ade850aee028fb296ae3327224cf7fe36c54c5ade9e0c341d4bb4bd49b7ddc3e

General

Target

e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe
Size

15KB
MD5

e154affc048bd0bbb3b15680d9e93201
SHA1

09613df556f4e1bd2dba542ea3643babe429fa04
SHA256

ade850aee028fb296ae3327224cf7fe36c54c5ade9e0c341d4bb4bd49b7ddc3e
SHA512

c11f324f797a9702eec4a2a290b09e2529d04ee84b6408f27bf800dd92d396d8f09fedf3d86bc429585e52f17696050994aab84291323246d455124df6b28071
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6V:hDXWipuE+K3/SSHgxmyh6V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2568	DEM1DCD.exe
2616	DEM733D.exe
2648	DEMC86D.exe
1376	DEM1DAE.exe
2652	DEM72CF.exe
3008	DEMC7F1.exe

Loads dropped DLL 6 IoCs

pid	Process
2856	e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe
2568	DEM1DCD.exe
2616	DEM733D.exe
2648	DEMC86D.exe
1376	DEM1DAE.exe
2652	DEM72CF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2568	2856	e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe	29
PID 2856 wrote to memory of 2568	2856	e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe	29
PID 2856 wrote to memory of 2568	2856	e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe	29
PID 2856 wrote to memory of 2568	2856	e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe	29
PID 2568 wrote to memory of 2616	2568	DEM1DCD.exe	31
PID 2568 wrote to memory of 2616	2568	DEM1DCD.exe	31
PID 2568 wrote to memory of 2616	2568	DEM1DCD.exe	31
PID 2568 wrote to memory of 2616	2568	DEM1DCD.exe	31
PID 2616 wrote to memory of 2648	2616	DEM733D.exe	35
PID 2616 wrote to memory of 2648	2616	DEM733D.exe	35
PID 2616 wrote to memory of 2648	2616	DEM733D.exe	35
PID 2616 wrote to memory of 2648	2616	DEM733D.exe	35
PID 2648 wrote to memory of 1376	2648	DEMC86D.exe	37
PID 2648 wrote to memory of 1376	2648	DEMC86D.exe	37
PID 2648 wrote to memory of 1376	2648	DEMC86D.exe	37
PID 2648 wrote to memory of 1376	2648	DEMC86D.exe	37
PID 1376 wrote to memory of 2652	1376	DEM1DAE.exe	39
PID 1376 wrote to memory of 2652	1376	DEM1DAE.exe	39
PID 1376 wrote to memory of 2652	1376	DEM1DAE.exe	39
PID 1376 wrote to memory of 2652	1376	DEM1DAE.exe	39
PID 2652 wrote to memory of 3008	2652	DEM72CF.exe	41
PID 2652 wrote to memory of 3008	2652	DEM72CF.exe	41
PID 2652 wrote to memory of 3008	2652	DEM72CF.exe	41
PID 2652 wrote to memory of 3008	2652	DEM72CF.exe	41

C:\Users\Admin\AppData\Local\Temp\e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\DEM1DCD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1DCD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\DEM733D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM733D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\DEMC86D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC86D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Users\Admin\AppData\Local\Temp\DEM1DAE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1DAE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Users\Admin\AppData\Local\Temp\DEM72CF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM72CF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\DEMC7F1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC7F1.exe"
        7⤵
        Executes dropped EXE
        
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1DAE.exe

Filesize
15KB

MD5
e1d66bb82cd6e1966e4dee735b860f43

SHA1
6a0dc421b5ff9fe8784215ce290d5c7fd2f5a7ef

SHA256
67b89353e1b089ffa0efc2c067f648c99d47145dfb26afc7d9be40416bf17e97

SHA512
446a3f4f13d8469a35385370f7046ca48a054f6f02f34fef9905ca088d55dc44914f058e632574dc499748402a806efe428eb30962b414bf6297b01eb95c4400

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM72CF.exe

Filesize
15KB

MD5
385e126a2543436a320b5fe895e88dfe

SHA1
6d418f50a610ac477a125c63e8dd73d820ac067b

SHA256
f50d5af63a503985243b8aa1bea708f0f857685f1fae7246363cc0ed803b201b

SHA512
cc98692004844f77d543a2126112fd2083acd915ccfcf622cda4ec9807ba1c2ef32d3dcb4741bd7913386ec2c4f37ae30b60a41c23c0b63c992d81dde14a6028

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM733D.exe

Filesize
15KB

MD5
08a9966a77a29bbaf2233775e648a5c0

SHA1
7c55e4362aa46ce393a7742498fd73b9fc340c6d

SHA256
21720f0c06e78ec60d6748bde022de9bdfe622fd9591e2274fb7781c08621e87

SHA512
c415094e53eae8504d4722ee8408c3d9eefcdba9517e029a9a8ab9bb48e7f17c6e6e8562745eae003e34ee1709acfaac74d601354438bba0d8b32d33231a125d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1DCD.exe

Filesize
15KB

MD5
7d278269b53a9a04338d96c7bc8d1162

SHA1
b9f9451a0a57082474d7ce5bbc65173676a19e3f

SHA256
7f0711018d71942a2a58e9f5974359b36fd7dff8b77f10a620d7990b54a26fa4

SHA512
c62e5df83ad028d8f869576616cc99be53306d74e14ad5dc2e6e9dd264b679344fbae78ba00e79e8ea3133203762806f9707a6fac1d98f1536aff58a6b1bede9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC7F1.exe

Filesize
15KB

MD5
65faf18962edc16dcc60b1fe9ff08b00

SHA1
c9077c8f8f83c7957265933c710ab52165e036d2

SHA256
f67a40b64b9bca33ca3de409a4f0beadec0ea8b53c12890ac4299a83b4deb894

SHA512
36d223dec652b3bc3af3a0db3863cb2758e5b13716b389fc9d1acfc5c3c6eab7283caeabbf2b915f1b7e0fad2ad6dbb424d160b5db8d5686507ac9d0906af00e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC86D.exe

Filesize
15KB

MD5
862950c7e44fccd0411767d1b72cbb07

SHA1
7fb3abf3b1b66e462263bc0f851647811dcd6d11

SHA256
1cae6e895b501e9e447e0e75546bde36e878f9dd4fa647c58c5d7a15666ad41f

SHA512
f8d26cda8f482c8de22689a96c88f78b4673f8150c5021c569487f4377b33eb0efd7f97db5e6709e56a54cfdaca2aff180167116d5ae9fe9e5e7eab943d7ff1a

Download Submit

Analysis

Sharing