839c71d92874a0afa93a974f6bbdf89a6e299a6cd41efd3c546c4368eefe6409

General

Target

e03bad6114504264cef91d1bd3ecdb4d_JaffaCakes118.exe
Size

14KB
MD5

e03bad6114504264cef91d1bd3ecdb4d
SHA1

e2501b1b99dc92490d76d8dae21231ffb7e9c132
SHA256

839c71d92874a0afa93a974f6bbdf89a6e299a6cd41efd3c546c4368eefe6409
SHA512

6278ec1530191b8c5211515f0c51d7b3b41ba1bda92b69ccae244f7a008f928709efa0da6b3206d569b2920f71e991db8b7950a9179d2a07ff09cf0a2c0f31cf
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR06:hDXWipuE+K3/SSHgx46

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2680	DEM2B64.exe
2944	DEM80A5.exe
2700	DEMD5B6.exe
1612	DEM2AB8.exe
1404	DEM7FCA.exe
2764	DEMD4DC.exe

Loads dropped DLL 6 IoCs

pid	Process
2168	e03bad6114504264cef91d1bd3ecdb4d_JaffaCakes118.exe
2680	DEM2B64.exe
2944	DEM80A5.exe
2700	DEMD5B6.exe
1612	DEM2AB8.exe
1404	DEM7FCA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2680	2168	e03bad6114504264cef91d1bd3ecdb4d_JaffaCakes118.exe	29
PID 2168 wrote to memory of 2680	2168	e03bad6114504264cef91d1bd3ecdb4d_JaffaCakes118.exe	29
PID 2168 wrote to memory of 2680	2168	e03bad6114504264cef91d1bd3ecdb4d_JaffaCakes118.exe	29
PID 2168 wrote to memory of 2680	2168	e03bad6114504264cef91d1bd3ecdb4d_JaffaCakes118.exe	29
PID 2680 wrote to memory of 2944	2680	DEM2B64.exe	33
PID 2680 wrote to memory of 2944	2680	DEM2B64.exe	33
PID 2680 wrote to memory of 2944	2680	DEM2B64.exe	33
PID 2680 wrote to memory of 2944	2680	DEM2B64.exe	33
PID 2944 wrote to memory of 2700	2944	DEM80A5.exe	35
PID 2944 wrote to memory of 2700	2944	DEM80A5.exe	35
PID 2944 wrote to memory of 2700	2944	DEM80A5.exe	35
PID 2944 wrote to memory of 2700	2944	DEM80A5.exe	35
PID 2700 wrote to memory of 1612	2700	DEMD5B6.exe	37
PID 2700 wrote to memory of 1612	2700	DEMD5B6.exe	37
PID 2700 wrote to memory of 1612	2700	DEMD5B6.exe	37
PID 2700 wrote to memory of 1612	2700	DEMD5B6.exe	37
PID 1612 wrote to memory of 1404	1612	DEM2AB8.exe	39
PID 1612 wrote to memory of 1404	1612	DEM2AB8.exe	39
PID 1612 wrote to memory of 1404	1612	DEM2AB8.exe	39
PID 1612 wrote to memory of 1404	1612	DEM2AB8.exe	39
PID 1404 wrote to memory of 2764	1404	DEM7FCA.exe	41
PID 1404 wrote to memory of 2764	1404	DEM7FCA.exe	41
PID 1404 wrote to memory of 2764	1404	DEM7FCA.exe	41
PID 1404 wrote to memory of 2764	1404	DEM7FCA.exe	41

C:\Users\Admin\AppData\Local\Temp\e03bad6114504264cef91d1bd3ecdb4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e03bad6114504264cef91d1bd3ecdb4d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\DEM2B64.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2B64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\DEMD5B6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD5B6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\DEM2AB8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2AB8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\DEM7FCA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7FCA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\DEMD4DC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD4DC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7FCA.exe

Filesize
14KB

MD5
a9251feeb69f750774531f49743efda4

SHA1
13ecffdcbcce1362065a8c170ec66d1dccba7cf7

SHA256
0af8280fc209703d6cfc5bd0f5f26a4852b9fd91df961d314af608c33a270272

SHA512
04219fabc352e31426eb3f5d434d81565ee30108cfcc626d14dd7da0da59a7fd3bedfc1fa47c1ad2f479ea6ccd86d096f1734e8681ee5fcb45650a3ed40d91a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe

Filesize
14KB

MD5
8b280737b631454a3b61470c55e157d4

SHA1
048cdd69265d19c3531539efa06f214667ce51bf

SHA256
5c0ab6c86b8cfe8d5d90a54f10aafe8db1058c26e701c9436bdfc7bd96c483b1

SHA512
26972ad52c923ca02695c033992618157811a9c744e0a97eaf728a40923b1c494633b96a7a41dd5ae22857e2afc88ffb6bebf2091292b13b8a5735912024c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD5B6.exe

Filesize
14KB

MD5
2f2635a53ef95210e2d6bce63c10db07

SHA1
6b143135d2acf55d7a610c50b8923ecb2825c3af

SHA256
94700c45d4527921b005e341f506dc9706dde5031a9cbed9865eb98db3abe952

SHA512
3c13004949e4e09984a9304964947fe970894101a8e69afdd94aeba50062929e19ed248a8288743d3a523a8d9bb97cdbfdd77f757cbf9e3c8c4c36ed79d4396e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2AB8.exe

Filesize
14KB

MD5
731f633e22d4a5a88bf510510c881b7e

SHA1
9fdfceb32fea0439378e6798dcada51384f03c88

SHA256
ecdb948a7768bfa15b916894b406bf971ef4c59fa93880de6c1ce3be43576cf4

SHA512
edc592c2b5c8f6040773bccc577b605c1e277d0e95ddf1c9e5292fea00b0980877c940a007cdf8f42738e96e34232177977cbb99ad7b9246ddc6168a13d319f1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2B64.exe

Filesize
14KB

MD5
97d892bea5b2379552993a0e8582885c

SHA1
626830571c83e5e8ebf80b53547a2bcc5311e8b7

SHA256
fd987787e5db33397816d432b02b54fec84e2d26929ba06b66b4cdb6daacc104

SHA512
915565520a684e97c20b8611a1774cec8bf50b0b097a3ca6b612eb81602e68772aa3dac315bfe41777f4a413b3242c23af85f4bfa1a1d6879b21242e5fb546d2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD4DC.exe

Filesize
14KB

MD5
d83cbd951d33688124e7b12e666f8245

SHA1
ada977f80c8196635ec266a67ed2f949a8774ba9

SHA256
402a2ca3beba938e004e482c45a90b4e023f5f5b1ab7d2272f865c685be38db0

SHA512
394fbf76a43fdf7f48fcd10613ca30450ad538316353068e69e8bdbfa3e0ee9000585d77e4a0609e200f517c53bf24ee80538e4a8fade45f58ff13f23b82eca2

Download Submit

Analysis

Sharing