1062105e98743a8a45276d24f7ebce25565df818e8f2ad58d7a436a527beb921

General

Target

dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe
Size

13KB
MD5

dc3cf8388b866c3b471ca69c285a1dc1
SHA1

455c0f474597214e46f85fdf9fbb22109e4ce54a
SHA256

1062105e98743a8a45276d24f7ebce25565df818e8f2ad58d7a436a527beb921
SHA512

b9ade17b402194a2c52899d4f825593782514da3b7b25c123723a7fd7671ad4655fe6ea8abe64e2664e0e1f428fe34e0619bddcdd26bcc0b404cd9815e9842c1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhz0:hDXWipuE+K3/SSHgxx0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2284	DEM13B0.exe
2484	DEM6900.exe
1624	DEMBE5F.exe
2000	DEM13CF.exe
1648	DEM690F.exe
2800	DEMBE7F.exe

Loads dropped DLL 6 IoCs

pid	Process
2944	dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe
2284	DEM13B0.exe
2484	DEM6900.exe
1624	DEMBE5F.exe
2000	DEM13CF.exe
1648	DEM690F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2284	2944	dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2284	2944	dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2284	2944	dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2284	2944	dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe	29
PID 2284 wrote to memory of 2484	2284	DEM13B0.exe	31
PID 2284 wrote to memory of 2484	2284	DEM13B0.exe	31
PID 2284 wrote to memory of 2484	2284	DEM13B0.exe	31
PID 2284 wrote to memory of 2484	2284	DEM13B0.exe	31
PID 2484 wrote to memory of 1624	2484	DEM6900.exe	35
PID 2484 wrote to memory of 1624	2484	DEM6900.exe	35
PID 2484 wrote to memory of 1624	2484	DEM6900.exe	35
PID 2484 wrote to memory of 1624	2484	DEM6900.exe	35
PID 1624 wrote to memory of 2000	1624	DEMBE5F.exe	37
PID 1624 wrote to memory of 2000	1624	DEMBE5F.exe	37
PID 1624 wrote to memory of 2000	1624	DEMBE5F.exe	37
PID 1624 wrote to memory of 2000	1624	DEMBE5F.exe	37
PID 2000 wrote to memory of 1648	2000	DEM13CF.exe	39
PID 2000 wrote to memory of 1648	2000	DEM13CF.exe	39
PID 2000 wrote to memory of 1648	2000	DEM13CF.exe	39
PID 2000 wrote to memory of 1648	2000	DEM13CF.exe	39
PID 1648 wrote to memory of 2800	1648	DEM690F.exe	41
PID 1648 wrote to memory of 2800	1648	DEM690F.exe	41
PID 1648 wrote to memory of 2800	1648	DEM690F.exe	41
PID 1648 wrote to memory of 2800	1648	DEM690F.exe	41

C:\Users\Admin\AppData\Local\Temp\dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\DEM13B0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM13B0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\DEM6900.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6900.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\DEMBE5F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBE5F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\DEM13CF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM13CF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\DEM690F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM690F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\DEMBE7F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBE7F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6900.exe

Filesize
13KB

MD5
73668f5218e55224a6587c1beff6709f

SHA1
985ae3dc411b4fd2de0533e2fdfb7ea61d84b28c

SHA256
2131d1c601d3cacce153f9997fa0a1b87f76c33edd2780ee1e82e3a9dbdd0c36

SHA512
966076230044c1949cddbfe22b3fadaba1a81fa599a4284f443cf75b2accf5d024755a98a96da1f5b5c4a28748fbb8437237d7cf17de52c61ca9687d3a042216

Download Submit
\Users\Admin\AppData\Local\Temp\DEM13B0.exe

Filesize
13KB

MD5
d951be9e4de76efbc9f7a3b4cc08e0c7

SHA1
787fca9a8b9ce63193e02feb463537002b55f9f7

SHA256
af69ff6b0968e85301d3a1c4e00bbd15b3c12cd8a3c59263ce1c8542f60dfd1e

SHA512
7259d4db479937fc4994fe2993589e26eed7c872c94063df3f61a7d9df222bdd66cca0118fe45f151cfba0a97437cff27831dc099f55b82e0695f60510f45c2a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM13CF.exe

Filesize
13KB

MD5
933b0fd9be1b400266e6b0b130785b44

SHA1
0e87f4863b66d0ff4c0cad589124ba22865cbff3

SHA256
1b2794f3935e80e07e96abe9516e46fcf56c3e2e89a864590ca5dfb32a3e80ca

SHA512
210da963bd433a4635362719e318b170c90b43ec2e6874c7f0cbdde4a7a7d6a16af64a47efb95a5956dc83e9709ed2fac9378ad9cc5cae0ee1488faf3dbe80e5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM690F.exe

Filesize
13KB

MD5
c7715a6d7c3ad68bd0000166dd02bae6

SHA1
987a73fb6e44ee221309232bdb6616763e138358

SHA256
fa33448e5c605a0695250102291b75927804edd1f3d7e26d0cdcefe0786d571d

SHA512
f5b51a352f7279a71f1da5b25d3bacf07e38bb849b60d4503292b15b69f995981d477ad878a8d0772fbe9afa5eb6a967ea5870d9683c6b084d3a1d8e3321acf4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBE5F.exe

Filesize
13KB

MD5
1b7385d1410419d74849ebbc40f0e1c7

SHA1
358743919274c1d5606d223c04ebde4ec55484bc

SHA256
861e0165bd35035615b46d8a82446a8943f9c45e9197b6b3d7a06dc55d2d8171

SHA512
0a01b5ad8c808886f345850918bad566e172372230d5e0c87c47ec4a52aca9915efd1bc5f740adaadf7a2b64fb320ae1b799bb272baccbda2fcd76eae0f7992c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBE7F.exe

Filesize
13KB

MD5
2ee4246481a7529271a26e972145ee6c

SHA1
77f14e92afc6cf124e1a3299375f3ae90686bb00

SHA256
60ff72217a6d3aee2d29f8f2819c732a7f8101d76b3ab058b98a078bca9d1445

SHA512
78ce57d520b7fd973c40ff91bdd7df9940fc85eae544ff57a29b822cba1ec0ba09920be35ca3fda06c787c054283cc1fc2770c34b5cb76e191dd104cf916d53d

Download Submit

Analysis

Sharing