1e26013d2acdcd11dde5c336e7f031c17460a0f45b7ef1c4becf5d860e1d03b6

General

Target

e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe
Size

15KB
MD5

e050f9bc8dc86a9027677e536b68bb5f
SHA1

429549303e0fc1a3bfa145a7df4a2fbbad00295b
SHA256

1e26013d2acdcd11dde5c336e7f031c17460a0f45b7ef1c4becf5d860e1d03b6
SHA512

c6675aed9be6e21842107610f51f4cc86e6bcdc0132e1ca136232595af3a29e0bdb9e463747efd972fc935fec727cdf7d9dd52d54150a72f8ff95c274272b17a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4l+aF:hDXWipuE+K3/SSHgxmg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3032	DEM5A9E.exe
2460	DEMB09A.exe
2640	DEM676.exe
808	DEM5C05.exe
1388	DEMB2BC.exe
1656	DEM982.exe

Loads dropped DLL 6 IoCs

pid	Process
1300	e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe
3032	DEM5A9E.exe
2460	DEMB09A.exe
2640	DEM676.exe
808	DEM5C05.exe
1388	DEMB2BC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 3032	1300	e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe	29
PID 1300 wrote to memory of 3032	1300	e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe	29
PID 1300 wrote to memory of 3032	1300	e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe	29
PID 1300 wrote to memory of 3032	1300	e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe	29
PID 3032 wrote to memory of 2460	3032	DEM5A9E.exe	33
PID 3032 wrote to memory of 2460	3032	DEM5A9E.exe	33
PID 3032 wrote to memory of 2460	3032	DEM5A9E.exe	33
PID 3032 wrote to memory of 2460	3032	DEM5A9E.exe	33
PID 2460 wrote to memory of 2640	2460	DEMB09A.exe	35
PID 2460 wrote to memory of 2640	2460	DEMB09A.exe	35
PID 2460 wrote to memory of 2640	2460	DEMB09A.exe	35
PID 2460 wrote to memory of 2640	2460	DEMB09A.exe	35
PID 2640 wrote to memory of 808	2640	DEM676.exe	37
PID 2640 wrote to memory of 808	2640	DEM676.exe	37
PID 2640 wrote to memory of 808	2640	DEM676.exe	37
PID 2640 wrote to memory of 808	2640	DEM676.exe	37
PID 808 wrote to memory of 1388	808	DEM5C05.exe	39
PID 808 wrote to memory of 1388	808	DEM5C05.exe	39
PID 808 wrote to memory of 1388	808	DEM5C05.exe	39
PID 808 wrote to memory of 1388	808	DEM5C05.exe	39
PID 1388 wrote to memory of 1656	1388	DEMB2BC.exe	41
PID 1388 wrote to memory of 1656	1388	DEMB2BC.exe	41
PID 1388 wrote to memory of 1656	1388	DEMB2BC.exe	41
PID 1388 wrote to memory of 1656	1388	DEMB2BC.exe	41

C:\Users\Admin\AppData\Local\Temp\e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\DEM5A9E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5A9E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\DEMB09A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB09A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\DEM676.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM676.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\DEM5C05.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5C05.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:808
      - C:\Users\Admin\AppData\Local\Temp\DEMB2BC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB2BC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\DEM982.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM982.exe"
        7⤵
        Executes dropped EXE
        
        PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB09A.exe

Filesize
15KB

MD5
eba3caa6a36e67f3be3654646758433f

SHA1
8c944a3610078779632ee2839bb81ad3d2af3283

SHA256
b1cf765f2f189d9bccdea6797cedaf1df374e103be53dbbd52ddafcdfdefb80f

SHA512
58d063e357cc46ed24fbdc3f506ce66a0e672d2f8aeaf30d9143f791bc44f0311ef1743c97a1e56497e09d63e9e86ccb013a781ebdff400f6862d07d173eaebe

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5A9E.exe

Filesize
15KB

MD5
11ce39b85d04952ba5b909dabba65c9e

SHA1
8999ee0849054f8a3bf3580189c9ecbaa9f16726

SHA256
a46547b2939238f0a18e0f8a48c45e3ab9454452f1dad0f358feaca745980190

SHA512
9214e147507fbe46293d0423f0e3c372e823d152ce1deae569405cb2ea69d0c383226c6b6cda434b40fc701d7bf1aa47eea29281b2f235fefa7bd599817681b8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5C05.exe

Filesize
15KB

MD5
ad76eabfb7e0718530c04618c25b6d34

SHA1
bd09f48bed2fe6cdfd9a22191406a79cb6dc95c9

SHA256
fb3ffba14235cb98b72569c5efdc810a6a2ba7fdc0d12b4594070da0156af3f4

SHA512
e85a7d27aebe49fd5e36b9337f32b12dfa71c094481e70033ad448af016ac3d07edbf4d21ffe252308521cca570efc842979d9299c267f836459c38dea28e289

Download Submit
\Users\Admin\AppData\Local\Temp\DEM676.exe

Filesize
15KB

MD5
febf79335ce2c998b5d2a86cadd8a7c3

SHA1
9508fc808ebe7ac9d2eede5d2815f21bb004b1e4

SHA256
6a1b19dce55e8799dbe32e0b7d4eac1734dcfdc57f1013d2236d2f2fcae47323

SHA512
ad1183adabecacabac38efb619435800b070e6120feed23469ffa537acb8c13e931143274fa0ae438fc2239cb0cda0f17b360d04b39b17b67407210b11389f84

Download Submit
\Users\Admin\AppData\Local\Temp\DEM982.exe

Filesize
15KB

MD5
7462577d22a4b00f65833f5ed717e7a7

SHA1
50e781f2a7dd0c7a0370f3db8428176fc6483e4e

SHA256
cad1abf0d1a47a1c3a1bf3973bea85ae3db95774f2e78cc90a98f3c47014c6c2

SHA512
5e664c855b2171e0cd35c52d4329999f726f0bed3372be901aaeab92b3c97b3d0dc2545dada82391b229019bf7d55596a7d6a07abbb3c4ec4458625b1a419518

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB2BC.exe

Filesize
15KB

MD5
8bf4c3519ffab904c213b500b19522e3

SHA1
57bfc8e709397509be99d0ed4d579faf1199070b

SHA256
2e394228da264eea1da434ba65ff401b1832695e9f2e65a1d8db7dc4d2be157b

SHA512
785ff95bbc1b99ca78efe852a5d03834e0d52e99512c326bc8b6371ceb6225509688b1614aec3deecbc5449eb5ce4e9ecf849999dd1f8c61bac9dd280fdf0810

Download Submit

Analysis

Sharing