JaffaCakes118.exe
Size

15KB
MD5

267327823a11c335d2ab703be96052a7
SHA1

4066079a2f2f2782d95f26c9321e4769060d45f2
SHA256

e5a8755ff69ca519bf9178b5bf5f86a1777724b17e34bc9fbd1be4496d2c28c8
SHA512

1d16bda64d788f848da08986a0a1d218aed8c192154f0707ce4fc0f92c28a75870770aaad0afee116b4cbd6b23d341bd3f54ecce04ef58f56e1324a6a93e3575
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcd:hDXWipuE+K3/SSHgxmkd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
872	DEM4318.exe
2536	DEMA0B2.exe
2856	DEMF5E3.exe
1988	DEM4BA0.exe
1652	DEMA15E.exe
2700	DEMF74A.exe

Loads dropped DLL 6 IoCs

pid	Process
1936	267327823a11c335d2ab703be96052a7_JaffaCakes118.exe
872	DEM4318.exe
2536	DEMA0B2.exe
2856	DEMF5E3.exe
1988	DEM4BA0.exe
1652	DEMA15E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 872	1936	267327823a11c335d2ab703be96052a7_JaffaCakes118.exe	29
PID 1936 wrote to memory of 872	1936	267327823a11c335d2ab703be96052a7_JaffaCakes118.exe	29
PID 1936 wrote to memory of 872	1936	267327823a11c335d2ab703be96052a7_JaffaCakes118.exe	29
PID 1936 wrote to memory of 872	1936	267327823a11c335d2ab703be96052a7_JaffaCakes118.exe	29
PID 872 wrote to memory of 2536	872	DEM4318.exe	33
PID 872 wrote to memory of 2536	872	DEM4318.exe	33
PID 872 wrote to memory of 2536	872	DEM4318.exe	33
PID 872 wrote to memory of 2536	872	DEM4318.exe	33
PID 2536 wrote to memory of 2856	2536	DEMA0B2.exe	35
PID 2536 wrote to memory of 2856	2536	DEMA0B2.exe	35
PID 2536 wrote to memory of 2856	2536	DEMA0B2.exe	35
PID 2536 wrote to memory of 2856	2536	DEMA0B2.exe	35
PID 2856 wrote to memory of 1988	2856	DEMF5E3.exe	37
PID 2856 wrote to memory of 1988	2856	DEMF5E3.exe	37
PID 2856 wrote to memory of 1988	2856	DEMF5E3.exe	37
PID 2856 wrote to memory of 1988	2856	DEMF5E3.exe	37
PID 1988 wrote to memory of 1652	1988	DEM4BA0.exe	39
PID 1988 wrote to memory of 1652	1988	DEM4BA0.exe	39
PID 1988 wrote to memory of 1652	1988	DEM4BA0.exe	39
PID 1988 wrote to memory of 1652	1988	DEM4BA0.exe	39
PID 1652 wrote to memory of 2700	1652	DEMA15E.exe	41
PID 1652 wrote to memory of 2700	1652	DEMA15E.exe	41
PID 1652 wrote to memory of 2700	1652	DEMA15E.exe	41
PID 1652 wrote to memory of 2700	1652	DEMA15E.exe	41

C:\Users\Admin\AppData\Local\Temp\267327823a11c335d2ab703be96052a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\267327823a11c335d2ab703be96052a7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\DEM4318.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4318.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\DEMA0B2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA0B2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\DEMF5E3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF5E3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\DEM4BA0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4BA0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\DEMA15E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA15E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\DEMF74A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF74A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4BA0.exe

Filesize
15KB

MD5
b0da65c3248771b0b2b48e42d24c89a5

SHA1
153c900a8c422524da4667d5c6168953871f7e88

SHA256
65c2296779b7a04b41e8f3e2cf86b159eece0d5575a2ac9f1c60ccbb1ec4d2de

SHA512
05fb31da7a9090f3d66fd0ae306bc0f960b97c1952f08d985e53fe3b2d1c441fa7f097a0b8e1cdb67edf85e1d9278943fa6e34eb91ad7e115cc6a833aed6086c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA0B2.exe

Filesize
15KB

MD5
a74f7c687114a6e94641e8f5dcf6e8a6

SHA1
e4071cd4a0701ce2b052466ca1c099dbcdcec60a

SHA256
d9a5a67dd1c8dd31524bf9758628b59a0dbcc79593c699ba3c13bf5f672358d4

SHA512
f07351043f9340ed9b75df7ad86d61c9215160e510eed9224fd84242fafb44e9309161cbda01b175bbdb1a20d31118b5923078a9c58a806aa361252719ba8e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA15E.exe

Filesize
15KB

MD5
495b58a223e60bdaff3e87757c6dda98

SHA1
82bf66872a6b6320a33c932646f2f46ab7e385ab

SHA256
ccd8a9ba4d4e20b9fda3006f0072ef915e0da93702afeaf32f69e75cb869a1eb

SHA512
985d9a8d7e2fab4e1586d40330181396662d5b7df32922a5c3d5207263e1002562b56d89ebd4e25706b23125eca442434649b72cbccc9009665160deb41dc116

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF5E3.exe

Filesize
15KB

MD5
f7b36d75a9f0fff91291ea5c11453e1a

SHA1
86d687c7086fa09ec1225ec5c021935c73d9710b

SHA256
8f42cd62384a49a906ee1303f6e2203833c391f27b2880cca6cda73c5077f2b3

SHA512
7ce0640aa9efebd3807c73385de136c0197f4445b0b42a53e3c219312b42ff94b562950f77fc6f55c094b0c2b7931df14d738b8ac7b94d12fd5621c65435a80a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4318.exe

Filesize
15KB

MD5
1b9c8a8b76ea63057227ea2af07be54b

SHA1
952ee87d9ac2cd5b32c46b966114e06e59800dc2

SHA256
285ba4559f8257e217bb0dd47852e615806ebed3e3a014519097d4fc866ebc93

SHA512
8a014ae97908cd30b0038844bd833ab85170e9cf598a19492a4ba508d892352a9970d989afa7b67da324b7b99a4291164c3bb80aa579d2eb3b89174a8f1fa827

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF74A.exe

Filesize
15KB

MD5
b5a5ef7125f10ffcbdd7b2d92d156afa

SHA1
a925ee9f77cb56951d7fe8b0b4fb208267401096

SHA256
e31baaa19434798235cd44de90273f0efeb34273afbc2c2e563afe966672f7fd

SHA512
11000a8b4f02971fef0214f1bdbbd34b2cba63030a4bd45bfba24346284eec6754ac47a335b0f6cf9c2195e79326cdadbc820bc02b67a16c9525e41924703bc0

Download Submit

Analysis

Sharing