cf0285d6570c1e64f746f162222cbce0a38ccd305ba9a988e098915d7106e464

General

Target

d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe
Size

15KB
MD5

d838dbde2eff15a2b510dc3a73727f0a
SHA1

004e95943268ce35ea9be694d8fce09b75b2fee6
SHA256

cf0285d6570c1e64f746f162222cbce0a38ccd305ba9a988e098915d7106e464
SHA512

4b27d2bf7c9b3203eb7d80aee005244d083014635f98dcb154feaaf8bb47642a8e2070da1b6fbd7ff8f3b22ffc6c9a8338f946ae0d01dd262ba59d5b0f6fe578
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhz:hDXWipuE+K3/SSHgxzz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2628	DEM1304.exe
2672	DEM6873.exe
1596	DEMBE6F.exe
2148	DEM13A0.exe
644	DEM694E.exe
2076	DEMBF69.exe

Loads dropped DLL 6 IoCs

pid	Process
2080	d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe
2628	DEM1304.exe
2672	DEM6873.exe
1596	DEMBE6F.exe
2148	DEM13A0.exe
644	DEM694E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2628	2080	d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2628	2080	d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2628	2080	d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2628	2080	d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe	29
PID 2628 wrote to memory of 2672	2628	DEM1304.exe	31
PID 2628 wrote to memory of 2672	2628	DEM1304.exe	31
PID 2628 wrote to memory of 2672	2628	DEM1304.exe	31
PID 2628 wrote to memory of 2672	2628	DEM1304.exe	31
PID 2672 wrote to memory of 1596	2672	DEM6873.exe	35
PID 2672 wrote to memory of 1596	2672	DEM6873.exe	35
PID 2672 wrote to memory of 1596	2672	DEM6873.exe	35
PID 2672 wrote to memory of 1596	2672	DEM6873.exe	35
PID 1596 wrote to memory of 2148	1596	DEMBE6F.exe	37
PID 1596 wrote to memory of 2148	1596	DEMBE6F.exe	37
PID 1596 wrote to memory of 2148	1596	DEMBE6F.exe	37
PID 1596 wrote to memory of 2148	1596	DEMBE6F.exe	37
PID 2148 wrote to memory of 644	2148	DEM13A0.exe	39
PID 2148 wrote to memory of 644	2148	DEM13A0.exe	39
PID 2148 wrote to memory of 644	2148	DEM13A0.exe	39
PID 2148 wrote to memory of 644	2148	DEM13A0.exe	39
PID 644 wrote to memory of 2076	644	DEM694E.exe	41
PID 644 wrote to memory of 2076	644	DEM694E.exe	41
PID 644 wrote to memory of 2076	644	DEM694E.exe	41
PID 644 wrote to memory of 2076	644	DEM694E.exe	41

C:\Users\Admin\AppData\Local\Temp\d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\DEM1304.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1304.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\DEM6873.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6873.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\DEMBE6F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBE6F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\DEM13A0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM13A0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\DEM694E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM694E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\DEMBF69.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBF69.exe"
        7⤵
        Executes dropped EXE
        
        PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6873.exe

Filesize
15KB

MD5
90f177f53055c5712e429559da0eba1b

SHA1
2b4561b21fb7dcf994286353f566fdc196e9c071

SHA256
c6430db3782fe78afc7935bb75e39b9773091f91e0900360a11a4b02e88267a9

SHA512
e1d3f5b966882de43a63e9472145a84ee1593ec2793b1e4f8da05db3aa4cec5c47c3a65dd24a7a4fdd663b9896f6a68da43a26c9904d987c44520e11d658fa36

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1304.exe

Filesize
15KB

MD5
061138497b9f769960aad9be0eac89dd

SHA1
8605577455da0274d6db1dbe0cdbe3e7e6812193

SHA256
a2dd3791eeca0444be165ae919defcf2ca43f9350910f230b9a042e53c0a387e

SHA512
e837ae90a7fef17523a3d7a724e761338fa7bf21022ff3843f705ba12d37a70f22d6486aef565d4b5ce83f33269b270d5c82733859aa19a2c2a82c868604c566

Download Submit
\Users\Admin\AppData\Local\Temp\DEM13A0.exe

Filesize
15KB

MD5
c4f016e09d907e49f3ab589544ff0190

SHA1
14db35c0a5f4acd6e5055f7199320e5a82e56fa6

SHA256
e8a73b1cc453c119603507242995e66cfbd9475faefb6872bf3a9573da4dbc03

SHA512
9b3af6c096073cabfe0e9b246b92f1efe4544651816c0268e70a80cfdccdbd65c664970ec73be613be2e72f01c25ee8877ce45412d935aa33502faaf251c8946

Download Submit
\Users\Admin\AppData\Local\Temp\DEM694E.exe

Filesize
15KB

MD5
6bd8b18adf63e86c8e4984a9eb7c575e

SHA1
d09bc9647c251369dfb509409cf911ed48b19118

SHA256
0882e432cc259702ca418324c35ba478643ca056d1613903de3f3a9f05374711

SHA512
3b9c52bfedc9f68b7e903040363c2d44e8cef5c9f3da1538ef6bc9efcbf548e145a8abb8ca62bbd6eae884f5916c72d38df02604b3b10ca664ce63627ef68b0e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBE6F.exe

Filesize
15KB

MD5
8cb52e840ee5d92c04bef4ee55c2fd98

SHA1
db0ca743339f891b618a3556f4dbd65ae8811d6f

SHA256
2803260bde949db3e9fa374398f45455238f78a76a56a93f03d4526a26669664

SHA512
147d6f0d947dac1f9a885d1d3451bf5bb8cb88816c1e08a1d16f791eb05406cbe2904337a5d0630d9a3252bc67431ea9d359fc056eef050ee4db9ea4863dcd4f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBF69.exe

Filesize
15KB

MD5
3da0b88ce1f23e24ff81d78e898c3292

SHA1
22c9d9e81ce1d6c8b9fd338d267fc0cdbfcb47c9

SHA256
c64952c7f7f5f123e5c2236b321e9b58bf1c8ffe12da594515ccbc99a93dd134

SHA512
41f68bb99f6d65a3ad53f12f3b2e18c4ccd37002b6b606425fe8c1aac4e872951ea566fa56c78f98297a88974e5a5f2fe06a3a0d6674259010c1ba29def967f1

Download Submit

Analysis

Sharing