f4b89f2da0efb456a8b8fa1cd4b334417d82ebdde1d277a1f5cbb90a40dd30ce

General

Target

c6e292cfd99ee4224c996ec7bddb9f88_JaffaCakes118.exe
Size

14KB
MD5

c6e292cfd99ee4224c996ec7bddb9f88
SHA1

220ba66d9d78c1210b6c9e66e115ea48d3da3b34
SHA256

f4b89f2da0efb456a8b8fa1cd4b334417d82ebdde1d277a1f5cbb90a40dd30ce
SHA512

76ac2180c10c6b548895d1deb0dfeb64418ff42266546d7eaeb9a7bcba5181138a4c3c0015e538aa42997b15da2a7b43b1c78694974f9477ffe1c2323b822d20
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhDn:hDXWipuE+K3/SSHgxV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2612	DEMB37.exe
2272	DEM6068.exe
2548	DEMB5E7.exe
2292	DEMB18.exe
1244	DEM6097.exe
2344	DEMB5D7.exe

Loads dropped DLL 6 IoCs

pid	Process
2232	c6e292cfd99ee4224c996ec7bddb9f88_JaffaCakes118.exe
2612	DEMB37.exe
2272	DEM6068.exe
2548	DEMB5E7.exe
2292	DEMB18.exe
1244	DEM6097.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2612	2232	c6e292cfd99ee4224c996ec7bddb9f88_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2612	2232	c6e292cfd99ee4224c996ec7bddb9f88_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2612	2232	c6e292cfd99ee4224c996ec7bddb9f88_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2612	2232	c6e292cfd99ee4224c996ec7bddb9f88_JaffaCakes118.exe	29
PID 2612 wrote to memory of 2272	2612	DEMB37.exe	31
PID 2612 wrote to memory of 2272	2612	DEMB37.exe	31
PID 2612 wrote to memory of 2272	2612	DEMB37.exe	31
PID 2612 wrote to memory of 2272	2612	DEMB37.exe	31
PID 2272 wrote to memory of 2548	2272	DEM6068.exe	35
PID 2272 wrote to memory of 2548	2272	DEM6068.exe	35
PID 2272 wrote to memory of 2548	2272	DEM6068.exe	35
PID 2272 wrote to memory of 2548	2272	DEM6068.exe	35
PID 2548 wrote to memory of 2292	2548	DEMB5E7.exe	37
PID 2548 wrote to memory of 2292	2548	DEMB5E7.exe	37
PID 2548 wrote to memory of 2292	2548	DEMB5E7.exe	37
PID 2548 wrote to memory of 2292	2548	DEMB5E7.exe	37
PID 2292 wrote to memory of 1244	2292	DEMB18.exe	39
PID 2292 wrote to memory of 1244	2292	DEMB18.exe	39
PID 2292 wrote to memory of 1244	2292	DEMB18.exe	39
PID 2292 wrote to memory of 1244	2292	DEMB18.exe	39
PID 1244 wrote to memory of 2344	1244	DEM6097.exe	41
PID 1244 wrote to memory of 2344	1244	DEM6097.exe	41
PID 1244 wrote to memory of 2344	1244	DEM6097.exe	41
PID 1244 wrote to memory of 2344	1244	DEM6097.exe	41

C:\Users\Admin\AppData\Local\Temp\c6e292cfd99ee4224c996ec7bddb9f88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c6e292cfd99ee4224c996ec7bddb9f88_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\DEMB37.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB37.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\DEM6068.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6068.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\DEMB5E7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB5E7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\DEMB18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB18.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Users\Admin\AppData\Local\Temp\DEM6097.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6097.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\DEMB5D7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB5D7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6068.exe

Filesize
14KB

MD5
f241a6ceccaf3619ea574c12d9d4aebe

SHA1
dec6a8bb186968101ca466ec97758bee4a33caef

SHA256
6b4e7dd89ae77fa1768d12c76f214eeba1e9106232d60ebad07ea40a6c00bb56

SHA512
369dd6ec6ed9ae68db6c7784a7a8b09d01cf2b4feac0f0ba9a5601018ae8b897f7d9e56be744ab8bdef0e304e4a4ff17a794bdfca916d049dfcacfadd041ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB18.exe

Filesize
14KB

MD5
09eb6f6ede6e3998a18e4db37ced0cbe

SHA1
56dfa44833f2c4cdacdac26cc0bcca97c76760ba

SHA256
5e9c369293788d9bbb351e646a6c7503df8720007e96e0c84d74886196541212

SHA512
2aea5cd89b14fc029baceea48e1babd019f86c42efa202005f13cbc1f8f0b1dfd1b27d7cd16489d1405873f1b2f58eb835b323e71a312c05008a24ae0d5be26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB37.exe

Filesize
14KB

MD5
79c912aaee3190aaf9a02baa7dd5bb2a

SHA1
a88ff62248cd4232de36f9ea749dfd325f146388

SHA256
89e7f4de8be98d62eb1ba1633ea1a5b6e51ea6d3361002cf1c0d922dfdb2f9fc

SHA512
b11aae26edfce6ecc2eeb5b3586111d12ba1b26387f97961f4f72d53284c98f802a42a452c26c1da4cd0fdce95d5d97d3a6a0b5e5593856f05ef8730affd08dc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6097.exe

Filesize
14KB

MD5
904f5d98e9b0b6b69c148f74555e01da

SHA1
9efd7d58442e286f0ea110a90dc1d91bd70d92a2

SHA256
ec5d1078eaf59809233264b76897becceafbc4b0ea83aaf2bad6dc1687b6fccb

SHA512
a8df548b252c23aa6d4d34b46a717792c5688f5b21449a00d71d82131ee954f34b0899dfe57a53308a750d2191296f3150fcfcad922d3e39d129bdb13abafe3d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB5D7.exe

Filesize
14KB

MD5
963b34703e5a71e48d46e213937df7c6

SHA1
a10104251e561b2e1fcc91d72aad4bd96805fcde

SHA256
dea20fe6093a3c1328b144370edfb6ec106ccd6aaac07dacb81d83a2da515fb8

SHA512
321156989928ba27da89bec4047ee92eece6fc13d7ec09470c81b3aa0603f67d4598e93ed6e96c461ae05ce3fad200de49d7db35381f4165579a47f0ed83da87

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB5E7.exe

Filesize
14KB

MD5
69bf9fc862bb1f0cd53b06071d83b937

SHA1
3c6d17ee04ef515e2f9a78114281e704bc2ebe94

SHA256
4d3f1273c28ae7ae025cade6835155513333a341cf1113372a028b8ee8542b56

SHA512
9e80c3927d75b3de244baf453754b60efbbeb415b08ba31d9d4e574fcfd8b7c6ecc227bf6f2a7f36ac86bf0d6931832a789d0c2fa932b6bb9d9ebd82184b42b1

Download Submit

Analysis

Sharing