a8b5f70af7c99dd506c3b77a1c7495ef24d3c8e7946ce2aa1288bd6902e024c0

General

Target

e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe
Size

16KB
MD5

e84bd538bedd4c96b5e4de5ff94066bb
SHA1

18596dd0d77102c339cbd7e8a9df76420025f4fb
SHA256

a8b5f70af7c99dd506c3b77a1c7495ef24d3c8e7946ce2aa1288bd6902e024c0
SHA512

859d06d22cdc44a79c656a4c91aa87a68d0196d0c4ef32314a1a20adfe2d34ce80a3d64f4441f21f41eeaeaca68ba52d94cd083911da170febfa922187a17048
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzP:hDXWipuE+K3/SSHgxmHz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2980	DEM122A.exe
2748	DEM67A9.exe
1416	DEMBCCA.exe
912	DEM1287.exe
1572	DEM6845.exe
2036	DEMBDA4.exe

Loads dropped DLL 6 IoCs

pid	Process
2016	e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe
2980	DEM122A.exe
2748	DEM67A9.exe
1416	DEMBCCA.exe
912	DEM1287.exe
1572	DEM6845.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2980	2016	e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe	29
PID 2016 wrote to memory of 2980	2016	e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe	29
PID 2016 wrote to memory of 2980	2016	e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe	29
PID 2016 wrote to memory of 2980	2016	e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe	29
PID 2980 wrote to memory of 2748	2980	DEM122A.exe	31
PID 2980 wrote to memory of 2748	2980	DEM122A.exe	31
PID 2980 wrote to memory of 2748	2980	DEM122A.exe	31
PID 2980 wrote to memory of 2748	2980	DEM122A.exe	31
PID 2748 wrote to memory of 1416	2748	DEM67A9.exe	35
PID 2748 wrote to memory of 1416	2748	DEM67A9.exe	35
PID 2748 wrote to memory of 1416	2748	DEM67A9.exe	35
PID 2748 wrote to memory of 1416	2748	DEM67A9.exe	35
PID 1416 wrote to memory of 912	1416	DEMBCCA.exe	37
PID 1416 wrote to memory of 912	1416	DEMBCCA.exe	37
PID 1416 wrote to memory of 912	1416	DEMBCCA.exe	37
PID 1416 wrote to memory of 912	1416	DEMBCCA.exe	37
PID 912 wrote to memory of 1572	912	DEM1287.exe	39
PID 912 wrote to memory of 1572	912	DEM1287.exe	39
PID 912 wrote to memory of 1572	912	DEM1287.exe	39
PID 912 wrote to memory of 1572	912	DEM1287.exe	39
PID 1572 wrote to memory of 2036	1572	DEM6845.exe	41
PID 1572 wrote to memory of 2036	1572	DEM6845.exe	41
PID 1572 wrote to memory of 2036	1572	DEM6845.exe	41
PID 1572 wrote to memory of 2036	1572	DEM6845.exe	41

C:\Users\Admin\AppData\Local\Temp\e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\DEM122A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM122A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\DEM67A9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM67A9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\DEMBCCA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBCCA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Users\Admin\AppData\Local\Temp\DEM1287.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1287.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Users\Admin\AppData\Local\Temp\DEM6845.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6845.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\DEMBDA4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBDA4.exe"
        7⤵
        Executes dropped EXE
        
        PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1287.exe

Filesize
16KB

MD5
5a74a7e38c54368500a8ca34464dcf31

SHA1
6bfc2b14e020bed883498239cf06956d75f302bb

SHA256
186df316054030c19d2d3e5c00c91761bc05bff47eac043f3dea8385df52c988

SHA512
79b80f36a234dde4affc70c58b76695198b948a0d09d59dc74976b2959c37e84bf03c18c1958c4bf571c656a66411dc2c208d57d3a63430068e7174c0ee696ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM67A9.exe

Filesize
16KB

MD5
4a405c044ece42c0181e7c2c5a4dba83

SHA1
afb0418b7f5b5129f43042bd0e1b4a4855d384c2

SHA256
34102a9b16194ef673912e1769870e11b9b289dbbb2063f3f2db8f4c81cec89a

SHA512
1445c659a9e596935ca27a80e6d3ca45ae393939fe574071a72c0ab84a1f2a9cab83ee1b476a188f7e914985f749105ca2c3b951289a59f944f050b41b48e862

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBDA4.exe

Filesize
16KB

MD5
0499aedc2a04c8697208de061ac2d95a

SHA1
ee304f347540c3a61aea0ef17a846f2ebfb0ebfd

SHA256
bdaf7181acc4366bd703548a577f32d7a50e3bef6c50c0b73333da5b32dee31d

SHA512
a44006bab36d967189160b16b98639bc0e8f39b7c9e0074ae9c7a95c28d9ef5ef50fd91aa938705ea3f789d8c4954c9a565d9a62eb040587c7e2ff7bb06aca49

Download Submit
\Users\Admin\AppData\Local\Temp\DEM122A.exe

Filesize
16KB

MD5
a49ef4051b43e6947d8243d387f81946

SHA1
78c876080188691eae8e13042ed2335f8ed288c5

SHA256
3a9ae8f0a87e064f00cb41a2513fbffacdefccd7b5b739479f6b9041d2155b2b

SHA512
c64e517ba3273b9986eaeb40c5a72de07c02c5a5b518649ec2cdc430defc427788b213492553e079bf2bf28f8abdf25abd7c5a8312cf016736b1cdc3e672743a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6845.exe

Filesize
16KB

MD5
66494d1b3460fc9528c422fab6e80e5d

SHA1
cb8c90124a509d0724978d586aa28b6280c4e948

SHA256
2ebc41918ff03f93e96114859771c0c5f35fd654cd098132464cea181f423416

SHA512
0264dc8cb1123a5a90f479650dc7aa4c170a5625fb6df0ea1bae9b62d7c93042f7d738cb2ee250009ed48a12e01bbe8ff6869a19973d3a7f13e055d243a59321

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBCCA.exe

Filesize
16KB

MD5
c38753a98742e02dc65e9c80c02d2959

SHA1
4a77fba691044c6a4692942ebdc2c05130dd20ea

SHA256
f41015e7e8178428ef4f2b0a18d47e5b50e0defe79d7b0001264c3553c1b742e

SHA512
6ccfb83f6a8a7fcfa1a1de43704860cfaffe0b748e406d750bf63228d622d753f9d6a7439524f18f258933ee0e9e71f6c0a4efccdae8650a498513a0796d4347

Download Submit

Analysis

Sharing