067e2fa8d83c87959e8b99bbe246bd2867172faa2807b05d119e71e7d954d79b

General

Target

e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe
Size

14KB
MD5

e931a7648532915c19b2c953496fdbf7
SHA1

0f90cd101d31f8258338232e4a4183cf3c78c821
SHA256

067e2fa8d83c87959e8b99bbe246bd2867172faa2807b05d119e71e7d954d79b
SHA512

ed13d52acd14f3bae9e29b888cb46e0073110c0bbf7202fe6c26d4ea2ed26fbeb90a52878279e276ae87e9f58853aa708f5be480a436e665567b89667f6597d9
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHukP:hDXWipuE+K3/SSHgx3NHHnP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2628	DEM6577.exe
2232	DEMBC0F.exe
1556	DEM11FB.exe
1748	DEM6825.exe
2684	DEMBEBD.exe
320	DEM1545.exe

Loads dropped DLL 6 IoCs

pid	Process
2040	e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe
2628	DEM6577.exe
2232	DEMBC0F.exe
1556	DEM11FB.exe
1748	DEM6825.exe
2684	DEMBEBD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2628	2040	e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2628	2040	e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2628	2040	e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2628	2040	e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe	29
PID 2628 wrote to memory of 2232	2628	DEM6577.exe	33
PID 2628 wrote to memory of 2232	2628	DEM6577.exe	33
PID 2628 wrote to memory of 2232	2628	DEM6577.exe	33
PID 2628 wrote to memory of 2232	2628	DEM6577.exe	33
PID 2232 wrote to memory of 1556	2232	DEMBC0F.exe	35
PID 2232 wrote to memory of 1556	2232	DEMBC0F.exe	35
PID 2232 wrote to memory of 1556	2232	DEMBC0F.exe	35
PID 2232 wrote to memory of 1556	2232	DEMBC0F.exe	35
PID 1556 wrote to memory of 1748	1556	DEM11FB.exe	37
PID 1556 wrote to memory of 1748	1556	DEM11FB.exe	37
PID 1556 wrote to memory of 1748	1556	DEM11FB.exe	37
PID 1556 wrote to memory of 1748	1556	DEM11FB.exe	37
PID 1748 wrote to memory of 2684	1748	DEM6825.exe	39
PID 1748 wrote to memory of 2684	1748	DEM6825.exe	39
PID 1748 wrote to memory of 2684	1748	DEM6825.exe	39
PID 1748 wrote to memory of 2684	1748	DEM6825.exe	39
PID 2684 wrote to memory of 320	2684	DEMBEBD.exe	41
PID 2684 wrote to memory of 320	2684	DEMBEBD.exe	41
PID 2684 wrote to memory of 320	2684	DEMBEBD.exe	41
PID 2684 wrote to memory of 320	2684	DEMBEBD.exe	41

C:\Users\Admin\AppData\Local\Temp\e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\DEM6577.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6577.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\DEMBC0F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBC0F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\DEM11FB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM11FB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\DEM6825.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6825.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\DEMBEBD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBEBD.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\DEM1545.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1545.exe"
        7⤵
        Executes dropped EXE
        
        PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMBC0F.exe

Filesize
14KB

MD5
32a3f98b71de1dd96c12e48b936771b6

SHA1
7e0193b4cb360506c503d47ed5dc957f59968555

SHA256
39ce5bf894eac4a2d3f34e6aaf7a71e5b437345831fea98f48dac3ecebeaf9ac

SHA512
a860c8820d4729adab680f10e2ad9afd33a21c5cd58598944bb7d5c5c9f044423aed81606d7407aee2640d3623dbd2d834e8dd9b154ddb4f56834d2db5bf9db7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM11FB.exe

Filesize
14KB

MD5
db1aa1d59e99557cb51a397d00c33ee3

SHA1
ed52fa252a0f259f1d9d5a2e09660342ab412899

SHA256
e6cd6bedd61c0305c53074c8f2555ffd15ce53370c259860c515b342af5f8793

SHA512
b57031e70731c5eda964f72c8b0542b3869b6feed7aa873ed814bfc3da2ab533650869f3e99ba75225b725bce83da7546cb56760a473b5ea955a501f9a1fa45c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1545.exe

Filesize
14KB

MD5
3e69d854288ec3cc39958d64502639f1

SHA1
0eb4def5d86944172010008d32f98e3159b0fa75

SHA256
6120d90cd3fca41991d6df3f5fbb6b4891bc20e0482748a0ef88831098dd4bbd

SHA512
c0a47c059f83457fe6c3a46c3aab72a693e92700bc10a9a2343ed08e90999b2798e218fc74f74b847ce5a3cd1ef606b9cff1fac08980de4e1a0968308e7dc58f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6577.exe

Filesize
14KB

MD5
153c40286223501c127247cb509abd42

SHA1
865b6daad8bfe187c5ec8b5e3377cd1d4204d4b0

SHA256
dcd00d669e94f955df6ee60442c27593d0f133b17b398f16af1cad650128bf9e

SHA512
b0730d58a95809608ed2357a680b9c34137d40cc1bf35763482b0341976bf5e3b9f593d19d6757468e969eeaf57cc072a967aed519d505c6854f42c711e5663e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6825.exe

Filesize
14KB

MD5
cf946f8c64df5d41a816304fafac5fc4

SHA1
835d7f316e778820acd38b07615ab9280a5e9599

SHA256
ea738862fe1574782bdfc6109a22ddf96405cae075316a0879f65f1196a6f795

SHA512
8c3bdffe99296a381cbee3b5d2249699c325b4ae2c69844af4e7304fd33590129c85521979e0e9a2842fcd084d7d3e71d5d1224767563339c8c7f20ac7f3dfe8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBEBD.exe

Filesize
14KB

MD5
2a15c94d4107e406af78244a98d6e63c

SHA1
dcd2bdf42847e50287138becf077c9ab6bf1eaf9

SHA256
16ce39ef107d9f662a8347ecfd60023ead58250ce1fb3add39d3a36a329db297

SHA512
1e1e4d29b7d364b59311fca0d5e69bcdb9da3f3de9d6cfd602d7699f2184cb0c7b44fb5db820b292d7634b313670b5c2dae8683001a7076e6b91f3b09ba6aa28

Download Submit

Analysis

Sharing