3a02d14ac2d431de7cca591fde026eecee6878c559c7f36982580021743a5c90

General

Target

d8b57e553fcb0097512e2ec6d0dbb1dc_JaffaCakes118.exe
Size

16KB
MD5

d8b57e553fcb0097512e2ec6d0dbb1dc
SHA1

bae7b8b7afeb28cfdf1c67347157ca2be9986ee9
SHA256

3a02d14ac2d431de7cca591fde026eecee6878c559c7f36982580021743a5c90
SHA512

b588d421e644d421ae3f86ebdc1b159a801d2094b6afc9b4b0259b00ee71d02fde58cf9c1b84e4e40c84c58b5bca42e348c9450a5e78bbb7807357d776db2d5b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6QFttUA:hDXWipuE+K3/SSHgxmyh6QBUA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2276	DEM10E2.exe
2612	DEM6651.exe
2508	DEMBBC1.exe
1980	DEM1101.exe
1932	DEM6680.exe
2116	DEMBC9B.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	d8b57e553fcb0097512e2ec6d0dbb1dc_JaffaCakes118.exe
2276	DEM10E2.exe
2612	DEM6651.exe
2508	DEMBBC1.exe
1980	DEM1101.exe
1932	DEM6680.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2276	2528	d8b57e553fcb0097512e2ec6d0dbb1dc_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2276	2528	d8b57e553fcb0097512e2ec6d0dbb1dc_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2276	2528	d8b57e553fcb0097512e2ec6d0dbb1dc_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2276	2528	d8b57e553fcb0097512e2ec6d0dbb1dc_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2612	2276	DEM10E2.exe	31
PID 2276 wrote to memory of 2612	2276	DEM10E2.exe	31
PID 2276 wrote to memory of 2612	2276	DEM10E2.exe	31
PID 2276 wrote to memory of 2612	2276	DEM10E2.exe	31
PID 2612 wrote to memory of 2508	2612	DEM6651.exe	35
PID 2612 wrote to memory of 2508	2612	DEM6651.exe	35
PID 2612 wrote to memory of 2508	2612	DEM6651.exe	35
PID 2612 wrote to memory of 2508	2612	DEM6651.exe	35
PID 2508 wrote to memory of 1980	2508	DEMBBC1.exe	37
PID 2508 wrote to memory of 1980	2508	DEMBBC1.exe	37
PID 2508 wrote to memory of 1980	2508	DEMBBC1.exe	37
PID 2508 wrote to memory of 1980	2508	DEMBBC1.exe	37
PID 1980 wrote to memory of 1932	1980	DEM1101.exe	39
PID 1980 wrote to memory of 1932	1980	DEM1101.exe	39
PID 1980 wrote to memory of 1932	1980	DEM1101.exe	39
PID 1980 wrote to memory of 1932	1980	DEM1101.exe	39
PID 1932 wrote to memory of 2116	1932	DEM6680.exe	41
PID 1932 wrote to memory of 2116	1932	DEM6680.exe	41
PID 1932 wrote to memory of 2116	1932	DEM6680.exe	41
PID 1932 wrote to memory of 2116	1932	DEM6680.exe	41

C:\Users\Admin\AppData\Local\Temp\d8b57e553fcb0097512e2ec6d0dbb1dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d8b57e553fcb0097512e2ec6d0dbb1dc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\DEM6651.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6651.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\DEMBBC1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBBC1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Users\Admin\AppData\Local\Temp\DEM1101.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1101.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Users\Admin\AppData\Local\Temp\DEM6680.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6680.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6651.exe

Filesize
16KB

MD5
ad5478c261e2f16527e623bd4697ba95

SHA1
8b06749526c2321456d224c8243b64983694e154

SHA256
939a35b8e99bd866409d8fbbbbcced3d4da8c714a79d1f08be88dd7989ac6002

SHA512
00c6b61f5702515f14a269309b9b0b7ceaa52120e2fe2d92cd71f88cb0bebc7c7ed7761cb764e23cc0a91fabffcef5f34a4cce153dec6a815650f262fef3ef0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBBC1.exe

Filesize
16KB

MD5
7a752aabd1f55fe55578e6174e5a4607

SHA1
d740cb8ba6f1ce497a762f8e4655e4f51dc76937

SHA256
d8fe0ffda7baa55cfe13cb60edc3621cb5b5659dbf80763bbfe3d41a1e44aac8

SHA512
d3255c0442416a8cd6d03f0e3bb049e905fee22efb0d3fcdf79eb59318c9ef4665e551091f261d3b3a470c335831c970347fffdaec18ba9b0272959cbdf248d1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM10E2.exe

Filesize
16KB

MD5
e811dd520402ca0d928ad0a4355f0a02

SHA1
f2469d2ba504a33f305abe7cecb61c14de8c8874

SHA256
c6bf81761c21b83a936213e2ed1b1879c6b156dcad45a858044a72328b740c80

SHA512
b66bd3f534fbdbb05f056634a13faa48897a17bdec1bf92c8bc73d98e65174e36bda8266484c4a3d20c6c5aa9049bc1bd399b370e2b6369475410bc6ece9cdec

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1101.exe

Filesize
16KB

MD5
66fe89abc5fd6bd5f75e59b81cab9123

SHA1
7e7f7a457e4a49b84ff66d428aa0d2cea3a2654f

SHA256
82b53a143bb36e1beb35ca07e575c8659a47dad5e3a596ca0fcdf4e9f01e640a

SHA512
9970a23fc69aa647282ae28bd56a0d055b3d97f437c925ca6dee8dc75de30ff7701a94837b1949b369d50be923c440eb087becbfd1683eeff481bb5c1bf5cd10

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6680.exe

Filesize
16KB

MD5
a5ae7c5d9557f47a4269201fc5a94627

SHA1
51fbd765c725579db0422b36860aae53f6973f42

SHA256
1da9e6c60b19bec397598deddd6fd881998234918f18c0f09b9827dbf769ca9f

SHA512
a72abab3b381908cd870017d99c064690b31f5f73889ebc1064c833f664b8f38643d6b1bad5ab324ca4cce587c5b71e5981fa97396e8fd0791e316bc15594c2e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC9B.exe

Filesize
16KB

MD5
cfe8dd8acec286337add2068db7a1f77

SHA1
11b0641aee4c4ae73624512ea9635e9f66fa6ce9

SHA256
726884a112db2ca8dd02fa4c7593567ade1b53c2b4c13e3f2b4072879c6f8e83

SHA512
f09e8c5c199e39dfaa2d0cadbbb8e8337a4083c732f9ae39f6b15f992aaf02436a258d3fffc314edf4fdfa8a692921dcb2770d180129c82e12a01474808d8a65

Download Submit

Analysis

Sharing