7cd4d57e5eacfa1098fbea111e1a6aaafdaf7405179f03469475a999b3824568

General

Target

e1be675c36a8873311cccb5a18a975bb_JaffaCakes118.exe
Size

16KB
MD5

e1be675c36a8873311cccb5a18a975bb
SHA1

a9c9d9738001d072fd77ef5e295caf8c9fc2e19c
SHA256

7cd4d57e5eacfa1098fbea111e1a6aaafdaf7405179f03469475a999b3824568
SHA512

69f555405985b1a882ef6509d107cd6542133584d83bd9238a2e65cd703b19de97ca333337a5591a4d5743fb00d08ac7dcf3df7d93b73159cbc29db140dcddd7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhA3gkHS:hDXWipuE+K3/SSHgxhkHS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2928	DEM40A8.exe
2904	DEM9666.exe
2840	DEMEBC6.exe
2696	DEM4116.exe
1504	DEM96A4.exe
1256	DEMEC14.exe

Loads dropped DLL 6 IoCs

pid	Process
2368	e1be675c36a8873311cccb5a18a975bb_JaffaCakes118.exe
2928	DEM40A8.exe
2904	DEM9666.exe
2840	DEMEBC6.exe
2696	DEM4116.exe
1504	DEM96A4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2928	2368	e1be675c36a8873311cccb5a18a975bb_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2928	2368	e1be675c36a8873311cccb5a18a975bb_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2928	2368	e1be675c36a8873311cccb5a18a975bb_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2928	2368	e1be675c36a8873311cccb5a18a975bb_JaffaCakes118.exe	29
PID 2928 wrote to memory of 2904	2928	DEM40A8.exe	33
PID 2928 wrote to memory of 2904	2928	DEM40A8.exe	33
PID 2928 wrote to memory of 2904	2928	DEM40A8.exe	33
PID 2928 wrote to memory of 2904	2928	DEM40A8.exe	33
PID 2904 wrote to memory of 2840	2904	DEM9666.exe	35
PID 2904 wrote to memory of 2840	2904	DEM9666.exe	35
PID 2904 wrote to memory of 2840	2904	DEM9666.exe	35
PID 2904 wrote to memory of 2840	2904	DEM9666.exe	35
PID 2840 wrote to memory of 2696	2840	DEMEBC6.exe	37
PID 2840 wrote to memory of 2696	2840	DEMEBC6.exe	37
PID 2840 wrote to memory of 2696	2840	DEMEBC6.exe	37
PID 2840 wrote to memory of 2696	2840	DEMEBC6.exe	37
PID 2696 wrote to memory of 1504	2696	DEM4116.exe	39
PID 2696 wrote to memory of 1504	2696	DEM4116.exe	39
PID 2696 wrote to memory of 1504	2696	DEM4116.exe	39
PID 2696 wrote to memory of 1504	2696	DEM4116.exe	39
PID 1504 wrote to memory of 1256	1504	DEM96A4.exe	41
PID 1504 wrote to memory of 1256	1504	DEM96A4.exe	41
PID 1504 wrote to memory of 1256	1504	DEM96A4.exe	41
PID 1504 wrote to memory of 1256	1504	DEM96A4.exe	41

C:\Users\Admin\AppData\Local\Temp\e1be675c36a8873311cccb5a18a975bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1be675c36a8873311cccb5a18a975bb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\DEM40A8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM40A8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\DEM9666.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9666.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\DEMEBC6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEBC6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\DEM4116.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4116.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\DEM96A4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM96A4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\DEMEC14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEC14.exe"
        7⤵
        Executes dropped EXE
        
        PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM40A8.exe

Filesize
16KB

MD5
f24f20cb088d0bff9ca6f10b5bd2df76

SHA1
69f9961a8ac8b9abca88d2f19ac1b79425045cac

SHA256
7bc0ab45b47850939b77b72086bc7d5ccf872a60ae14029af576cbb4a0902ff8

SHA512
98c488db687f2e1a30afb0075bab8da673005939a50b4500edcff5ff3817a3654a1f215666f0c6b5ac46f6c3e4e4e2c40d0781b5d990217259a59ba2b0bac097

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9666.exe

Filesize
16KB

MD5
8e4c098455eb811e8d14d00df0ee7b28

SHA1
8774750b47220e376a3f47c665c14227d69bb730

SHA256
508ac00eae952122a62acc989a4a0030ebc8be62349a8f91e913f0623da285b7

SHA512
73d85bfcc49dab8ef65955d1b067e6411ae05c40716924d77b94b250aa6f97d8fc791c663f7340c6993cf420d19c36564c684a8de179de5e562a5e729f00e2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96A4.exe

Filesize
16KB

MD5
17c183b127f8f0826d5965dbbba9b50c

SHA1
aa30f6d3b34670b14e33b656c03d3b65c2a66f42

SHA256
6a7f232b2b9fd4cca034488f44b3b917196f1d26b67b171d34f925ef0b7601ab

SHA512
320001a9e49f9c04f7e0ee75e31200426725b13edaa4556fc374b90de5243f7a4179a16e21c42d8232790c669624b881528a7316e4bd3f3054376273897e4f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEBC6.exe

Filesize
16KB

MD5
c110804a35393dba64a78e4e0f0720a8

SHA1
d5996808b8009900cc3ee6ce77810b4ee96dddba

SHA256
0890b3e6b1d7297c18b77e502f68038aa60da1a03e50404a03abd9d12afde740

SHA512
1d0f41f864d70061c1ac7de189942a3b7c790931deab1ff74f60bdf96f16fe266cf6609f296e7b410985a0c9606f431bf279e8235945411f058e19ef6212cfb8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4116.exe

Filesize
16KB

MD5
e7de205f571e70e406b37a1e713fdd00

SHA1
04a8622043164a7a59aaf3718b6999847b53f7fd

SHA256
64b4ce0c943f2556d7b69b8d0867ba4544378590cd6f0fe88faef20d21d7610e

SHA512
f74fe520d552345a54441511a55d95a61c5dab5904b7fc391d9170832d84aed3399c24ce39bb5e87887397bd3f32f0bc8a21a02a66774430362fc3b68e9831ad

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEC14.exe

Filesize
16KB

MD5
8cd709f58ba2a37517a5c662e2207365

SHA1
20b4b1dacf12e1fa79f7d707060636a52b7ff067

SHA256
cd10df00f307323e4947a62a006174e684235cc67b5811b38d9194f981ae7283

SHA512
a1b0b51978fc8a8f2eb22eaac1efb77b3b86763a262e4727082b25d9aa4b9afeee13fab41c6840f6117762e4104ceb8632842a355e798f5a110194229c6b5f7a

Download Submit

Analysis

Sharing