e6d1c806e8b1f6b172509e129767cb4d3fda949efe6a967de9e9e2a2db1fdf10

General

Target

bd163ea78fc656f2730a9267ee0c6bd2_JaffaCakes118.exe
Size

20KB
MD5

bd163ea78fc656f2730a9267ee0c6bd2
SHA1

be7513e3f811a29da56d51b206459069a3527b81
SHA256

e6d1c806e8b1f6b172509e129767cb4d3fda949efe6a967de9e9e2a2db1fdf10
SHA512

527882d120450074fedb400233304ebf363019ea0891fba1af411fb7ae3e669ea2a51f7e23ed7de131fac1f92a1d529545489cb9392de15afd0f5ebf169e1858
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4Uo:hDXWipuE+K3/SSHgxmHZUo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2580	DEM31DA.exe
2472	DEM8797.exe
2712	DEMDCB8.exe
1856	DEM3312.exe
492	DEM895B.exe
2280	DEMDE9C.exe

Loads dropped DLL 6 IoCs

pid	Process
2320	bd163ea78fc656f2730a9267ee0c6bd2_JaffaCakes118.exe
2580	DEM31DA.exe
2472	DEM8797.exe
2712	DEMDCB8.exe
1856	DEM3312.exe
492	DEM895B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2580	2320	bd163ea78fc656f2730a9267ee0c6bd2_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2580	2320	bd163ea78fc656f2730a9267ee0c6bd2_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2580	2320	bd163ea78fc656f2730a9267ee0c6bd2_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2580	2320	bd163ea78fc656f2730a9267ee0c6bd2_JaffaCakes118.exe	29
PID 2580 wrote to memory of 2472	2580	DEM31DA.exe	33
PID 2580 wrote to memory of 2472	2580	DEM31DA.exe	33
PID 2580 wrote to memory of 2472	2580	DEM31DA.exe	33
PID 2580 wrote to memory of 2472	2580	DEM31DA.exe	33
PID 2472 wrote to memory of 2712	2472	DEM8797.exe	35
PID 2472 wrote to memory of 2712	2472	DEM8797.exe	35
PID 2472 wrote to memory of 2712	2472	DEM8797.exe	35
PID 2472 wrote to memory of 2712	2472	DEM8797.exe	35
PID 2712 wrote to memory of 1856	2712	DEMDCB8.exe	37
PID 2712 wrote to memory of 1856	2712	DEMDCB8.exe	37
PID 2712 wrote to memory of 1856	2712	DEMDCB8.exe	37
PID 2712 wrote to memory of 1856	2712	DEMDCB8.exe	37
PID 1856 wrote to memory of 492	1856	DEM3312.exe	39
PID 1856 wrote to memory of 492	1856	DEM3312.exe	39
PID 1856 wrote to memory of 492	1856	DEM3312.exe	39
PID 1856 wrote to memory of 492	1856	DEM3312.exe	39
PID 492 wrote to memory of 2280	492	DEM895B.exe	41
PID 492 wrote to memory of 2280	492	DEM895B.exe	41
PID 492 wrote to memory of 2280	492	DEM895B.exe	41
PID 492 wrote to memory of 2280	492	DEM895B.exe	41

C:\Users\Admin\AppData\Local\Temp\bd163ea78fc656f2730a9267ee0c6bd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd163ea78fc656f2730a9267ee0c6bd2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\DEM31DA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM31DA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\DEM8797.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8797.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\DEMDCB8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDCB8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\DEM3312.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3312.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Users\Admin\AppData\Local\Temp\DEM895B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM895B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\DEMDE9C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDE9C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM31DA.exe

Filesize
20KB

MD5
120a148168825068547f7a000768578f

SHA1
7253f9424d3b3ad96494d0196fa4b66e247e89e9

SHA256
dd0473f9d80978fe0a0e866002c9965d0f4ff63665331c43d8956dbaece05099

SHA512
a26998f1c5b5d0075e97707fd38e7e5b006d06ea13c5a2652fe3909594263725519720b63893731d997c4c304cf758cbc37552c68c7a4e3d9efa729eea9a5765

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8797.exe

Filesize
20KB

MD5
8b7a72b694f9d9a638b42e4e758dc415

SHA1
35c6ff4fd5cd121aefd2075961c34fa49c859763

SHA256
8c9b96e0d01d91ea3950ce60570acf2fd6666e549062e4fe8792c6161f3c09ab

SHA512
4a8e46fb1ed3928d4303488d2ea75316929d22aff8ff26eb0d1ea0981e7a9b104cad8d476948e50ff7bae57be8f07f3b833b73d613c61fb0c9142dfe76a98251

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM895B.exe

Filesize
20KB

MD5
875f63a864f0526517a598aa2f754196

SHA1
3da304db6d8714b018947a1b2b1e3751dbe26aec

SHA256
a791ac9aa4853f4f747d7efc1d014ebfd407010434a08413f0e7929b3e295ff6

SHA512
d244784ef06121084e7f96d97e30a9c9fe35f60e4baafd89c30f5320b8e816f9f0793bef20ba7a16ddedb1addef95443b6217708cb40a9f97a6e658e0da7506f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3312.exe

Filesize
20KB

MD5
b7364ed4f222d0e751ab65efcbfb9ef1

SHA1
ffb50d6ff8e41c8ac95a5e6cff9e6e2f113b72f8

SHA256
f3804bf3570839c37e4f4839b7ac237bfbc04851be2857f71961dbbf006a8d86

SHA512
dc9c2fce917864685441ad3965a2d1045225b36c33b301f0f130903cb065f45f7f653402bc25d593be1b4fff6d68210f0bcf2a1418490e20304748b1227119cb

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDCB8.exe

Filesize
20KB

MD5
df98f3162c1b41202f5c45156fc2e14a

SHA1
fadccf45db11ac7bc2fbaa72b3ca8e018ada59fe

SHA256
ad9474f612512f433db52ce09c9cd288433a704b6de8706a6073e57d1c89d9ce

SHA512
3d545c06220dc36c5a1233a472935924d45cde4891c793e17af2390ccfb4144c7ea103fd085ec24691325abf0224aec3542e1291cda319ca6d2028f3f56ac879

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDE9C.exe

Filesize
20KB

MD5
1fe560779633f3cebf92fba442d0e982

SHA1
a107db1f9f2e52ab3a87567a53c40912518c9419

SHA256
bf87aa1861a736bb176f90a3344c462a0a6686c21757ab85909754404617013b

SHA512
b2e11b069bd1bd821dd6382566ceb13c422335464ed20f4d7d278f5d8096ec89aa951af9ad60c6ef01403ddd5f2513578268ce2b02a1ccf90d97dd33008da6f4

Download Submit

Analysis

Sharing