e81ab0feef80d542aa5836783ae52c8b4046512ce3416c6c9c9dcae20711725c

General

Target

e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe
Size

20KB
MD5

e137a9ce875a6a56260643975a9c1838
SHA1

c617d7226fb3d6b97f47508a1f256ce2589ce170
SHA256

e81ab0feef80d542aa5836783ae52c8b4046512ce3416c6c9c9dcae20711725c
SHA512

61b1a3c20493e456eefba64e4a7ebb1a10992e3bacce7b98ac619b27a60cba24908a2d74085fe141a09c1d5e5724ecb0385a11d71c3184c27d95225752930da8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4D:hDXWipuE+K3/SSHgxmHZD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2576	DEM19D7.exe
2840	DEM6FD3.exe
1164	DEMC561.exe
2800	DEM1AC1.exe
952	DEM6FF2.exe
1652	DEMC5BF.exe

Loads dropped DLL 6 IoCs

pid	Process
2924	e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe
2576	DEM19D7.exe
2840	DEM6FD3.exe
1164	DEMC561.exe
2800	DEM1AC1.exe
952	DEM6FF2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2576	2924	e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe	29
PID 2924 wrote to memory of 2576	2924	e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe	29
PID 2924 wrote to memory of 2576	2924	e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe	29
PID 2924 wrote to memory of 2576	2924	e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2840	2576	DEM19D7.exe	31
PID 2576 wrote to memory of 2840	2576	DEM19D7.exe	31
PID 2576 wrote to memory of 2840	2576	DEM19D7.exe	31
PID 2576 wrote to memory of 2840	2576	DEM19D7.exe	31
PID 2840 wrote to memory of 1164	2840	DEM6FD3.exe	35
PID 2840 wrote to memory of 1164	2840	DEM6FD3.exe	35
PID 2840 wrote to memory of 1164	2840	DEM6FD3.exe	35
PID 2840 wrote to memory of 1164	2840	DEM6FD3.exe	35
PID 1164 wrote to memory of 2800	1164	DEMC561.exe	37
PID 1164 wrote to memory of 2800	1164	DEMC561.exe	37
PID 1164 wrote to memory of 2800	1164	DEMC561.exe	37
PID 1164 wrote to memory of 2800	1164	DEMC561.exe	37
PID 2800 wrote to memory of 952	2800	DEM1AC1.exe	39
PID 2800 wrote to memory of 952	2800	DEM1AC1.exe	39
PID 2800 wrote to memory of 952	2800	DEM1AC1.exe	39
PID 2800 wrote to memory of 952	2800	DEM1AC1.exe	39
PID 952 wrote to memory of 1652	952	DEM6FF2.exe	41
PID 952 wrote to memory of 1652	952	DEM6FF2.exe	41
PID 952 wrote to memory of 1652	952	DEM6FF2.exe	41
PID 952 wrote to memory of 1652	952	DEM6FF2.exe	41

C:\Users\Admin\AppData\Local\Temp\e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\DEM19D7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM19D7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\DEM6FD3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6FD3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\DEMC561.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC561.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\DEM1AC1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1AC1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\DEM6FF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6FF2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\DEMC5BF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC5BF.exe"
        7⤵
        Executes dropped EXE
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6FD3.exe

Filesize
20KB

MD5
047d0353de6c3ee759fb61f7425b30f6

SHA1
4ac26170505f3aeb032f83809ca6a1355471d25f

SHA256
748750b6201200085fa95f84c698ba2c195bafd1eaf797baed611fceac047848

SHA512
9d10731621eb77a135ec8b6c05ae4d73399d56730680cef2dc13cdca3339d58e32c0f73a81f9280ea0fbb165c49cbaf546eec78acf3813e1c37cf372c9ebe5a6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM19D7.exe

Filesize
20KB

MD5
6158571cedfd797942172c63cf9b63cf

SHA1
abdbf88449d2cb801a13fcce37deec3837222785

SHA256
f07cef2973ab494fb2dacd6ace3976bc96679741de3ca9080b92ecdd9fe1cc43

SHA512
56a31ab1dd6c5f4396ad9564608ad2a03406ee1e11a3863ba13192c28c94e9c4b274996997e3af0b215b2be1c898358274a8a295c28b6c022654bb01c826a1c8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1AC1.exe

Filesize
20KB

MD5
812c4add07e6f1847b1785fcbd71baa9

SHA1
b4dbcf98492a8fc3bb35c3afb691828f6cc07c13

SHA256
3cd61ade96af31c749c8a0d32242f1235c526df895f119527c0e707df2214587

SHA512
9659df036ffd7430651d0542c9109b57f376d9a1a48463116e34c8291c0549fc214d705ee6fa31e687e40f95c353a2e9a064e3a5e6987202372ab61c86770738

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6FF2.exe

Filesize
20KB

MD5
a846ccf71fbebe58ca6665fe37fa0f8f

SHA1
c7a0047d86dbe7a74dbcc3519e7a68dcb6a443d8

SHA256
7a1c0e4ddf1d425b6b69f1b9459ff75e731924a3f3f0f039fa79089e3b932598

SHA512
3573b07696c767fde7a5ebb485ac959491a7f7ae109bbb2457f2ad6e74b53445b0b70fbd5df98803bbd88e4397f2c2bfe6c08711034bff6c81b7c90ce4e3c4a2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC561.exe

Filesize
20KB

MD5
d92f11dc49e2290a89fd2c357cfcf5ac

SHA1
8ee877f2dda7d258949c033b517563a430cdbcd5

SHA256
ce0df05fcf962279860b1e37177ac42f21eba42b2d1bf9255dbbf926d01b5af2

SHA512
8e7cf430c1f3992a479bf9914d94a75dcf3616d8c42a864975e8fb0721cf0e50433b33feeca567a2790b1123a4a696554821cf860de92cac1ba168efa75e8af3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC5BF.exe

Filesize
20KB

MD5
528bcd8b77ac538f3c85a84632b2f803

SHA1
e65832114c7dfd04648ffe9c647b5d06f52d9ece

SHA256
e2fe7959415b1c7a85e33c98ba38b124655cb14a815c5a82151e56256bd80ca7

SHA512
bdc11b0e38efda4a39376eca56578e2dc085fa2eb2532108cbdd8bd445e8537bef133cd32083a136984c9d75e6f51e788730263b817e14de4b299bbd107d291d

Download Submit

Analysis

Sharing