45b0a67ca1187808310dc06a50c344bb9d292bcc313b78d357384fe764cd2451

General

Target

29bc7ef7be718035ebfb32c18389e45b_JaffaCakes118.exe
Size

16KB
MD5

29bc7ef7be718035ebfb32c18389e45b
SHA1

1cd47a044006a68d9b0b1fc9c91a23e75f9bb173
SHA256

45b0a67ca1187808310dc06a50c344bb9d292bcc313b78d357384fe764cd2451
SHA512

194b25f70b68ba3972f1ed7f4cf227e33d2ea35a796b6a49035e67f9b837e1719aa60bad21659624561da79f446d26d75f12bec61b482a02150d67c4654b61e5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYr:hDXWipuE+K3/SSHgxmr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2596	DEM12C6.exe
1708	DEM68E1.exe
1360	DEMBE11.exe
1752	DEM1342.exe
2032	DEM695D.exe
2188	DEMBE9E.exe

Loads dropped DLL 6 IoCs

pid	Process
1900	29bc7ef7be718035ebfb32c18389e45b_JaffaCakes118.exe
2596	DEM12C6.exe
1708	DEM68E1.exe
1360	DEMBE11.exe
1752	DEM1342.exe
2032	DEM695D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2596	1900	29bc7ef7be718035ebfb32c18389e45b_JaffaCakes118.exe	29
PID 1900 wrote to memory of 2596	1900	29bc7ef7be718035ebfb32c18389e45b_JaffaCakes118.exe	29
PID 1900 wrote to memory of 2596	1900	29bc7ef7be718035ebfb32c18389e45b_JaffaCakes118.exe	29
PID 1900 wrote to memory of 2596	1900	29bc7ef7be718035ebfb32c18389e45b_JaffaCakes118.exe	29
PID 2596 wrote to memory of 1708	2596	DEM12C6.exe	31
PID 2596 wrote to memory of 1708	2596	DEM12C6.exe	31
PID 2596 wrote to memory of 1708	2596	DEM12C6.exe	31
PID 2596 wrote to memory of 1708	2596	DEM12C6.exe	31
PID 1708 wrote to memory of 1360	1708	DEM68E1.exe	35
PID 1708 wrote to memory of 1360	1708	DEM68E1.exe	35
PID 1708 wrote to memory of 1360	1708	DEM68E1.exe	35
PID 1708 wrote to memory of 1360	1708	DEM68E1.exe	35
PID 1360 wrote to memory of 1752	1360	DEMBE11.exe	37
PID 1360 wrote to memory of 1752	1360	DEMBE11.exe	37
PID 1360 wrote to memory of 1752	1360	DEMBE11.exe	37
PID 1360 wrote to memory of 1752	1360	DEMBE11.exe	37
PID 1752 wrote to memory of 2032	1752	DEM1342.exe	39
PID 1752 wrote to memory of 2032	1752	DEM1342.exe	39
PID 1752 wrote to memory of 2032	1752	DEM1342.exe	39
PID 1752 wrote to memory of 2032	1752	DEM1342.exe	39
PID 2032 wrote to memory of 2188	2032	DEM695D.exe	41
PID 2032 wrote to memory of 2188	2032	DEM695D.exe	41
PID 2032 wrote to memory of 2188	2032	DEM695D.exe	41
PID 2032 wrote to memory of 2188	2032	DEM695D.exe	41

C:\Users\Admin\AppData\Local\Temp\29bc7ef7be718035ebfb32c18389e45b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29bc7ef7be718035ebfb32c18389e45b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\DEM68E1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM68E1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\DEMBE11.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBE11.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\DEM1342.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1342.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Users\Admin\AppData\Local\Temp\DEM695D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM695D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe"
        7⤵
        Executes dropped EXE
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1342.exe

Filesize
16KB

MD5
024111b435fabf5e669fc2ce1ee4877c

SHA1
cae746c116b7bfa2f510948890061c185f2b5910

SHA256
00572320ed43dd2d3e7476aa39c2d7d9cea1ee13ea5ba66567a215851c0dbc8f

SHA512
fdd757c8c35e18fd5b2ea1f8fbab079d3833930627cb4f98c719472a5e0621c77c478036b9705f0d97759ee0af0c889b74b70935958bbc090b0e0593e8b17b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM68E1.exe

Filesize
16KB

MD5
206abacc7328b30320cba4deadd45b5e

SHA1
4f088918828024c2989b6867bfe4605f280d14ec

SHA256
166ade04b162a0ddeba10dbcec7bdd27778b8112223db38a0738d644ebceb81d

SHA512
0fbce70bbbb5f98b5df425faeec9f69bf1c5ee8bcad3b9ce380a7c1e69cda1f55f63212905b8b36d28bc343b4c3ad9fd6990b977bac12d3ab3239c819e3dc804

Download Submit
\Users\Admin\AppData\Local\Temp\DEM12C6.exe

Filesize
16KB

MD5
e0e31c4f2604b8999e5a24b4afb7ece0

SHA1
c5344163315011f1ac673e6c7f9f24dfcea521c8

SHA256
daf7a2b02b1e11e4f5376fda2f687982999e2812e9cf64dab73804f2ba867ffc

SHA512
89dbf5551fe96ba7a002a4ed959daec47e2177769b55cdced2d91c57996d1c9d21bc9ff48d1218313fc4cc0f5f9e8e88965e3d9b63376f9d9b931179fe9b1bdc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM695D.exe

Filesize
16KB

MD5
5b9b974d61cd28c7e8306b3a434176b5

SHA1
599dfac4a93de62b3ad615be6f8e59f496179d2e

SHA256
84fa6a746f796f8670d8d78ef641af48787fdeb6e5cb39e78a1fa73c33465e7a

SHA512
7afa7138f17ffda1cfae5c23e082e76f19f60e0377488e1e678c2af9e24125dbb8b974304538190327dfc1cecbdbd1d17d1c748952d983fbe7c9aad4695f5e4f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBE11.exe

Filesize
16KB

MD5
83f9ce0ab42a7ca7ff54f5bc56798876

SHA1
1693f6c8043ef49ed4862e464cf9345d952e8285

SHA256
3a5dc74f06b542aada1c5d8e65599c98568bcda01fcf32fbe98797b5e23e2936

SHA512
f723bd89395dd2d6b899195e12243806643042f9a5896d3a22f11651b4c2a5bce9ab91482bd81dd21bf39dca7c89d2b33af14bae22b175ce3a6bc9221f451104

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBE9E.exe

Filesize
16KB

MD5
3a074bac3e377adf9adf0f90d72743b2

SHA1
47339968eaf9c570001ad939fc08a5b449d8c0da

SHA256
9833a4e68a9ee0930fa405b0ce959bc528ab1d289eb80c75995e982687c933b9

SHA512
2ef7d133be33d1a9a37afb819aeb1239e70c90d1b8f315cd46877bbc468d4c063bedb18685dfd50acc38e5ea59ecd563934cc5c742845203ecc0fa7a969531d9

Download Submit

Analysis

Sharing