a16391d75ee3dbb3ceda05017397267e0f421a359088f01e8a7d6854529f8628

General

Target

c6546d96d9951f43ea3a715e27693984_JaffaCakes118.exe
Size

15KB
MD5

c6546d96d9951f43ea3a715e27693984
SHA1

c7a83efc3aae316727a19e034df9cb4828c3453e
SHA256

a16391d75ee3dbb3ceda05017397267e0f421a359088f01e8a7d6854529f8628
SHA512

71b2450830779d9c36e58fcb9eded89484eb00fe4115ee6a3158c6edcb0d1a2ca6ed2f4eb1cf4b5488bc4ff1c929f346b281ab7d7d3eec014c47c401e99cff65
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhkRwjd:hDXWipuE+K3/SSHgxDjd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2556	DEMF5C.exe
2644	DEM6539.exe
2676	DEMBA5A.exe
1976	DEMF4C.exe
1368	DEM64AC.exe
2880	DEMB9BE.exe

Loads dropped DLL 6 IoCs

pid	Process
1248	c6546d96d9951f43ea3a715e27693984_JaffaCakes118.exe
2556	DEMF5C.exe
2644	DEM6539.exe
2676	DEMBA5A.exe
1976	DEMF4C.exe
1368	DEM64AC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2556	1248	c6546d96d9951f43ea3a715e27693984_JaffaCakes118.exe	29
PID 1248 wrote to memory of 2556	1248	c6546d96d9951f43ea3a715e27693984_JaffaCakes118.exe	29
PID 1248 wrote to memory of 2556	1248	c6546d96d9951f43ea3a715e27693984_JaffaCakes118.exe	29
PID 1248 wrote to memory of 2556	1248	c6546d96d9951f43ea3a715e27693984_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2644	2556	DEMF5C.exe	31
PID 2556 wrote to memory of 2644	2556	DEMF5C.exe	31
PID 2556 wrote to memory of 2644	2556	DEMF5C.exe	31
PID 2556 wrote to memory of 2644	2556	DEMF5C.exe	31
PID 2644 wrote to memory of 2676	2644	DEM6539.exe	35
PID 2644 wrote to memory of 2676	2644	DEM6539.exe	35
PID 2644 wrote to memory of 2676	2644	DEM6539.exe	35
PID 2644 wrote to memory of 2676	2644	DEM6539.exe	35
PID 2676 wrote to memory of 1976	2676	DEMBA5A.exe	37
PID 2676 wrote to memory of 1976	2676	DEMBA5A.exe	37
PID 2676 wrote to memory of 1976	2676	DEMBA5A.exe	37
PID 2676 wrote to memory of 1976	2676	DEMBA5A.exe	37
PID 1976 wrote to memory of 1368	1976	DEMF4C.exe	39
PID 1976 wrote to memory of 1368	1976	DEMF4C.exe	39
PID 1976 wrote to memory of 1368	1976	DEMF4C.exe	39
PID 1976 wrote to memory of 1368	1976	DEMF4C.exe	39
PID 1368 wrote to memory of 2880	1368	DEM64AC.exe	41
PID 1368 wrote to memory of 2880	1368	DEM64AC.exe	41
PID 1368 wrote to memory of 2880	1368	DEM64AC.exe	41
PID 1368 wrote to memory of 2880	1368	DEM64AC.exe	41

C:\Users\Admin\AppData\Local\Temp\c6546d96d9951f43ea3a715e27693984_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c6546d96d9951f43ea3a715e27693984_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\DEMF5C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF5C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\DEM6539.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6539.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\DEMBA5A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBA5A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\DEMF4C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF4C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\DEM64AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM64AC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\DEMB9BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB9BE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM64AC.exe

Filesize
15KB

MD5
bb8c732f54d834e1b344b5fd846fe0fc

SHA1
53e8d42d5288f433677bdd2de0d8664224617885

SHA256
1654b22fc603c1fcd941bc8a22285e0ed2e89f3db25b6725b369d73fb1d66a6c

SHA512
6271321c784b8bab8b494a27504e211bd40148a985594b640e6bea050175b015b44059b976d03ef7499e8af7dc6ece7c7400a91f2b3bddfb0aa9ea57b4a42b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6539.exe

Filesize
15KB

MD5
71a1ab9bd7f45fe540e6b048ca0dee40

SHA1
fa4d81e813fb75235c04aa002fd4106f208b82a4

SHA256
ee32ba43af5cc283938833e35d0ac2772315fd32f68408eaf1569544e2dd683c

SHA512
7ec5ef5274815b1e7a683b53dd2c3098ff3d85d4b14e26a68a8ccee28a7ee2bc439f225d8b956fb75145bcd2d9be1e32e6aac62861525c8b2d68a1265deaa43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB9BE.exe

Filesize
15KB

MD5
125df20dd76bb1f31eca0be4cd391c39

SHA1
ef22d6aa8c782bcbe99e413237b3ad918a79520f

SHA256
1d3912907c478b4e27cc01f5e18c3589d6c2b79b167fe85ac367d60036ef0440

SHA512
234813632cbb01616fa49667c5a214f6b47a9301eaf49a4be6debb388d235249edc304bcafd79bbdff4ac309aac7595e4d05ef1eb547fbe55d64a6156f856280

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF5C.exe

Filesize
15KB

MD5
fdce047d85fd11d64fc7fbe60933e51d

SHA1
4c46cbfda9288b42ea5f9adee86fc4baa3b4b302

SHA256
d566ae186721858310713fd1e152f5ab1d690ca432017a9a1e3388dbc97a3b55

SHA512
0d60f166ab4c06f45b278cf870b44e657ddaceffe66d6760133a3c7a03da6efe6af7e04e846d7c38a2867e4c986d0e14495c9a5ef4682fdbb1e66187d69cadac

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBA5A.exe

Filesize
15KB

MD5
80edd50ae5aaad10563b9aab54f970cc

SHA1
f0075d6c24731561baf2f886609eb0288b2391b7

SHA256
2caa6649a90520cced3a7d27144cb7adc2a20467212d8bd8a17848615f24378d

SHA512
fc31224fbc9b6c97e228e7f87d894f599a83b2be1bcc61341218a0bcfea749621f48393cb9f6e2ed3699554fbc68a2662caeccf81f9e06581b4198f2740bddf1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF4C.exe

Filesize
15KB

MD5
8c0af9ac9755eea99749fe2d87ab3952

SHA1
1df6e183ab28c96b2ffa6828fa464578bf2f19c5

SHA256
1f5c9690d1e107402c8313acaa796e85e30ac3d0bbb2acc71e4d83d5a0840398

SHA512
b46364f93e34cdf1e91ed5e1e595230a20888eb27a72d2ae50c38d035977a43faf71ad6bea33e14a88e3fd1e077fedb5cfaa746dbbd1d4d8665c6fc1332b7439

Download Submit

Analysis

Sharing