92d57cce68556ff0c86ba41d79c89ea323114c29ab42829d9220a37f99b26155

General

Target

dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe
Size

14KB
MD5

dbf46b68e7408b25f39c985259024fce
SHA1

87ff120dc67ccd7e86c404d1d16995890d008d55
SHA256

92d57cce68556ff0c86ba41d79c89ea323114c29ab42829d9220a37f99b26155
SHA512

3d90028976c894c673ad33c3d3aadfc2708fc7f72f234c207d7751afaf2e66d726fb1c4d3d84c5c466068cf998e7627d0a2dbec759cf7d205483bc8185f35aa7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5Rxf:hDXWipuE+K3/SSHgx3f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2580	DEM843D.exe
2900	DEME753.exe
2712	DEM3E29.exe
1740	DEM9434.exe
2692	DEME9F2.exe
2876	DEM3FCE.exe

Loads dropped DLL 6 IoCs

pid	Process
2872	dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe
2580	DEM843D.exe
2900	DEME753.exe
2712	DEM3E29.exe
1740	DEM9434.exe
2692	DEME9F2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2580	2872	dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2580	2872	dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2580	2872	dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2580	2872	dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe	29
PID 2580 wrote to memory of 2900	2580	DEM843D.exe	33
PID 2580 wrote to memory of 2900	2580	DEM843D.exe	33
PID 2580 wrote to memory of 2900	2580	DEM843D.exe	33
PID 2580 wrote to memory of 2900	2580	DEM843D.exe	33
PID 2900 wrote to memory of 2712	2900	DEME753.exe	35
PID 2900 wrote to memory of 2712	2900	DEME753.exe	35
PID 2900 wrote to memory of 2712	2900	DEME753.exe	35
PID 2900 wrote to memory of 2712	2900	DEME753.exe	35
PID 2712 wrote to memory of 1740	2712	DEM3E29.exe	37
PID 2712 wrote to memory of 1740	2712	DEM3E29.exe	37
PID 2712 wrote to memory of 1740	2712	DEM3E29.exe	37
PID 2712 wrote to memory of 1740	2712	DEM3E29.exe	37
PID 1740 wrote to memory of 2692	1740	DEM9434.exe	39
PID 1740 wrote to memory of 2692	1740	DEM9434.exe	39
PID 1740 wrote to memory of 2692	1740	DEM9434.exe	39
PID 1740 wrote to memory of 2692	1740	DEM9434.exe	39
PID 2692 wrote to memory of 2876	2692	DEME9F2.exe	41
PID 2692 wrote to memory of 2876	2692	DEME9F2.exe	41
PID 2692 wrote to memory of 2876	2692	DEME9F2.exe	41
PID 2692 wrote to memory of 2876	2692	DEME9F2.exe	41

C:\Users\Admin\AppData\Local\Temp\dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\DEM843D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM843D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\DEME753.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME753.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\DEM3E29.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3E29.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\DEM9434.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9434.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Users\Admin\AppData\Local\Temp\DEME9F2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME9F2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\DEM3FCE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3FCE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9434.exe

Filesize
14KB

MD5
fe053825f3c8885be3f98a9d7d488f92

SHA1
19cc8e6ef53a236ba03b108b1dd407f780ca0e79

SHA256
7025a142c2fb6dbcf547d734d2a2d6d45bae301fb18bcfd30880ba7ea1fa7363

SHA512
d48b8d1ebe6be2d1c0b8c79f56b24a76db12ce5f6ef97b1e337b48b4f33b9ee109893d1ddb532c0ba66127509db0eb92cb352243b29fc4d653e7ee3cf41035a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME753.exe

Filesize
14KB

MD5
d66836a8dec9667365a30f38a63bc6d2

SHA1
7af76700b6619612a2adeb0e38717a214fa1b391

SHA256
d242cbce58b49619cd4e7d25966c481c53d170b57a1ed2038f11635f69be7875

SHA512
0e4b6f3770ef4d404460283a3ce6fe813083f9cd4c4765ba34ab70219ff89d58e00b8c0cc8772470d242bf9cdbf50e4b157fadd4feee188d9564621221e2bd7b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3E29.exe

Filesize
14KB

MD5
6f19427b9fd1fcc7eab820b59a201b4b

SHA1
d80ed0c71f3974a459413011aa835e879a93d598

SHA256
a740521966036e95b9e5d8f5e68844184771ee63e755a07293cc071dfe6c28e8

SHA512
26ff2729734fa54f9e96bc5dbc90847b3157942234646f25843e13cafbc68f4c540c9db50fee25fce0adc7563a1f411d494dff8a9e8beca9326e337e787c58bd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3FCE.exe

Filesize
14KB

MD5
5990d0607e3f8895ee568338679bd13c

SHA1
806071e92a60364375ae534516a041862a91c96b

SHA256
1ab97549ef8f7fa91b30fdb19d486e1a18be6bf03a0fe0edee2794e2971c347d

SHA512
68a207f4d6386c00fca0467319ff005fa3a6bf6f305db289ae4bc9467c4862f7e0cfbc09ea1210a4900a3d3f53d294f94b2943519ea4e7cc864c19b3e3ee4630

Download Submit
\Users\Admin\AppData\Local\Temp\DEM843D.exe

Filesize
14KB

MD5
5d0fb832123ac7af1fad03a3513d4d5f

SHA1
f15641f63d20b765a9011f3db181cbcf847be7d1

SHA256
c50c56a66d9fc5e9b8a28b7a075ce97cfe713530a26fd9d1489cce2469bd4486

SHA512
9056e974a51caff3a79b16808347298e4b56a451ab3110271f664da37f871240246177b29299f446e4d002745fcec5f57010f47bc0df3f276ccfdbb99a5d5f0b

Download Submit
\Users\Admin\AppData\Local\Temp\DEME9F2.exe

Filesize
14KB

MD5
86d99a339e9f4ee40401a429f6c34613

SHA1
690d882dd56c61556d60ab6ae6e355d285b35a21

SHA256
96140bb8764e58403b0ff5ff0e0ec7d71b403b16da450878b2e8983e6aeb27a4

SHA512
facf0c84af1fdf62d21f4302d4d31865b5fe7d1a8e8ccd2c8ef162061565f3d00fd595ab7ad8ff080b1b92f70193146c9c26c7a9cc90164631a78ebb36985a79

Download Submit

Analysis

Sharing