a84965c7fbcdab3dbafcb35aa216e564e535bbab5b0bf7ed6fa5835da631f9f7

General

Target

e0df47182cc49c0d28640c788d4a9c60_JaffaCakes118.exe
Size

15KB
MD5

e0df47182cc49c0d28640c788d4a9c60
SHA1

128a7cd9e1c03790103cebaba30ce5e2f434f075
SHA256

a84965c7fbcdab3dbafcb35aa216e564e535bbab5b0bf7ed6fa5835da631f9f7
SHA512

5c1f8a2ac5819df68527e6a233022e5704a1fd3887c602662554063994eb560b19d6cfbefbc400be0f247186c4241fa811a1ee0ab0e67443c01c91c435f724b8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEvzQ:hDXWipuE+K3/SSHgx4zQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1916	DEM435.exe
2736	DEM5985.exe
2212	DEMAF14.exe
1068	DEM445.exe
1576	DEM59B4.exe
2420	DEMAFCF.exe

Loads dropped DLL 6 IoCs

pid	Process
2180	e0df47182cc49c0d28640c788d4a9c60_JaffaCakes118.exe
1916	DEM435.exe
2736	DEM5985.exe
2212	DEMAF14.exe
1068	DEM445.exe
1576	DEM59B4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1916	2180	e0df47182cc49c0d28640c788d4a9c60_JaffaCakes118.exe	29
PID 2180 wrote to memory of 1916	2180	e0df47182cc49c0d28640c788d4a9c60_JaffaCakes118.exe	29
PID 2180 wrote to memory of 1916	2180	e0df47182cc49c0d28640c788d4a9c60_JaffaCakes118.exe	29
PID 2180 wrote to memory of 1916	2180	e0df47182cc49c0d28640c788d4a9c60_JaffaCakes118.exe	29
PID 1916 wrote to memory of 2736	1916	DEM435.exe	31
PID 1916 wrote to memory of 2736	1916	DEM435.exe	31
PID 1916 wrote to memory of 2736	1916	DEM435.exe	31
PID 1916 wrote to memory of 2736	1916	DEM435.exe	31
PID 2736 wrote to memory of 2212	2736	DEM5985.exe	35
PID 2736 wrote to memory of 2212	2736	DEM5985.exe	35
PID 2736 wrote to memory of 2212	2736	DEM5985.exe	35
PID 2736 wrote to memory of 2212	2736	DEM5985.exe	35
PID 2212 wrote to memory of 1068	2212	DEMAF14.exe	37
PID 2212 wrote to memory of 1068	2212	DEMAF14.exe	37
PID 2212 wrote to memory of 1068	2212	DEMAF14.exe	37
PID 2212 wrote to memory of 1068	2212	DEMAF14.exe	37
PID 1068 wrote to memory of 1576	1068	DEM445.exe	39
PID 1068 wrote to memory of 1576	1068	DEM445.exe	39
PID 1068 wrote to memory of 1576	1068	DEM445.exe	39
PID 1068 wrote to memory of 1576	1068	DEM445.exe	39
PID 1576 wrote to memory of 2420	1576	DEM59B4.exe	41
PID 1576 wrote to memory of 2420	1576	DEM59B4.exe	41
PID 1576 wrote to memory of 2420	1576	DEM59B4.exe	41
PID 1576 wrote to memory of 2420	1576	DEM59B4.exe	41

C:\Users\Admin\AppData\Local\Temp\e0df47182cc49c0d28640c788d4a9c60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0df47182cc49c0d28640c788d4a9c60_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\DEM435.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM435.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\DEM5985.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5985.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\DEMAF14.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAF14.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\DEM445.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM445.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\DEM59B4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM59B4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\DEMAFCF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAFCF.exe"
        7⤵
        Executes dropped EXE
        
        PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM435.exe

Filesize
15KB

MD5
3d606e291087cd0efe5a1d74fb02fdc9

SHA1
d0958eecdce47433d4102cc3d8ef1d474b5eb347

SHA256
d9af98e41fc99c124f1c3f90ebeae02462f44a2be39dd4c3438ca1eca804fc44

SHA512
6aa6dc76d3980fdad1aca37d9e107b5c7070c1e70be48465c51321c77c90c1da72d0d731352bcdd5144969a54f16050fb7a4743c8c1bc530695e18d43c75d614

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5985.exe

Filesize
15KB

MD5
cb984b5feb2e46b8eedef5ba1ab592ec

SHA1
6d59b46816ee400542e7d776eea0f8806f387fc0

SHA256
9a73ce43961224ff466c4e05d6eac671daf52b05a5516c8cf1f7ffb572495a37

SHA512
b142db4f63a3a55cf6ebfeac2df707981e70e009aaa0d96179a955c237e5ecf14bd49d52a72dac9665477a1853912c6cc58085df8a40e35dcc63d7bd11ae5555

Download Submit
\Users\Admin\AppData\Local\Temp\DEM445.exe

Filesize
15KB

MD5
7be1223c6dc7d5d50d825528f30c222d

SHA1
8ac5a3347178380eede33753ac7c3d86b56f5c00

SHA256
e270688dba9e8f41716f15b4339fbff6a69e06f831d9ebe7cb0fbfde9529d225

SHA512
d84ee85e76c2b4c00e67ac59bee6aa5989ea52af2b4fcceb9ee406393de609f702e35612774661009b7cf8efae569317d9e8232498f68816521c9d6ea93c8c43

Download Submit
\Users\Admin\AppData\Local\Temp\DEM59B4.exe

Filesize
15KB

MD5
11b60e58a5099f7cc04495e24472b19b

SHA1
c1b794c1f8034edbf79b48b6d1f719621c19345e

SHA256
07b2d88ec19f998309ed78dea15548646285668ba0146314e6167d4802b57a5f

SHA512
c0dfb1f0863a2ff93afe8cb7a9346d203097d02620f39ca33437e659b0506ad1da1e1b486e357e87d13bef750d4010cfbdb44d05695951ac7925beffd2bcf9d3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAF14.exe

Filesize
15KB

MD5
082ea4ce9594be984421042a4e3209f2

SHA1
0ac58aee98a01d57c23c9b6dc0b9add78c523c10

SHA256
31b2eab171df9de90230f2c2354d0b32f9731a87c1dad4adc5a12ab26da94351

SHA512
9fa37211feef111b59a1a925fec0c452bcd3d4de04759c1da1426255d8d5979f779e4b66ac91ee0062e897c1b8aad0d3ca2d40065fff943411435d8c2a616279

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAFCF.exe

Filesize
15KB

MD5
13ec260dcf924f0890c0fb34ade0b649

SHA1
0ccc0626a071a427a672a108e16f06907644a23c

SHA256
427b57429067bf0ce4b1909c3106132f37e0845a0559739ab98868821a8f5f56

SHA512
2fc4183be373aacac65be022485af3796995ceca40ea56092174fe6201d4be0036a2a5ac7e0123ce5572691a3243e1e7cf58275cb15cdfe67b79b4ab9b018cb0

Download Submit

Analysis

Sharing