6e6dd8ade8b5323e1f38849d6453c5484d378669b0bd3ae055ade4df233eb3b3

General

Target

ceeb87b6282781f90fe44b3ab759acb6_JaffaCakes118.exe
Size

15KB
MD5

ceeb87b6282781f90fe44b3ab759acb6
SHA1

cb5356347e157c0228594148e6a084e258961859
SHA256

6e6dd8ade8b5323e1f38849d6453c5484d378669b0bd3ae055ade4df233eb3b3
SHA512

379e1cd824e38c812703eeb15ed0e3e849612b54c098dcfecf63fb384bdc0e8fb3e629b457de939c757c496b0799e4387eac64fc266dec7427b150e932ecf110
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlPn:hDXWipuE+K3/SSHgxml/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2568	DEM57F0.exe
3016	DEMAEE5.exe
2296	DEM58C.exe
1500	DEM5C24.exe
2744	DEMB2CB.exe
1984	DEM9F0.exe

Loads dropped DLL 6 IoCs

pid	Process
2772	ceeb87b6282781f90fe44b3ab759acb6_JaffaCakes118.exe
2568	DEM57F0.exe
3016	DEMAEE5.exe
2296	DEM58C.exe
1500	DEM5C24.exe
2744	DEMB2CB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2568	2772	ceeb87b6282781f90fe44b3ab759acb6_JaffaCakes118.exe	29
PID 2772 wrote to memory of 2568	2772	ceeb87b6282781f90fe44b3ab759acb6_JaffaCakes118.exe	29
PID 2772 wrote to memory of 2568	2772	ceeb87b6282781f90fe44b3ab759acb6_JaffaCakes118.exe	29
PID 2772 wrote to memory of 2568	2772	ceeb87b6282781f90fe44b3ab759acb6_JaffaCakes118.exe	29
PID 2568 wrote to memory of 3016	2568	DEM57F0.exe	33
PID 2568 wrote to memory of 3016	2568	DEM57F0.exe	33
PID 2568 wrote to memory of 3016	2568	DEM57F0.exe	33
PID 2568 wrote to memory of 3016	2568	DEM57F0.exe	33
PID 3016 wrote to memory of 2296	3016	DEMAEE5.exe	35
PID 3016 wrote to memory of 2296	3016	DEMAEE5.exe	35
PID 3016 wrote to memory of 2296	3016	DEMAEE5.exe	35
PID 3016 wrote to memory of 2296	3016	DEMAEE5.exe	35
PID 2296 wrote to memory of 1500	2296	DEM58C.exe	37
PID 2296 wrote to memory of 1500	2296	DEM58C.exe	37
PID 2296 wrote to memory of 1500	2296	DEM58C.exe	37
PID 2296 wrote to memory of 1500	2296	DEM58C.exe	37
PID 1500 wrote to memory of 2744	1500	DEM5C24.exe	39
PID 1500 wrote to memory of 2744	1500	DEM5C24.exe	39
PID 1500 wrote to memory of 2744	1500	DEM5C24.exe	39
PID 1500 wrote to memory of 2744	1500	DEM5C24.exe	39
PID 2744 wrote to memory of 1984	2744	DEMB2CB.exe	41
PID 2744 wrote to memory of 1984	2744	DEMB2CB.exe	41
PID 2744 wrote to memory of 1984	2744	DEMB2CB.exe	41
PID 2744 wrote to memory of 1984	2744	DEMB2CB.exe	41

C:\Users\Admin\AppData\Local\Temp\ceeb87b6282781f90fe44b3ab759acb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ceeb87b6282781f90fe44b3ab759acb6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\DEM57F0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM57F0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\DEMAEE5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAEE5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\DEM58C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM58C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\DEMB2CB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB2CB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\DEM9F0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9F0.exe"
        7⤵
        Executes dropped EXE
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMAEE5.exe

Filesize
15KB

MD5
c2c1f52c864c9c5ed9210c1d94584d86

SHA1
2b4047123476c922df3eff1dcddf4fd6f0c9bf32

SHA256
f3a25d0b6bd1484ca121d87fee4056c65ceb366f60afa879d3273518a78962be

SHA512
1473c649825ae0c0c6e5defb95c8f2cbb3b2ac45945a17886186ca6af506efb3d9e97329124f75df501411df4169f829226c10221b92ef8e97d8a5f87db0fcea

Download Submit
\Users\Admin\AppData\Local\Temp\DEM57F0.exe

Filesize
15KB

MD5
9e2866af4ef7f6bfb0f75f1443a62fdf

SHA1
92fde20e82525a9f311a52a38a5a49f22e6cdd2b

SHA256
cc1f7d4e1da4c65134e5be32287baf2a7dfdc17d9f042b35edf2b9c548dda78a

SHA512
566d59c4604aadbb9df1bcbb4c1c1aaa3ca57ed73656f6111a58fbf07e5f43094f6502b047c0d45e4a6566bc59b7bc9c45a436d6857ef997ca41fac2d80638bb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM58C.exe

Filesize
15KB

MD5
0e1da9b1f908fb9ed7b708889191ee4a

SHA1
0cfa8af2d77b8a8753c7af008c7b47be3299988b

SHA256
6c44a5b92f83163b6255625565379392130cd36e972b50f62e3e20f14212b941

SHA512
7b6cc048e57ab20076f73e6fa2e49b09bd4e0fa5408923c8d7fb07967906f19c83fac00aedfaf8813ceffa76516549c768948972ba96188fe27c82b70b73796a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5C24.exe

Filesize
15KB

MD5
24ab5c109b6c82636bd66b265cefd50a

SHA1
f132bd550e7cc17fe502abe53b31a2c81649dae2

SHA256
5cb94bfed81c07a86e900750801f64bc6b0bfb6dc6f394f696cdbb79395d7f10

SHA512
4b694023ffb3715bb57483b998b7d73827729f0389b82203fbcb2db4a4ea3290fb369a6cc5f0dcd8bfcadf02f5c2d1faa93e83126d0c527ecbd3a58bfd3102ef

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9F0.exe

Filesize
15KB

MD5
898d1991a4e1a9510d8e4eb78c708368

SHA1
1ad327586892218d59d40fffa7784286590de655

SHA256
1a0ad8761d280c1fd7131047e097ce0ec552e10f467a1fb0e21749f58099723a

SHA512
ab24ca22afb8ade2a1ce2467854964461ec57d4381b58e42615e0f4e92cfec8e6ce41cbd8ba6b73315a1acada9a76cb75cc5496c951ad41b7ba585ff6943b953

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB2CB.exe

Filesize
15KB

MD5
aaca1a9878cc6e0ab5f63cb53f1edb02

SHA1
9f1d33f2312d7c9fd16deb14f7345a46edd8c495

SHA256
a27fccacb5d6224de5bb19bb3bc027f6ae52aea0ff6ea08e2fbc4a5790b5b4f5

SHA512
c534a8645cd5aedc92bc1867057baef1d4d11ba30e1a68d5234f02175e44ce26e852be66ad93ddbadfccc41bad5d3d44f670f77c3e0b1829bdfe53353ac92495

Download Submit

Analysis

Sharing