2b3345178159dc3c7542ea9e146d5c747c4d6f6fd21239dfa65add0a16556e40

General

Target

e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe
Size

20KB
MD5

e198e87970a4a2616d9b000b9af2d6cc
SHA1

ff0c0c4974e4c5a81df02d42bd85e787b1f81d67
SHA256

2b3345178159dc3c7542ea9e146d5c747c4d6f6fd21239dfa65add0a16556e40
SHA512

120dee20c52314b6d6f2e6eaefb739aadefc711a0ef36de29a74eead1a49623efdfc8e7d1a4ee4495ea927693314ca13bce325bee38e5ff04478fb03690e2885
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4A:hDXWipuE+K3/SSHgxmHZA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2548	DEM5947.exe
2448	DEMB08A.exe
2804	DEM732.exe
2520	DEM5CFF.exe
2944	DEMB358.exe
2032	DEM8D7.exe

Loads dropped DLL 6 IoCs

pid	Process
548	e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe
2548	DEM5947.exe
2448	DEMB08A.exe
2804	DEM732.exe
2520	DEM5CFF.exe
2944	DEMB358.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2548	548	e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe	29
PID 548 wrote to memory of 2548	548	e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe	29
PID 548 wrote to memory of 2548	548	e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe	29
PID 548 wrote to memory of 2548	548	e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2448	2548	DEM5947.exe	33
PID 2548 wrote to memory of 2448	2548	DEM5947.exe	33
PID 2548 wrote to memory of 2448	2548	DEM5947.exe	33
PID 2548 wrote to memory of 2448	2548	DEM5947.exe	33
PID 2448 wrote to memory of 2804	2448	DEMB08A.exe	35
PID 2448 wrote to memory of 2804	2448	DEMB08A.exe	35
PID 2448 wrote to memory of 2804	2448	DEMB08A.exe	35
PID 2448 wrote to memory of 2804	2448	DEMB08A.exe	35
PID 2804 wrote to memory of 2520	2804	DEM732.exe	37
PID 2804 wrote to memory of 2520	2804	DEM732.exe	37
PID 2804 wrote to memory of 2520	2804	DEM732.exe	37
PID 2804 wrote to memory of 2520	2804	DEM732.exe	37
PID 2520 wrote to memory of 2944	2520	DEM5CFF.exe	39
PID 2520 wrote to memory of 2944	2520	DEM5CFF.exe	39
PID 2520 wrote to memory of 2944	2520	DEM5CFF.exe	39
PID 2520 wrote to memory of 2944	2520	DEM5CFF.exe	39
PID 2944 wrote to memory of 2032	2944	DEMB358.exe	41
PID 2944 wrote to memory of 2032	2944	DEMB358.exe	41
PID 2944 wrote to memory of 2032	2944	DEMB358.exe	41
PID 2944 wrote to memory of 2032	2944	DEMB358.exe	41

C:\Users\Admin\AppData\Local\Temp\e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\DEM5947.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5947.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\DEMB08A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB08A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\DEM732.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM732.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\DEM5CFF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5CFF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\DEMB358.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB358.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\DEM8D7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8D7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5CFF.exe

Filesize
20KB

MD5
af11ad00fea612f71b9495bdf5c4dba2

SHA1
987395e2d4b34baa166b996b55e0c18d0e68e29a

SHA256
fe801f20cf150574abcedd53bf0037f3d59c84f30fd3c1e8d408aa008511e32f

SHA512
e86ce34f80bd00e2751fb12f2072484f0001207ce2bb20c38301ce3226d8aff30e64c51355a2edaf744a05530b833a4ec01019cbd9ca49a5e373b936754318c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D7.exe

Filesize
20KB

MD5
0eca1e4566fca49da1c225df8137dcf6

SHA1
25486c05eab8dea81f9426d1e522dba5ed6d18df

SHA256
6b9235798d82531577c0ae5d49b21cb56b384b74bca92b0464fa18eca795cc34

SHA512
ebc73721c8ef45cce08fb1fd3bbb65a137926e01e4145afaad5addd52f1876b7be70004adf29d57ed8a14ee4d37ee83cc236dbe42ac90fc9e5379033dea7dced

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB08A.exe

Filesize
20KB

MD5
2c26cac947e57dc943f6cf308793a10e

SHA1
f03aff7eec956eccc2b91c720221b72da9714042

SHA256
509f98fd17bca99e97888ba9fa61bdc200ca890462f2458ca144dd0071461434

SHA512
ca67eb845aa49733ffb6b7fa026fc1126a4263b33ff514c61f75029567bec4a0bb6621a5a3fdf3b2a4a79d5e9917b42b51b0c066f56482211e70d1190ae1f9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB358.exe

Filesize
20KB

MD5
e64736ed07028e40a78199f8153db729

SHA1
8f2abc05a8148663b5f2966d436d5b24a7ebad96

SHA256
84290313d7831115aca1284be35cf0b2d247d9c2d19e4e7e3ce70a483cdca9f5

SHA512
4b5ea7020609697de56738bf2a2979cf5d34626afe7cb161975294342c86f437ee5b8678b29d6a7443c5cd2fc1593fa88ad80301863a2dc20b7f0abce08f4c50

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5947.exe

Filesize
20KB

MD5
88b5d54f1c4ce2f605716bb2413313af

SHA1
c5654042cda00b5e8cd1ff18539066532cd171af

SHA256
42903b4d6091ad05371d7388534f007f6db0d3764e83092762e0e46ca599da9f

SHA512
16dd1b8d49ed612739828dc9f5c04bac91d1dd768400f78aaa4607100ddcbc4b51e2806eca86faf506f0a7d35602b079e38ff93568df8de57248a28c588e5dc8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM732.exe

Filesize
20KB

MD5
ece49381c37a20035ceea7060d3e86c9

SHA1
dd60d8d89c310c7ac1fd25b4b8f4ec76c9ec45fe

SHA256
d8309b390c57740035034755c8469c16c90ea6b4cebdc4654f51126ea2486091

SHA512
fb5bb29ff246155b0a03dd9c3b5aedb9a9bd3cd4a0e9cd924d64b44771ff967ce77515e9c01e74c9d02ef97e3cb1b71fdb4267d7b7cbe21bca4661ec45fd7eec

Download Submit

Analysis

Sharing