5a542e621f1fa3e219cb70bacaf3e376dc592344b97bda3fe1e82a3a9c59e52e

General

Target

dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
Size

14KB
MD5

dbf4a2b38996ff3b5aded7751ccfc887
SHA1

3f5a55079cccde72029dcb5fdd6650afe08dd1e8
SHA256

5a542e621f1fa3e219cb70bacaf3e376dc592344b97bda3fe1e82a3a9c59e52e
SHA512

40b3cd581b94eaf0c464f1134f18a323632333f8781e3a1d22382438e172bae2cf2a698a2853fbeadb3ce0ca26409e5342b32411f95c3190c1949fef7ac401ed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhDv:hDXWipuE+K3/SSHgx9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2576	DEM6078.exe
1724	DEMB664.exe
2724	DEMBC4.exe
1556	DEM620D.exe
592	DEMB76D.exe
2044	DEMD3A.exe

Loads dropped DLL 6 IoCs

pid	Process
2856	dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
2576	DEM6078.exe
1724	DEMB664.exe
2724	DEMBC4.exe
1556	DEM620D.exe
592	DEMB76D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2576	2856	dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe	29
PID 2856 wrote to memory of 2576	2856	dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe	29
PID 2856 wrote to memory of 2576	2856	dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe	29
PID 2856 wrote to memory of 2576	2856	dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe	29
PID 2576 wrote to memory of 1724	2576	DEM6078.exe	33
PID 2576 wrote to memory of 1724	2576	DEM6078.exe	33
PID 2576 wrote to memory of 1724	2576	DEM6078.exe	33
PID 2576 wrote to memory of 1724	2576	DEM6078.exe	33
PID 1724 wrote to memory of 2724	1724	DEMB664.exe	35
PID 1724 wrote to memory of 2724	1724	DEMB664.exe	35
PID 1724 wrote to memory of 2724	1724	DEMB664.exe	35
PID 1724 wrote to memory of 2724	1724	DEMB664.exe	35
PID 2724 wrote to memory of 1556	2724	DEMBC4.exe	37
PID 2724 wrote to memory of 1556	2724	DEMBC4.exe	37
PID 2724 wrote to memory of 1556	2724	DEMBC4.exe	37
PID 2724 wrote to memory of 1556	2724	DEMBC4.exe	37
PID 1556 wrote to memory of 592	1556	DEM620D.exe	39
PID 1556 wrote to memory of 592	1556	DEM620D.exe	39
PID 1556 wrote to memory of 592	1556	DEM620D.exe	39
PID 1556 wrote to memory of 592	1556	DEM620D.exe	39
PID 592 wrote to memory of 2044	592	DEMB76D.exe	41
PID 592 wrote to memory of 2044	592	DEMB76D.exe	41
PID 592 wrote to memory of 2044	592	DEMB76D.exe	41
PID 592 wrote to memory of 2044	592	DEMB76D.exe	41

C:\Users\Admin\AppData\Local\Temp\dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\DEM6078.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6078.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\DEMB664.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB664.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\DEM620D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM620D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Users\Admin\AppData\Local\Temp\DEMB76D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB76D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\DEMD3A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD3A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB664.exe

Filesize
14KB

MD5
f15755f3361b852147f8aefee826289c

SHA1
cbe84a631d9fcdf8f73a7adf3ddd6a34d0763de3

SHA256
eb2009cf2761e0259c9e573f972405c4a408a67be08b160a11b3a04a26cc0035

SHA512
050fcf88a426232bc1a9188d466134168efb54a6958d215df2d3109f75e1506dc23191d6b94c156b1686d6a74dc127c78e78b41bd628dff0276887f4fd4116a7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6078.exe

Filesize
14KB

MD5
701e645d3b7c77bc0d2b271ae69f0323

SHA1
28f372fc0547093662f4ceefe516d3d2d089c496

SHA256
8e1d82bdbba763d31b6236301632773d4abdf01ab20dcc5b6af801e8191d2085

SHA512
e80ea4e1354f6c3516cdf853573112f0c9c6af4b785cba360c4e913fcecca849fb781be888e231e5f161db5623a9598967f74e80d5df05a06c5dde7bc559c72f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM620D.exe

Filesize
14KB

MD5
398f17a5011111c0b244e0b94546fad6

SHA1
1d457a8b0dfce4796a230c4e43cec7825aa487c4

SHA256
93b2d304c3af9b9bcc362bd2eef606c808329db15f663b2374f81869cf440801

SHA512
92e266e25a38b391b807bf3f840e7f0b49153d172d92983206453ec21ed90212685cfe319135b5b5cf81febc162d3ad77c53aa3b3bdb85915e17af757c3fcdf9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB76D.exe

Filesize
14KB

MD5
21aa4e1907383264ff1121a924b8246b

SHA1
d05fe4c46e8299dadfb528cdf6bcae8a42fb41fb

SHA256
00f7e24338ca85459bd45e9cbce7869d2e7974c1400e38576336d738ce11159c

SHA512
a2e34361baf66b630ea495078e69db6d7ceb59db437de946c67f3b506978f9291bf62b01a8a7048c8cc1e2cc2b94005038f0f738a0e3db9387602ad7fd90720b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC4.exe

Filesize
14KB

MD5
d78436c9f66d1b5289e12754e9bb7d16

SHA1
c8652a7c7cc05d815c9eaa0d90ea1a0702766143

SHA256
ae97eae5c4d3233a52c15fbb18ec4c52d0d182bf80e75f8f13da476fcaae1e2b

SHA512
0d7537083a4a67c240cd1d58d66801002c02fe160575a34c81a3346ab3601257ba9290d9d2407a5819c10aa6f5607fe0ee50672fd3a8b7473a3d7d3e4622264b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD3A.exe

Filesize
14KB

MD5
4993bcc5f65b81b8aa6897f79100fe05

SHA1
2d4447fc0af02197a962e229d0420432c79dc2b1

SHA256
d52646ee78c69054da962f6d5db7075e9ba14d88ceb1bd42f55b2b76b5a6645e

SHA512
daabd58bf5eea1ed70feb6d40ce5c54cf87839ca3b98c83180c3ade4695f16d74c34bc0774aff057af7e2613dd730b955cac8e6236eecebd132dc82b0b450dac

Download Submit

Analysis

Sharing