9d358b5c6fac7643fda635cf31d2a627a1225c122a6e10c5df6252135168b436

General

Target

c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe
Size

15KB
MD5

c04d5d196885ede724a09302c3c24199
SHA1

6f1e43fecc44e77c23f0e94bf14c0af7512c373e
SHA256

9d358b5c6fac7643fda635cf31d2a627a1225c122a6e10c5df6252135168b436
SHA512

f1758b93a3b8b6d38d128fcde88807c86be69808ac6e4a439fa56dc43fe2239f8012ddb231e04165292bab8b6abea9d5e64b1e7501c4f65208acd7b6871e9d38
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwO:hDXWipuE+K3/SSHgx/wO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2628	DEM13FE.exe
2528	DEM695D.exe
3036	DEMBE9E.exe
1620	DEM13DE.exe
2100	DEM692F.exe
2060	DEMBE7F.exe

Loads dropped DLL 6 IoCs

pid	Process
2868	c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe
2628	DEM13FE.exe
2528	DEM695D.exe
3036	DEMBE9E.exe
1620	DEM13DE.exe
2100	DEM692F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2628	2868	c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2628	2868	c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2628	2868	c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2628	2868	c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe	29
PID 2628 wrote to memory of 2528	2628	DEM13FE.exe	31
PID 2628 wrote to memory of 2528	2628	DEM13FE.exe	31
PID 2628 wrote to memory of 2528	2628	DEM13FE.exe	31
PID 2628 wrote to memory of 2528	2628	DEM13FE.exe	31
PID 2528 wrote to memory of 3036	2528	DEM695D.exe	35
PID 2528 wrote to memory of 3036	2528	DEM695D.exe	35
PID 2528 wrote to memory of 3036	2528	DEM695D.exe	35
PID 2528 wrote to memory of 3036	2528	DEM695D.exe	35
PID 3036 wrote to memory of 1620	3036	DEMBE9E.exe	37
PID 3036 wrote to memory of 1620	3036	DEMBE9E.exe	37
PID 3036 wrote to memory of 1620	3036	DEMBE9E.exe	37
PID 3036 wrote to memory of 1620	3036	DEMBE9E.exe	37
PID 1620 wrote to memory of 2100	1620	DEM13DE.exe	39
PID 1620 wrote to memory of 2100	1620	DEM13DE.exe	39
PID 1620 wrote to memory of 2100	1620	DEM13DE.exe	39
PID 1620 wrote to memory of 2100	1620	DEM13DE.exe	39
PID 2100 wrote to memory of 2060	2100	DEM692F.exe	41
PID 2100 wrote to memory of 2060	2100	DEM692F.exe	41
PID 2100 wrote to memory of 2060	2100	DEM692F.exe	41
PID 2100 wrote to memory of 2060	2100	DEM692F.exe	41

C:\Users\Admin\AppData\Local\Temp\c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\DEM13FE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM13FE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\DEM695D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM695D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\DEM13DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM13DE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\DEM692F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM692F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\DEMBE7F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBE7F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM13DE.exe

Filesize
15KB

MD5
f5ac97f795769a58dc16acff535a43ef

SHA1
f611045fad080da2c500c2179c3a186821ff708e

SHA256
68e4da9e7232b2ad9011f6e3415d14742a94b88742283affd67ada86627641b2

SHA512
d7c34e7704e782a25938b9199fcd49b23830a8bb1b1a1858121447a22e3677d3446d8eece1e8419b7f4da664649631cca6feb0ee5a3d6668957ec88fb837f4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM695D.exe

Filesize
15KB

MD5
159de1c81269a50cf6f6f29caaab763c

SHA1
2431bb92fe2653e67b9806a96d0858371fde3b0e

SHA256
9af8a4ba34ec951ec4ee717aef00d1762e642584c7dea10581519a3df1a435f5

SHA512
df92f1d57719507d83aaf573a687bba8fed62ed39488547a0087bf3ee3c1a48f14a7b6e847487ef2322a230c3c4c954002d6239b28c4eb0f738349f29164878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe

Filesize
15KB

MD5
8e1301379b96ad061b617111d3c0b5d2

SHA1
6e20b6e0abd44d0cbfe17572f7da8b9c19a98d2c

SHA256
d14f00167c1cd5525dfeea554f6778e0188288d1f4a858719b5c4ec777095c9c

SHA512
ade76baa468457c75dc7749122b89912838dc7d7c529551fb4331a7b16d4415cd6e296fab5c1d5a5f9ea3284c16780f43bcc280abcce182ffb017789fe04bfe7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM13FE.exe

Filesize
15KB

MD5
a5f4f1e435aa48d2f01ccbe420481702

SHA1
44ed5073af737c84580256d7e8636afdd9f70da2

SHA256
e126ed5946568c3501b05605268110e213b484d8887c88e1d8d0b57d10a8abe9

SHA512
d8cd3127721a71e6d3b630c74c8bfa164170eebb72b3a4e190630875e07e763e214d000a9653eef7c3d539d12be708100aa0346293197363ee0a4167bda64c1a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM692F.exe

Filesize
15KB

MD5
463cbb2b7185153e9e49da9311194c03

SHA1
9cf4ae5164c287776bb6192dbd2935a9c00d7292

SHA256
92353edf82324818b0598f01f38d7a7cba00d09f9c3cda2d5311a086b4eb2d74

SHA512
13d5bdafec6c16afbc9c63896f0f7ae24b69e7db9d61daf68360f9f9328c0b7ae703bad098745e7e0220d62fbc1be8da52ee8da3ba1154e2da187caefa9b21d2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBE7F.exe

Filesize
15KB

MD5
4d0794fedf073deff01f32fca87d8e53

SHA1
f9034780d2ee33a37dc6917d7de57fb426054150

SHA256
9aebc19ad2e17869fb9afc62e06e6eec1dca4e8fe2707719f84870e65cc53fc4

SHA512
63a2bdbe471d36330560f973044dd40d51e3e8e8419259a3e57f61754230a7d7936322f92c1000b65840691d3b0db48d76e75a4b6cf2370f0f4b1cae7cb437d8

Download Submit

Analysis

Sharing