612283312320ca4443ad95625af994b6d7c10819858c6d780ff2d4a297a025be

General

Target

e1be0508b280ff377d2cba2aa8959119_JaffaCakes118.exe
Size

14KB
MD5

e1be0508b280ff377d2cba2aa8959119
SHA1

d6a87f1472f2be0cf162a8e22be644a7fdfa6985
SHA256

612283312320ca4443ad95625af994b6d7c10819858c6d780ff2d4a297a025be
SHA512

7b2addeb0e5d16be4606d61f9a8d606472a47c18c2e0f88c0b9105f683a9c45fac074a5158b3a496cf10483993d5817dd7edd59ae31c68ee72d7f1738d154136
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh3:hDXWipuE+K3/SSHgxt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2016	DEM1A25.exe
2672	DEM6FC3.exe
2868	DEMC542.exe
804	DEM1AA2.exe
1512	DEM7040.exe
2064	DEMC5EE.exe

Loads dropped DLL 6 IoCs

pid	Process
3048	e1be0508b280ff377d2cba2aa8959119_JaffaCakes118.exe
2016	DEM1A25.exe
2672	DEM6FC3.exe
2868	DEMC542.exe
804	DEM1AA2.exe
1512	DEM7040.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2016	3048	e1be0508b280ff377d2cba2aa8959119_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2016	3048	e1be0508b280ff377d2cba2aa8959119_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2016	3048	e1be0508b280ff377d2cba2aa8959119_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2016	3048	e1be0508b280ff377d2cba2aa8959119_JaffaCakes118.exe	29
PID 2016 wrote to memory of 2672	2016	DEM1A25.exe	31
PID 2016 wrote to memory of 2672	2016	DEM1A25.exe	31
PID 2016 wrote to memory of 2672	2016	DEM1A25.exe	31
PID 2016 wrote to memory of 2672	2016	DEM1A25.exe	31
PID 2672 wrote to memory of 2868	2672	DEM6FC3.exe	35
PID 2672 wrote to memory of 2868	2672	DEM6FC3.exe	35
PID 2672 wrote to memory of 2868	2672	DEM6FC3.exe	35
PID 2672 wrote to memory of 2868	2672	DEM6FC3.exe	35
PID 2868 wrote to memory of 804	2868	DEMC542.exe	37
PID 2868 wrote to memory of 804	2868	DEMC542.exe	37
PID 2868 wrote to memory of 804	2868	DEMC542.exe	37
PID 2868 wrote to memory of 804	2868	DEMC542.exe	37
PID 804 wrote to memory of 1512	804	DEM1AA2.exe	39
PID 804 wrote to memory of 1512	804	DEM1AA2.exe	39
PID 804 wrote to memory of 1512	804	DEM1AA2.exe	39
PID 804 wrote to memory of 1512	804	DEM1AA2.exe	39
PID 1512 wrote to memory of 2064	1512	DEM7040.exe	41
PID 1512 wrote to memory of 2064	1512	DEM7040.exe	41
PID 1512 wrote to memory of 2064	1512	DEM7040.exe	41
PID 1512 wrote to memory of 2064	1512	DEM7040.exe	41

C:\Users\Admin\AppData\Local\Temp\e1be0508b280ff377d2cba2aa8959119_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1be0508b280ff377d2cba2aa8959119_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\DEM1A25.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1A25.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\DEM6FC3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6FC3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\DEMC542.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC542.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\DEM1AA2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1AA2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:804
      - C:\Users\Admin\AppData\Local\Temp\DEM7040.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7040.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\DEMC5EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC5EE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6FC3.exe

Filesize
14KB

MD5
9c00742732725b6cbffd1b1a43f21c39

SHA1
80a3d6e166f24839c97fb849cfdc88449d8b52d0

SHA256
2cabc8aa35198936260e8526815904debbe33ec95bc398c6ea240c333b18d2e2

SHA512
3db6aa9b342aa15385c60ebbd23136ef951fb153a6bf0878bd8d59fe33d834a6068de3efa0c81dae5e179f0f840269410c1efca729f0abc83ead064da1abc91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC542.exe

Filesize
14KB

MD5
3e2b6249f6b59a1165094fdfcf3c6200

SHA1
338ce2a82b2df3fe66c705db629a3b160bf77e4e

SHA256
46ea5460abe5184c21bac6775962f543283cd761a850a25092e6d6b468ca3cdb

SHA512
915481f8d485d05eab288f030a5d69eb747a9329e304027fd5cbb21ee33f3b88cd52c360ae526e399386254ca9bf2cdbb5a9289add154c1d9c7bc458ae7b9b5d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A25.exe

Filesize
14KB

MD5
e30dafc4d3eb40950a2e255c01b34d35

SHA1
d0f83d180734ca31a93bfd890d67bd0a62b31ed8

SHA256
c933b4366aebaec2522145ca131020e51896b2348d546f0fe920322138af492e

SHA512
32ecb13a6d9f6c2e2789ddd1ea4637baa6db43b7f7575ed7b5a75735cde2558d3b83e5cb827cd11853f50d8d089aebf7848599f2127deb95eff1498431e51f02

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1AA2.exe

Filesize
14KB

MD5
106a55593c50ebf56a305d2ac9885644

SHA1
cb13186de46bb12544e828fd0c115dfdf25f496d

SHA256
5aebbe0280361e40a69726779404b802b6523dd4ec535c9200651dceb010a13c

SHA512
191a5c2228782552a9866ad304a25bf6d5fc906ade6a246301b5de77c99ae3d7fe54940d82cb0df93dfed5a44b4ec6b7945517b05c833f346017fc549e20991e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7040.exe

Filesize
14KB

MD5
2d3f15efb87d95c2b3d094b762eebfc7

SHA1
a17fb99077b8e68f4fa6587eb42ca5b8c92716ec

SHA256
f439445fb28410c13f1fc59ecd838d043942e8b1a07c786ded9d868768bc73d9

SHA512
532dcc37cc47d6a94b8d9006a9969ad7afe0248c4a10d2832e7d2095b902366267390e437f00b75e8677c757f8f1cd662b5a8fb7689c5411b15e86b2deb46152

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC5EE.exe

Filesize
14KB

MD5
359b7505af13d3295ddd5e57bbf0e3f4

SHA1
2797ba8d8bbf27e48197994b2136a2bbe0a7f997

SHA256
c9aa1cae92c92a788030dcae8ac00f414446f586e989e27792e9d4a63b6a004a

SHA512
1b13af623045a5b9b63674ed4b0ec0cae9de775899ccd20580a45c527e9efcd25a7977c9c40af2f12a7c7a5fc64c4b9a18ad425dffdb6597ce7a4e0d904da51e

Download Submit

Analysis

Sharing