1c0fb95388f6abdda01a52b238868e4be0716a3fc30e3f32aeb4c0695d3f085f

General

Target

2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
Size

16KB
MD5

2a199d6f1d78544b189a3039a2e5327f
SHA1

aabe548e2279b1d62a0c05f1e9e248dcb8b77300
SHA256

1c0fb95388f6abdda01a52b238868e4be0716a3fc30e3f32aeb4c0695d3f085f
SHA512

b29a416d097fabf1d406107f48dd1f9767450da94a58629c96bf9f2b3b4f474e88eaf71565985b4c8a3a65ff6c897f6f9c527df254f3f9caf14b0e5ad30fe3cd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlY2d:hDXWipuE+K3/SSHgxmlYu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2620	DEM10E2.exe
2336	DEM6680.exe
2792	DEMBC8B.exe
2320	DEM11DC.exe
1364	DEM671C.exe
1968	DEMBC4D.exe

Loads dropped DLL 6 IoCs

pid	Process
2092	2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
2620	DEM10E2.exe
2336	DEM6680.exe
2792	DEMBC8B.exe
2320	DEM11DC.exe
1364	DEM671C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2620	2092	2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe	29
PID 2092 wrote to memory of 2620	2092	2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe	29
PID 2092 wrote to memory of 2620	2092	2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe	29
PID 2092 wrote to memory of 2620	2092	2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe	29
PID 2620 wrote to memory of 2336	2620	DEM10E2.exe	31
PID 2620 wrote to memory of 2336	2620	DEM10E2.exe	31
PID 2620 wrote to memory of 2336	2620	DEM10E2.exe	31
PID 2620 wrote to memory of 2336	2620	DEM10E2.exe	31
PID 2336 wrote to memory of 2792	2336	DEM6680.exe	35
PID 2336 wrote to memory of 2792	2336	DEM6680.exe	35
PID 2336 wrote to memory of 2792	2336	DEM6680.exe	35
PID 2336 wrote to memory of 2792	2336	DEM6680.exe	35
PID 2792 wrote to memory of 2320	2792	DEMBC8B.exe	37
PID 2792 wrote to memory of 2320	2792	DEMBC8B.exe	37
PID 2792 wrote to memory of 2320	2792	DEMBC8B.exe	37
PID 2792 wrote to memory of 2320	2792	DEMBC8B.exe	37
PID 2320 wrote to memory of 1364	2320	DEM11DC.exe	39
PID 2320 wrote to memory of 1364	2320	DEM11DC.exe	39
PID 2320 wrote to memory of 1364	2320	DEM11DC.exe	39
PID 2320 wrote to memory of 1364	2320	DEM11DC.exe	39
PID 1364 wrote to memory of 1968	1364	DEM671C.exe	41
PID 1364 wrote to memory of 1968	1364	DEM671C.exe	41
PID 1364 wrote to memory of 1968	1364	DEM671C.exe	41
PID 1364 wrote to memory of 1968	1364	DEM671C.exe	41

C:\Users\Admin\AppData\Local\Temp\2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\DEM6680.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6680.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Users\Admin\AppData\Local\Temp\DEM11DC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM11DC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\DEM671C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM671C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\DEMBC4D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC4D.exe"
        7⤵
        Executes dropped EXE
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM11DC.exe

Filesize
16KB

MD5
4f580111965e4033377e90d736a637be

SHA1
8b1afef6b392dac31bc071144141cb0224ba9ee7

SHA256
87b64c5663657c34009616618a790688af7835ac9f20c2125185174f26114924

SHA512
6c13357fcf34a153660cd4123f06463bcb073a4d56e142768377b2e24eeb360d584fda3c036802997235cb345cf786fc19c789ac55d8f012452ebb209d3ee195

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6680.exe

Filesize
16KB

MD5
f622aaf0d0bb1221b5e461bc399f5628

SHA1
ec207c017570a17519e336ee6f38d6824315e7e2

SHA256
9bc833fd9d8ea867e2003e14ea8ec0a5c6ce2e629090c7f35dc6b40b3ce84a43

SHA512
5ffdd0515d42ecbae676a7516e39eac31bb311da29c42c9124e62b52f1a24d68ce87dfa9428ba5d706af7eafacb96018ab41d89a43ca06f9416694a6bcfe9813

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC4D.exe

Filesize
16KB

MD5
5c34dc96755d80a3c025930c9e7ced76

SHA1
77da55bdfee4fd7a36cbdfb6066150f26de8f469

SHA256
ad1db3c9e3d02f68fef5209d9f7de67cc2848a1a10833292bcb24abae620f2b1

SHA512
49c9ff88024e23faaf4f6a24a7cf36c2cae3a57f027d58ec1221efd5583b5c0102404a5ab9ee5b4c4cbaecc1af7891acc001639a5b0d30e09588c4696662b39a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM10E2.exe

Filesize
16KB

MD5
e11bb021eeb805dea2b7d1e3e9042692

SHA1
63a18a1786aae9108fa60446b63a37a67f9c99f2

SHA256
86b53142f656d7ad5368851e754902236f69d9e859647a3a151432d0b9246a9a

SHA512
15ac808a5930b9cada19efede569de21a0559f5b864b20633a82d03c66b357b7a1e4067715271d142bb9f7776c67a5c5c078c159a534596c3b16b3297d76028a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM671C.exe

Filesize
16KB

MD5
fd5a1fa5f0e87e02ec5d286cbf502aa1

SHA1
dcf325d5ac7cc6780059f1e447e4e96b344130b1

SHA256
4aa1d651a22d09d36b047e4a2969f5c7311fef2ef618289280d78e748a2471e0

SHA512
344360b6b77e4deca9421bf961e58287db9d6e44f733f2e487090c96f6c6982cd85bcc84c8e5bfad4905d2aa5aa9b880e08fd37e322d73f9a2dc37467426eaec

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC8B.exe

Filesize
16KB

MD5
69d07ef0a49b819af2f29845ef926eb3

SHA1
c42e288c538238b16422d1101245b804d1c36e55

SHA256
c95e6e4e17f4d9a50ff0f3c75f6e76d1a8a5fd1feb2e957879f47292a843ef82

SHA512
dc768bb226272dbb90126fc3fbe5adc655a5444df64732844b07f304a12b73b383cffbfb16d1480b083ef1362e3801f747893b137775b1d166e7903125db8967

Download Submit

Analysis

Sharing