213490b0d8c2f7aa6bbee9e06102eb4f5874f60eadbdd199ef0f807492e0b003

General

Target

d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe
Size

16KB
MD5

d3fb8f8a10121324d0bce428e86611b0
SHA1

ae755337babeddb7b55f6e8be212dde73be628d0
SHA256

213490b0d8c2f7aa6bbee9e06102eb4f5874f60eadbdd199ef0f807492e0b003
SHA512

c2e6b8126665e305d9073df8c70bf7030bbdef0b054519b867263f9c9b409d09f0382b4e79bc0268b4ad9e6e3895d9146229e298606cfc31aac09a86b50c4144
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD8t:hDXWipuE+K3/SSHgxty

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2616	DEM5B88.exe
2520	DEMB155.exe
332	DEM696.exe
2756	DEM5BF5.exe
844	DEMB174.exe
328	DEM732.exe

Loads dropped DLL 6 IoCs

pid	Process
2240	d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe
2616	DEM5B88.exe
2520	DEMB155.exe
332	DEM696.exe
2756	DEM5BF5.exe
844	DEMB174.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2616	2240	d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2616	2240	d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2616	2240	d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2616	2240	d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2520	2616	DEM5B88.exe	33
PID 2616 wrote to memory of 2520	2616	DEM5B88.exe	33
PID 2616 wrote to memory of 2520	2616	DEM5B88.exe	33
PID 2616 wrote to memory of 2520	2616	DEM5B88.exe	33
PID 2520 wrote to memory of 332	2520	DEMB155.exe	35
PID 2520 wrote to memory of 332	2520	DEMB155.exe	35
PID 2520 wrote to memory of 332	2520	DEMB155.exe	35
PID 2520 wrote to memory of 332	2520	DEMB155.exe	35
PID 332 wrote to memory of 2756	332	DEM696.exe	37
PID 332 wrote to memory of 2756	332	DEM696.exe	37
PID 332 wrote to memory of 2756	332	DEM696.exe	37
PID 332 wrote to memory of 2756	332	DEM696.exe	37
PID 2756 wrote to memory of 844	2756	DEM5BF5.exe	39
PID 2756 wrote to memory of 844	2756	DEM5BF5.exe	39
PID 2756 wrote to memory of 844	2756	DEM5BF5.exe	39
PID 2756 wrote to memory of 844	2756	DEM5BF5.exe	39
PID 844 wrote to memory of 328	844	DEMB174.exe	41
PID 844 wrote to memory of 328	844	DEMB174.exe	41
PID 844 wrote to memory of 328	844	DEMB174.exe	41
PID 844 wrote to memory of 328	844	DEMB174.exe	41

C:\Users\Admin\AppData\Local\Temp\d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\DEM5B88.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5B88.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\DEMB155.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB155.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\DEM696.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM696.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:332
    - - C:\Users\Admin\AppData\Local\Temp\DEM5BF5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5BF5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Users\Admin\AppData\Local\Temp\DEMB174.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB174.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\DEM732.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM732.exe"
        7⤵
        Executes dropped EXE
        
        PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5B88.exe

Filesize
16KB

MD5
d36df9668d2f55b40133e84e0771baaf

SHA1
2d96bd5ee3269ad265be71e9728215d583bcfcc5

SHA256
abc83e74bffbf2b12faabc5190b1dc526e4b400b462c00f0a7e90c9903a18f46

SHA512
a76355392d7a2bf13b2ff67b4bc95144c77443ce8ff6f0321e9acb4b1756056b4ff6cc753d5a6771ac002d65b1839bcd90f19d658e52e9c9e64419421c4cf741

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM696.exe

Filesize
16KB

MD5
a60f68ce110a29328e1499a19a9689fa

SHA1
c5c4afb44e403a6dc6cdeaa1544b2ebc8b216e82

SHA256
32914f12bb7a5466834d0213fa43a5e10ec8beb575f50b8c02077c098cc36719

SHA512
c36a2a1b4d3f57797661c2a32fcb352ee89524e2dfa79f6a1788a78830e2ce68045484086589506e784f597dafd38eda0a1b23de2080f30731ca0368000f02fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB155.exe

Filesize
16KB

MD5
2c02aca17ee7e0ba865c52428e97b2a3

SHA1
5a5f01a59b2a698b5ed25b98d1b062267504d763

SHA256
b60c7642eea9e81b0c741f9aab36b5b3e859851ca233ba6e728cefc6862185f1

SHA512
110df7434d78183e188e0551e4efd29693c4a88a1f3b7e479733a2381b746813547ec0784c5a7be77c803970ce2edf5e40f72dc0d16d5b017b635c3b384342ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB174.exe

Filesize
16KB

MD5
07dcd017b80b950c30d7779cdfa410ea

SHA1
7c761242dd104b901cd0d44caec26832193227ab

SHA256
d4416896a4282041c1bd8e2a0ca7342b64a6a4a396a791aa1aaf28a4f0e01e76

SHA512
262df364dfd33c03e7ab8f66a571fec33bbbfdc7d12a310434d5538065ff3c1cab0b9403beff85c252f587113e30e0e34bf51a267ead52c65c45813ea81530b7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5BF5.exe

Filesize
16KB

MD5
fc78a3243238b3843a4411eb33f15819

SHA1
c9f49414c24ef99a97ebb6046fb3f9979b7e8a22

SHA256
c8ddeb3838d2665e6d524f577ada39acc957112da0865d9e7dc44d3e81e816ca

SHA512
0a66e5df9c703dac28ddd2ea3129e2ec49e77ae79a8c4725b7b34bb322704f4eb3e9f9928073ffac79dbc15fb99a60b1113971bbad4a60ca541e012bf770b671

Download Submit
\Users\Admin\AppData\Local\Temp\DEM732.exe

Filesize
16KB

MD5
903ad0798794d10aed3f08758149130d

SHA1
4d218603a3694c010add81871437ff17795448df

SHA256
e23550f8bfe4e324c20dd07ed3c83884790a200bd80883c119d94abba53cdf45

SHA512
b1c23ae557035cbcc65219e13266c70b64e6e36b7beebe90244bf2eee4107f8930458cf386f7632044d9c95b23371d6900adc0f5b90ad8def9e855e628a16b5f

Download Submit

Analysis

Sharing