c93d5e4c25a82b6054b2bcdf4a75e13b469e2daa1c2a89b67a1c626e3d5b778a

General

Target

e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe
Size

14KB
MD5

e7ab7dd100c12428964355f4328351ac
SHA1

6c25d81500c8a6660a5dd43dff8a12fee92d095b
SHA256

c93d5e4c25a82b6054b2bcdf4a75e13b469e2daa1c2a89b67a1c626e3d5b778a
SHA512

f95de35e76242146b860f385badf15c1b7b4871f7fb22355f1a7e3f8f7d1cd8f1b15d019099f8a7fe8f977c1217f731e0ce7971987e768238e8e49543961fbd2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh7Ic:hDXWipuE+K3/SSHgxz8c

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2636	DEM4DF1.exe
2488	DEMA4E7.exe
2904	DEMFB7E.exe
2740	DEM5283.exe
292	DEMA89E.exe
1824	DEMFF46.exe

Loads dropped DLL 6 IoCs

pid	Process
1460	e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe
2636	DEM4DF1.exe
2488	DEMA4E7.exe
2904	DEMFB7E.exe
2740	DEM5283.exe
292	DEMA89E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2636	1460	e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe	29
PID 1460 wrote to memory of 2636	1460	e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe	29
PID 1460 wrote to memory of 2636	1460	e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe	29
PID 1460 wrote to memory of 2636	1460	e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe	29
PID 2636 wrote to memory of 2488	2636	DEM4DF1.exe	33
PID 2636 wrote to memory of 2488	2636	DEM4DF1.exe	33
PID 2636 wrote to memory of 2488	2636	DEM4DF1.exe	33
PID 2636 wrote to memory of 2488	2636	DEM4DF1.exe	33
PID 2488 wrote to memory of 2904	2488	DEMA4E7.exe	35
PID 2488 wrote to memory of 2904	2488	DEMA4E7.exe	35
PID 2488 wrote to memory of 2904	2488	DEMA4E7.exe	35
PID 2488 wrote to memory of 2904	2488	DEMA4E7.exe	35
PID 2904 wrote to memory of 2740	2904	DEMFB7E.exe	37
PID 2904 wrote to memory of 2740	2904	DEMFB7E.exe	37
PID 2904 wrote to memory of 2740	2904	DEMFB7E.exe	37
PID 2904 wrote to memory of 2740	2904	DEMFB7E.exe	37
PID 2740 wrote to memory of 292	2740	DEM5283.exe	39
PID 2740 wrote to memory of 292	2740	DEM5283.exe	39
PID 2740 wrote to memory of 292	2740	DEM5283.exe	39
PID 2740 wrote to memory of 292	2740	DEM5283.exe	39
PID 292 wrote to memory of 1824	292	DEMA89E.exe	41
PID 292 wrote to memory of 1824	292	DEMA89E.exe	41
PID 292 wrote to memory of 1824	292	DEMA89E.exe	41
PID 292 wrote to memory of 1824	292	DEMA89E.exe	41

C:\Users\Admin\AppData\Local\Temp\e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\DEM4DF1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4DF1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\DEMA4E7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA4E7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\DEMFB7E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFB7E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\DEM5283.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5283.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\DEMA89E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA89E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\DEMFF46.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFF46.exe"
        7⤵
        Executes dropped EXE
        
        PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA4E7.exe

Filesize
14KB

MD5
ca5ebbdd7e06522b3c344bafd5f42587

SHA1
7e4cc26e120c9d5fc674126c7fb5704c519edc70

SHA256
d617911e8810585c41367938ea0e99f085efb304b09cc76ec5a0089ee1914767

SHA512
f448b32911d9fc5c8b1789cac4f6d9412b0c4ac52c04089a4a8fcbff7ed1a8bf2255dd54a156d7a61e194ce91317932b4bfc9798423768afd876882be484867d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4DF1.exe

Filesize
14KB

MD5
1271f22bbf7bde796c4869f60ca499a4

SHA1
360f4756b1c2e0e7e689e14c49522d7432fa2bfb

SHA256
274bfe206a0bb0fbaadf4fd23b570bc79219e8d51e74ecd53cbcecedf3386cbb

SHA512
3e62cada6c2b8f61241c73b67c1920033ee738d8ef2d45d82998d65b3326f0ad282746b0397e56541447739b2e2bb4d386792e18b06d189bf1b7b6dd8af469e3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5283.exe

Filesize
14KB

MD5
2880e8cb1a5f50d321ed37587b47d7ca

SHA1
b02e6ecaa37c16b1b5dab0c54a07d1f3cc09ad05

SHA256
497501c3dafc2813c2f0f4b83c55b0c4f51bf75f8bd62ecba7fce889d58373c7

SHA512
22aae4f80884c72030df7815c2eb263ba5bc0d560f031793baeec02a4c771099cd5e1333fd23bb63d05f2f3f1d974d03da8db808bd32eb429b7d3274428cdc62

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA89E.exe

Filesize
14KB

MD5
381c594c62d6bdaadf1fd72391b7411f

SHA1
1d47c216f358f268677258a71989b2666893ea5b

SHA256
a9d6d1b9752336118150289edbfe0fb1a13d90a77ff8dcfde03d634d7ac248bb

SHA512
d09ec9c26c33497188709e9f4b95d9b1e5d5e761855e5824de0227a9e2906405c927c4309387cdeedc0652e7cb0e9e6c873bbde6911802eb76149ae20a03fdea

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFB7E.exe

Filesize
14KB

MD5
bb5888cbf717f691b02a7777ac0a7785

SHA1
2a4f3a32a46a48579192f76bfd32b295de455127

SHA256
491655e6012c2b6a75cedf826141cd6c83b955cd271eec815bb967cafbbea76a

SHA512
a35bdcce973e306519dba1f1d2fef6a0325304818910fdf8b8ae9a20bd282dc23677e12da679720f5aab4e9c30afcd4d40cb938d61a28cd26266d2d5100a8d71

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFF46.exe

Filesize
14KB

MD5
9a9ca1b0b5fb817cd14783a6b28c586e

SHA1
e71fc52420e15e414da5c574146d2d17b5584e1d

SHA256
e6450797815a6aa0ecd0e4363618a2f1f1e12027f182d19fca43d6672a611941

SHA512
78045fbc9d94534fbf85a24230dd6040f79ad3511e52f92ee6bee43f69b307d7bf4bb3c07ad8770e433bc11d5464c8067cf3d98ab12a3d2a13111e1abad831c1

Download Submit

Analysis

Sharing