10ec036c6f2bdfac33c19ddd14e8bcd900f34259251af21594e31d5b13e52fc4

General

Target

db872e8377517b8a5f6ce191f7557c60_JaffaCakes118.exe
Size

20KB
MD5

db872e8377517b8a5f6ce191f7557c60
SHA1

e3546a0db30099e320fd833ab0f0351166d9c313
SHA256

10ec036c6f2bdfac33c19ddd14e8bcd900f34259251af21594e31d5b13e52fc4
SHA512

4468d62e82b15fea5c0689eef5fdf5f2ed83cfa6b43ad5f6d971d8a6fe233c6212932e6eb4c85af64de660d4dbb73839d0f06f090ef0b568f0b24944973f26a3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PRS+:hDXWipuE+K3/SSHgxmHZPRh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1972	DEM17B5.exe
2696	DEM6D63.exe
1192	DEMC2A3.exe
2204	DEM1822.exe
1664	DEM6D82.exe
1212	DEMC33F.exe

Loads dropped DLL 6 IoCs

pid	Process
2936	db872e8377517b8a5f6ce191f7557c60_JaffaCakes118.exe
1972	DEM17B5.exe
2696	DEM6D63.exe
1192	DEMC2A3.exe
2204	DEM1822.exe
1664	DEM6D82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1972	2936	db872e8377517b8a5f6ce191f7557c60_JaffaCakes118.exe	29
PID 2936 wrote to memory of 1972	2936	db872e8377517b8a5f6ce191f7557c60_JaffaCakes118.exe	29
PID 2936 wrote to memory of 1972	2936	db872e8377517b8a5f6ce191f7557c60_JaffaCakes118.exe	29
PID 2936 wrote to memory of 1972	2936	db872e8377517b8a5f6ce191f7557c60_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2696	1972	DEM17B5.exe	31
PID 1972 wrote to memory of 2696	1972	DEM17B5.exe	31
PID 1972 wrote to memory of 2696	1972	DEM17B5.exe	31
PID 1972 wrote to memory of 2696	1972	DEM17B5.exe	31
PID 2696 wrote to memory of 1192	2696	DEM6D63.exe	35
PID 2696 wrote to memory of 1192	2696	DEM6D63.exe	35
PID 2696 wrote to memory of 1192	2696	DEM6D63.exe	35
PID 2696 wrote to memory of 1192	2696	DEM6D63.exe	35
PID 1192 wrote to memory of 2204	1192	DEMC2A3.exe	37
PID 1192 wrote to memory of 2204	1192	DEMC2A3.exe	37
PID 1192 wrote to memory of 2204	1192	DEMC2A3.exe	37
PID 1192 wrote to memory of 2204	1192	DEMC2A3.exe	37
PID 2204 wrote to memory of 1664	2204	DEM1822.exe	39
PID 2204 wrote to memory of 1664	2204	DEM1822.exe	39
PID 2204 wrote to memory of 1664	2204	DEM1822.exe	39
PID 2204 wrote to memory of 1664	2204	DEM1822.exe	39
PID 1664 wrote to memory of 1212	1664	DEM6D82.exe	41
PID 1664 wrote to memory of 1212	1664	DEM6D82.exe	41
PID 1664 wrote to memory of 1212	1664	DEM6D82.exe	41
PID 1664 wrote to memory of 1212	1664	DEM6D82.exe	41

C:\Users\Admin\AppData\Local\Temp\db872e8377517b8a5f6ce191f7557c60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db872e8377517b8a5f6ce191f7557c60_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\DEM17B5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM17B5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\DEM6D63.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6D63.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\DEMC2A3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC2A3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\DEM1822.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1822.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Users\Admin\AppData\Local\Temp\DEM6D82.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6D82.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\DEMC33F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC33F.exe"
        7⤵
        Executes dropped EXE
        
        PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM17B5.exe

Filesize
20KB

MD5
52f4531c2647cf0a310634409158802f

SHA1
248b252a917478fb59dfcf802a9508f7a01f7f1c

SHA256
c3cefdd556f13cdbf29755a0e36b644940813212cf9ab741e18340dc37d0bb66

SHA512
2a27d9ea69725f09a11e661ade627d0460267451b00d44d78ec09f632cefeae0d7e7af9f2ddb48a47fdc44b6f518f9fc0386fea3b78373a1c21d06b537d666f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6D63.exe

Filesize
20KB

MD5
7ae5b6398a3776948ea56c8506804dfb

SHA1
95b16319e398592ad41dbd63b95d44b146aa6ab1

SHA256
910b652520aef00abee7c705fb1b2ef4974b9917c3ef65fc928c55151a25a6ec

SHA512
c88a12c0e4e8fb59bf3507ba1a43a90e2b5f546faa6d389345e78c079e177a7964bbe713e0f571256fe61aead4c915aa0076092a0b5fc60f43f189b01e373b0b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1822.exe

Filesize
20KB

MD5
4d56bf7545f2bd4a9734df90cba01725

SHA1
302c5dc3145a1caa8d4d851c4dcfdf8386bca32b

SHA256
19446761dfcfbf2aaafbba219d91dd0cb35e61e15f0a67d000a02fc62d286903

SHA512
99d059cf82749e6db57c37015b46ba3d7fb80516d674dd750d21cf16e93b1348e7c500adc0231d60d4b482bc1e4dea01fbe9b5aa73caf34b7757b5ea224ab2f1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6D82.exe

Filesize
20KB

MD5
2f7f233b2315859bc11a19fc889ebc94

SHA1
74f42b334796d728e5dba75d58e385ac0ddeed8a

SHA256
98aee7144d2f77e6e444a36057a30a3e20a9dbdd44d36f2a7cb9d3647d3951a5

SHA512
49ca5668e2c1ee914595483d9f3011f146ecc63cd345fced4d048995b05113fec8ed68404509b87dd23e2b5906f4b5a6238ffe2051a47fa0d181fc3ecc05496a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC2A3.exe

Filesize
20KB

MD5
c7fbbe390489ba969cefc1355641513e

SHA1
f28d9a4bc8c7a83cffc25923bfb782622e60961b

SHA256
5ef35725a9ced9c91ccd5d2614864b47e63d94bbcc4c077383f06864bd4bbabf

SHA512
020e61fb6cf6bc4e3cf8e8c54bcede995d4be695602c837e13bc5e058c9d011beaf53a4e7ff10c8e2d81f215712f8127813b4eff77c5552babec7ff9fb18384a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC33F.exe

Filesize
20KB

MD5
60b5ddcac1ddc8854aa4d473740cd021

SHA1
1e9c21309a2cb06727807c828528c4fc46a10ef5

SHA256
04cb89b921c41adb0e20a88fd39fac443b95389d04d809870fc5bbaa53c2579d

SHA512
2ba490bd7eaf6a0020e435134c36c8a86871a8d611c0e61e71c03c88a72e5db448a1210983fe534c9352a593748fb7a9179dbdb36fd1332432f3c78a29fa84d3

Download Submit

Analysis

Sharing