b05612ac84cc9812362d85e3c1a0495163e6eb5c552aacbacfb4af94c4753758

General

Target

e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe
Size

15KB
MD5

e1083124cfdc87844d334cf6ff13d855
SHA1

1bdf971aec527214edd01eb31b4d93b2f3a783f4
SHA256

b05612ac84cc9812362d85e3c1a0495163e6eb5c552aacbacfb4af94c4753758
SHA512

cdda7b338b2c0a0ce23a1371448ad981af9bea138a8268d583024ded3f695d85ef45907073c04de9553cbabbc7721dfd3ae97e237e37b202d7d5fb231414f2a2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJBK:hDXWipuE+K3/SSHgxmbK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2580	DEM167D.exe
2548	DEM6BAE.exe
2356	DEMC0C0.exe
2288	DEM15C2.exe
2176	DEM6B12.exe
2480	DEMC024.exe

Loads dropped DLL 6 IoCs

pid	Process
2036	e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe
2580	DEM167D.exe
2548	DEM6BAE.exe
2356	DEMC0C0.exe
2288	DEM15C2.exe
2176	DEM6B12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2580	2036	e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe	29
PID 2036 wrote to memory of 2580	2036	e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe	29
PID 2036 wrote to memory of 2580	2036	e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe	29
PID 2036 wrote to memory of 2580	2036	e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe	29
PID 2580 wrote to memory of 2548	2580	DEM167D.exe	31
PID 2580 wrote to memory of 2548	2580	DEM167D.exe	31
PID 2580 wrote to memory of 2548	2580	DEM167D.exe	31
PID 2580 wrote to memory of 2548	2580	DEM167D.exe	31
PID 2548 wrote to memory of 2356	2548	DEM6BAE.exe	35
PID 2548 wrote to memory of 2356	2548	DEM6BAE.exe	35
PID 2548 wrote to memory of 2356	2548	DEM6BAE.exe	35
PID 2548 wrote to memory of 2356	2548	DEM6BAE.exe	35
PID 2356 wrote to memory of 2288	2356	DEMC0C0.exe	37
PID 2356 wrote to memory of 2288	2356	DEMC0C0.exe	37
PID 2356 wrote to memory of 2288	2356	DEMC0C0.exe	37
PID 2356 wrote to memory of 2288	2356	DEMC0C0.exe	37
PID 2288 wrote to memory of 2176	2288	DEM15C2.exe	39
PID 2288 wrote to memory of 2176	2288	DEM15C2.exe	39
PID 2288 wrote to memory of 2176	2288	DEM15C2.exe	39
PID 2288 wrote to memory of 2176	2288	DEM15C2.exe	39
PID 2176 wrote to memory of 2480	2176	DEM6B12.exe	41
PID 2176 wrote to memory of 2480	2176	DEM6B12.exe	41
PID 2176 wrote to memory of 2480	2176	DEM6B12.exe	41
PID 2176 wrote to memory of 2480	2176	DEM6B12.exe	41

C:\Users\Admin\AppData\Local\Temp\e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\DEM167D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM167D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\DEM6BAE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6BAE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\DEMC0C0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC0C0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\DEM15C2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM15C2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Users\Admin\AppData\Local\Temp\DEM6B12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6B12.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\DEMC024.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC024.exe"
        7⤵
        Executes dropped EXE
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM15C2.exe

Filesize
15KB

MD5
1ccfa42d0c9bd956559ed0a511c2bdbb

SHA1
844e3fd1abf78f073566aaac7aea45dec6de02d7

SHA256
28c7ff66ada3a1b2f7a8d3de9d985eb7ceeef966143497a517302e95f7e648ac

SHA512
4c8c9a57f3740c932e205c3019376b5fe634ab27cbc3c9652657421405723962f0d4a3f1ee4ded87bc7c40ae85c78b885118297484addf0660582009fdec5d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM167D.exe

Filesize
15KB

MD5
9dd666284bb7c8f5ab2be4f9960427ea

SHA1
e72abe960dcfff69b528807384208aada6261bb4

SHA256
e1eb86e951e54f7e277d61a08945ecafa5ceae34020d88507981181c221842a1

SHA512
525eb1020c119adb7b66d0647795c12f7dcdaf7bfdd9c7061ce1612c14274557b213641368e6f954a4263252b952bd2095f0e38ac9e5123ab432047ca217db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6BAE.exe

Filesize
15KB

MD5
ee4c3b02fcffbf0488bcbba171f26137

SHA1
2405e4971d62b5ebfddb87f70260cd1ed2a1cc2f

SHA256
661369aeb3653e15cf023e03acf13800dd5e4e540ffda80438c8336b1eca380d

SHA512
e11ec4eb4c2daf826383e84a52c304aa6f0c10e3e49910ead7ebd1727ac29ddda8c45c991a8dfffec4e88da31a615f11b16401f3f1bdd75ed6392c7f806c79ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC0C0.exe

Filesize
15KB

MD5
13e87f5ec606756335604969d559691a

SHA1
8b4c1437fdcf01551aeffbc1aebe342992fe26be

SHA256
0595ed8fc5f6fe454e7372b71fa49d04a0fdb0e22480508402280517c50ae0db

SHA512
9706adea9b240b0089e342c597405fc75612b03b44dd8decee7ba6f5324f03fb174ba83729d462e96e3bf6d9570a1500496c63c792f94bd5d259def6d4c8f1a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6B12.exe

Filesize
15KB

MD5
0c2f450e14ea2e06357cae161a513e6a

SHA1
157066c22cea1258b6437d6a04ad63a47b6280f7

SHA256
6c9564dc5101fa6ea07b809893eb57fa1a57e15061f7868af82afa74b89ff49d

SHA512
bc6bb790c208565b637bcdf7906cc39938aaac605d8f486e9baf7c0bce188419cb3307a45c747721ebecbc04a6816a0ce0eab682d454cc7019aeef55979148d4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC024.exe

Filesize
15KB

MD5
28a6efbeece464d5935a4c289309990f

SHA1
9ce673bd37e00a3d0b44d693f70ec743fec8d768

SHA256
79b60561609b404752c376cccb6bd04069eb6008fb5f166041890b9ab76db378

SHA512
8107f55c464f3ac9d6b32b77db889042505febcec68d9d88cc37f1c398ef7ff0811c18406cc25e5693b95ce40652b8a2ae14e67be2d430f1d0bdcff1ff770704

Download Submit

Analysis

Sharing