eae7d51154ab442a59dfe4fd65bbdcadbebed9daeb2ae60f34bd105aea5e8bf4

General

Target

ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe
Size

14KB
MD5

ea4023b76c3c97c7417069f20fcce905
SHA1

2f1a3164ba37e77c2bc64f4e4b5eecd428b0cdbb
SHA256

eae7d51154ab442a59dfe4fd65bbdcadbebed9daeb2ae60f34bd105aea5e8bf4
SHA512

c26c01c9c58bed30b24787518f51941e6c8e34d390e7f87cc511347c2a9ada7aa86705e62c7c4570e402ef2dcee7bf4134d246137a7e768102569fa7f8036559
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYEH:hDXWipuE+K3/SSHgxmc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2564	DEM8B4F.exe
2444	DEME1C7.exe
824	DEM37C3.exe
2856	DEM8E5B.exe
1048	DEME408.exe
1680	DEM3978.exe

Loads dropped DLL 6 IoCs

pid	Process
856	ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe
2564	DEM8B4F.exe
2444	DEME1C7.exe
824	DEM37C3.exe
2856	DEM8E5B.exe
1048	DEME408.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2564	856	ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe	29
PID 856 wrote to memory of 2564	856	ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe	29
PID 856 wrote to memory of 2564	856	ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe	29
PID 856 wrote to memory of 2564	856	ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2444	2564	DEM8B4F.exe	33
PID 2564 wrote to memory of 2444	2564	DEM8B4F.exe	33
PID 2564 wrote to memory of 2444	2564	DEM8B4F.exe	33
PID 2564 wrote to memory of 2444	2564	DEM8B4F.exe	33
PID 2444 wrote to memory of 824	2444	DEME1C7.exe	35
PID 2444 wrote to memory of 824	2444	DEME1C7.exe	35
PID 2444 wrote to memory of 824	2444	DEME1C7.exe	35
PID 2444 wrote to memory of 824	2444	DEME1C7.exe	35
PID 824 wrote to memory of 2856	824	DEM37C3.exe	37
PID 824 wrote to memory of 2856	824	DEM37C3.exe	37
PID 824 wrote to memory of 2856	824	DEM37C3.exe	37
PID 824 wrote to memory of 2856	824	DEM37C3.exe	37
PID 2856 wrote to memory of 1048	2856	DEM8E5B.exe	39
PID 2856 wrote to memory of 1048	2856	DEM8E5B.exe	39
PID 2856 wrote to memory of 1048	2856	DEM8E5B.exe	39
PID 2856 wrote to memory of 1048	2856	DEM8E5B.exe	39
PID 1048 wrote to memory of 1680	1048	DEME408.exe	41
PID 1048 wrote to memory of 1680	1048	DEME408.exe	41
PID 1048 wrote to memory of 1680	1048	DEME408.exe	41
PID 1048 wrote to memory of 1680	1048	DEME408.exe	41

C:\Users\Admin\AppData\Local\Temp\ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\DEM8B4F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8B4F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\DEME1C7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME1C7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\DEM37C3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM37C3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E5B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E5B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\DEME408.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME408.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\DEM3978.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3978.exe"
        7⤵
        Executes dropped EXE
        
        PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM37C3.exe

Filesize
14KB

MD5
fa15a866f121e8dda92122854e14ba93

SHA1
13b9b55cfa57883d5e821b80d017bded33a6e99c

SHA256
4169957d3587872646f5c99d4ee98fbee239ff5ef35109873cfffe2374b5cc2e

SHA512
157389d4ec1a4f0ab18312009b76571d3a71fc8d7ba8b868ec2d87f11e710c20f4dfe12b34d2da3bc7a95969f0c7c5b6a0f42fea7b1b42252c725270759926b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B4F.exe

Filesize
14KB

MD5
fe920db7bf5c17cbf0ca46389596ebac

SHA1
4c837e4a4cfc2058a96ba3c0fcfa64250c316f40

SHA256
a094877fc1a4db68e3548d7310ef0990bb650d7dada5d62c50f5413034006727

SHA512
e8772c4c4c2dfcf2c4555a2d120dd99c725c07b21bb779ff9d3240567c160a609415e1c8ebd49fa0557fbf8b6697cb07d235099b0c2c335a83c29c84846c9eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME1C7.exe

Filesize
14KB

MD5
f3fc34ad764b512f135d41f0f005b06c

SHA1
947a99f9c5323de28f20c8da2b00742118606fc3

SHA256
f61c5ef73c05546d44e1c76d9e0666d9dc4336b0627f5c380884782d3dca70fe

SHA512
76aa0a8fc6b45c373f59df1d5cc6151eb5a21863487497174cc1d2c0f4f10507dc77bb657d0e54ec1b251b1d518b35843d51b4aa99ba2214c461d8fc83b763e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME408.exe

Filesize
14KB

MD5
9d8423361792ba28b32a79f5af57fc02

SHA1
a082b814fe5bbc86be1597b6583ac6afe8677975

SHA256
1f950953b5c874054eb87c9a660dcead1c03ff0434630a840bd6f446e04959ea

SHA512
5dbb9cd30bd95e70d3ba38eb155e675d4bdb023c3aabf2340f2931172ee77579c0ef300971d7fba82542dddce60ea502c27de3a5bc7051d8e59ae2223251ba8a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3978.exe

Filesize
14KB

MD5
2a76f5ea14be42dacbdb08b6da03ca9d

SHA1
9e3bb94c89bbc950450997756033ee5f33f8dc4e

SHA256
1311201e8ae5d105c02899fd4672a845ad4880bf2f684f9d3ef433ba493d643b

SHA512
8b78dbaca9f4ba008349c595abb163c57ebe58fac26c6db7281bd12d2c0707a0a414a18853e9056dd5b20967744674899ab85bc85ecfb9101a9dc39af06f6c55

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E5B.exe

Filesize
14KB

MD5
d3bda2601ceed3dd9ef186e2925471e9

SHA1
1b811aa8c48d7e4f8134edd75ecf298333b741ec

SHA256
dd1f2c1213f69f62ec2677d2a2fc1e68b78d3c770cc18c6b0b675ef12b355074

SHA512
8fb2ade9fdd14b0ffea8b05b01b01c7755b5476ad0d3b4be2951f0e23e60433cd706e50458ece21f8de8c5417e52993ba44e3dfeef84f3ee166eb9a5d0a8f841

Download Submit

Analysis

Sharing