ad5a7ad19c18cbd7e1dafe9ea10aed8abe10e9a5031af98f8f5ca4630954d8a6

General

Target

c11bdd053c6b4786daff103a927c57ac_JaffaCakes118.exe
Size

16KB
MD5

c11bdd053c6b4786daff103a927c57ac
SHA1

de8c26e0862b7be634d5d21b0b40fdc7905ebb85
SHA256

ad5a7ad19c18cbd7e1dafe9ea10aed8abe10e9a5031af98f8f5ca4630954d8a6
SHA512

783bb29aab7c4746046291294f7e6b9dbe2e640d4cd31d68e7b66c175cda518d88d6e2c5f98a82292f3c2d28b3135b7142feadc8ee00eeb2ce983bd81ca7f414
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzM:hDXWipuE+K3/SSHgxmHQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2684	DEM25B9.exe
2876	DEM7BC5.exe
2728	DEMD0E6.exe
1516	DEM2636.exe
2156	DEM7B57.exe
2236	DEMD0A7.exe

Loads dropped DLL 6 IoCs

pid	Process
2792	c11bdd053c6b4786daff103a927c57ac_JaffaCakes118.exe
2684	DEM25B9.exe
2876	DEM7BC5.exe
2728	DEMD0E6.exe
1516	DEM2636.exe
2156	DEM7B57.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2684	2792	c11bdd053c6b4786daff103a927c57ac_JaffaCakes118.exe	29
PID 2792 wrote to memory of 2684	2792	c11bdd053c6b4786daff103a927c57ac_JaffaCakes118.exe	29
PID 2792 wrote to memory of 2684	2792	c11bdd053c6b4786daff103a927c57ac_JaffaCakes118.exe	29
PID 2792 wrote to memory of 2684	2792	c11bdd053c6b4786daff103a927c57ac_JaffaCakes118.exe	29
PID 2684 wrote to memory of 2876	2684	DEM25B9.exe	33
PID 2684 wrote to memory of 2876	2684	DEM25B9.exe	33
PID 2684 wrote to memory of 2876	2684	DEM25B9.exe	33
PID 2684 wrote to memory of 2876	2684	DEM25B9.exe	33
PID 2876 wrote to memory of 2728	2876	DEM7BC5.exe	35
PID 2876 wrote to memory of 2728	2876	DEM7BC5.exe	35
PID 2876 wrote to memory of 2728	2876	DEM7BC5.exe	35
PID 2876 wrote to memory of 2728	2876	DEM7BC5.exe	35
PID 2728 wrote to memory of 1516	2728	DEMD0E6.exe	37
PID 2728 wrote to memory of 1516	2728	DEMD0E6.exe	37
PID 2728 wrote to memory of 1516	2728	DEMD0E6.exe	37
PID 2728 wrote to memory of 1516	2728	DEMD0E6.exe	37
PID 1516 wrote to memory of 2156	1516	DEM2636.exe	39
PID 1516 wrote to memory of 2156	1516	DEM2636.exe	39
PID 1516 wrote to memory of 2156	1516	DEM2636.exe	39
PID 1516 wrote to memory of 2156	1516	DEM2636.exe	39
PID 2156 wrote to memory of 2236	2156	DEM7B57.exe	41
PID 2156 wrote to memory of 2236	2156	DEM7B57.exe	41
PID 2156 wrote to memory of 2236	2156	DEM7B57.exe	41
PID 2156 wrote to memory of 2236	2156	DEM7B57.exe	41

C:\Users\Admin\AppData\Local\Temp\c11bdd053c6b4786daff103a927c57ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c11bdd053c6b4786daff103a927c57ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\DEM25B9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM25B9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\DEM7BC5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7BC5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\DEMD0E6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD0E6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\DEM2636.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2636.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\DEM7B57.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7B57.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\DEMD0A7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD0A7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7B57.exe

Filesize
16KB

MD5
2e439f10c094f37449e044cec262b65f

SHA1
0347cc84dd7a8bad07cd5f6a4a0d169676495ff0

SHA256
d41d7132352be859e313102b1a854387fe01d6ace3e810d5dcea62ef15fb0473

SHA512
945c3d107ede8245148caf9f9674f5e93e7fe799480172e58834abb1d56c300d58ba8d1bb7ba3ab6251c37af6f169373534921db78b56f2a25e6484160e8ae4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7BC5.exe

Filesize
16KB

MD5
544ca8f27c7f019eb8b39a839384cce0

SHA1
7cea453b1d913aaee176132474f1540ac85d343a

SHA256
d6e3096d06a88490913a08957ebc9204165195de6be35c15890863d5a93b8ae8

SHA512
18f4b2b8941c09540015333882dbd585506bb69af5277ed2a6ea3d33d1bf8a082b0288978ec705b02c7ffa15780441ab507164a6d91dbfb3c616b3eadf354f2f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM25B9.exe

Filesize
16KB

MD5
71b214270345a626c388b4d2141eef62

SHA1
3a1a2489f2e90908bc35cedbf3a4f64a1d867996

SHA256
f8617bbda682ea86bd2fac7a60166a9f4e254210d95e98b37454e29fab5e6e2b

SHA512
29b567df9546ffac59b71e05abbb9295cb94ee81b97f89a0e26c125122be118c9bc0342584e616afa8aea593909e7643b8ccf8302f8f1a597678ea754922e49c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2636.exe

Filesize
16KB

MD5
67f831335ef5e6c0f2d7f52326909eca

SHA1
dbdf8203cb2397e3a86acb82eec5d69860b4f9a8

SHA256
e6bcd4eb72268ca010cc10df308c3d7c1f5e3f16e6f29afb28a13737cc8c8909

SHA512
7ff79f61db501677b1b6d2b5ce66c8583eb0b9aaeec28074aba3f416d5f2aeb539feb884c30e87ecf3e0ae5dd652da1479b107f5d72d875518080622b34c14dc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD0A7.exe

Filesize
16KB

MD5
5bbe67c1ef512f7a437a10e303496128

SHA1
3f2755f4129aa5b0067cd573f5d9a257331791ef

SHA256
3b53c7a5a6302809a371c2d9f62c835b8603e69ed48e1788200da440e580d253

SHA512
f77ca22904fecf801b7e4979c4b29e697a23a54ba189373d459b0537e7dd1b197fac570918c855ec1e4b02554d8cb815f184b2f924e0b0e35555b92c73cc1e06

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD0E6.exe

Filesize
16KB

MD5
c6f747eb4b1102e1e77d89337c65bc2d

SHA1
8e208342d4692f936baffb9ee96985c837e46312

SHA256
4cdaf9dc3279cc13a25a612e74e5227407bf944468be83cdfe1329b7c1547e23

SHA512
54a3bb2f3f097c958c891fd56033cc1d634eb649575663cb63ffb708f6fab6f83dc4c6eb8c9d683e99735cf61b04db19747205a67bf8cf2bef7f37c168bc5f52

Download Submit

Analysis

Sharing