8262a3a276e560c1ae8a61b23b3141d2ba25d2b400f6788fed585303cf8508ec

General

Target

eab90748e530303b6e27a7fc2c72ac38_JaffaCakes118.exe
Size

14KB
MD5

eab90748e530303b6e27a7fc2c72ac38
SHA1

986dba8dacb655abdaab1bfd23846a7e758550d8
SHA256

8262a3a276e560c1ae8a61b23b3141d2ba25d2b400f6788fed585303cf8508ec
SHA512

1ce988d85b248fc16c79af9b983fa279435792ff51da24cd2b5ec0c09bcd67518d8517a07fa24a63bf550fad6456e219300aa764031d1f10c2c703c38bfa8b19
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5RWnx:hDXWipuE+K3/SSHgxkx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1920	DEM5CFE.exe
2424	DEMB3B5.exe
268	DEM9D0.exe
2236	DEM601A.exe
2444	DEMB77D.exe
2272	DEMD78.exe

Loads dropped DLL 6 IoCs

pid	Process
2252	eab90748e530303b6e27a7fc2c72ac38_JaffaCakes118.exe
1920	DEM5CFE.exe
2424	DEMB3B5.exe
268	DEM9D0.exe
2236	DEM601A.exe
2444	DEMB77D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1920	2252	eab90748e530303b6e27a7fc2c72ac38_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1920	2252	eab90748e530303b6e27a7fc2c72ac38_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1920	2252	eab90748e530303b6e27a7fc2c72ac38_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1920	2252	eab90748e530303b6e27a7fc2c72ac38_JaffaCakes118.exe	29
PID 1920 wrote to memory of 2424	1920	DEM5CFE.exe	33
PID 1920 wrote to memory of 2424	1920	DEM5CFE.exe	33
PID 1920 wrote to memory of 2424	1920	DEM5CFE.exe	33
PID 1920 wrote to memory of 2424	1920	DEM5CFE.exe	33
PID 2424 wrote to memory of 268	2424	DEMB3B5.exe	35
PID 2424 wrote to memory of 268	2424	DEMB3B5.exe	35
PID 2424 wrote to memory of 268	2424	DEMB3B5.exe	35
PID 2424 wrote to memory of 268	2424	DEMB3B5.exe	35
PID 268 wrote to memory of 2236	268	DEM9D0.exe	37
PID 268 wrote to memory of 2236	268	DEM9D0.exe	37
PID 268 wrote to memory of 2236	268	DEM9D0.exe	37
PID 268 wrote to memory of 2236	268	DEM9D0.exe	37
PID 2236 wrote to memory of 2444	2236	DEM601A.exe	39
PID 2236 wrote to memory of 2444	2236	DEM601A.exe	39
PID 2236 wrote to memory of 2444	2236	DEM601A.exe	39
PID 2236 wrote to memory of 2444	2236	DEM601A.exe	39
PID 2444 wrote to memory of 2272	2444	DEMB77D.exe	41
PID 2444 wrote to memory of 2272	2444	DEMB77D.exe	41
PID 2444 wrote to memory of 2272	2444	DEMB77D.exe	41
PID 2444 wrote to memory of 2272	2444	DEMB77D.exe	41

C:\Users\Admin\AppData\Local\Temp\eab90748e530303b6e27a7fc2c72ac38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eab90748e530303b6e27a7fc2c72ac38_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\DEM5CFE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5CFE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\DEMB3B5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB3B5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\DEM9D0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9D0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Users\Admin\AppData\Local\Temp\DEM601A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM601A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\DEMB77D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB77D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\DEMD78.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD78.exe"
        7⤵
        Executes dropped EXE
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB3B5.exe

Filesize
14KB

MD5
58eff9e29e17fe1d7a71a69066106520

SHA1
534cc02f0288e89b5b1cdb967b27d517981c78d0

SHA256
bb2208d78ca076e5fa671e0307d3433a1c54fe82f1748ea691f023e57d7cb11e

SHA512
809cf0106702fe8628fba237f159ee7116977e95fb52a2a89f3085b2fbd7b17c358bb5d77a12c8a6a902ebb3d3dcec1ecb615b61a2e83a4f508f5dac17658c6a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5CFE.exe

Filesize
14KB

MD5
1411b4694d54a3a0049bfbe47209a1ab

SHA1
b383eb7366221df4c8d916da63e9199774afd973

SHA256
f3138df5cddb585c59f51b9839d91510dc3ececc84d34b31fffc059b63a73955

SHA512
118d400dfd560d700173e7670d8b19490a19a721e329a687503a3509faae6de5b7629f963365d3be4b97b6a8304cd9de3c01c1cbb729e9b8ef4fca7c95cf0fcf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM601A.exe

Filesize
14KB

MD5
c54c612a4e55124c849dd2ee5399034c

SHA1
7e9d45b77924376aebdf2af0eb085ac90fa730ae

SHA256
129523753f90aaca18805740365b82626b835a9471041f6e42d31948e982bd5c

SHA512
ce9709372e086ae3eb781757118a63c4106241f7a12ff649c8e34d9296dd1419e5f8d05f4fbba63d6060256abb85a8bb0c7b9cd6c99f1498ae87cc3cca266528

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9D0.exe

Filesize
14KB

MD5
36dcf3829243392728c32d76b1ead75a

SHA1
099cffa52acdc788a8d1f16cb63ed5f60f75b97f

SHA256
13fc0e51937f027871f9ee2c1f19da79ded097ec576f1f873ece1a2c4296c10e

SHA512
82624e0d29afe90ca01fd55b835cd77a223fa8b25187c8538ac6198c36eff2df2411875fdd2a9d2b887c8a01732a7228f99d7e11083de1d8f324baaaa0effcbf

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB77D.exe

Filesize
14KB

MD5
818a88597d732931e54e3bfd4286f031

SHA1
6f781852d6d62feb5aaeae73badb0deb3b7115e9

SHA256
c352c93c33c7611813241bb13b584f88c39c9f5fe264690fd1ab1932d564b0b2

SHA512
c17bc888a53fe4a9d93a4c044e45d0381cb77cdf04ea48f6e6c74c5b67d858e1550ef00087917d0e37081554882164949323acd1957cc63a29d40a8db209171c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD78.exe

Filesize
14KB

MD5
b724ed6667b4fa1a8cf6941f9155d22d

SHA1
0e556e4dcbf65288d18d0867e293e0c6e9d5fe8a

SHA256
0dc6213a87daa0c4b84607357dce6a9ba8d74617bc2d89ef0eca3446bc34ba59

SHA512
c6a3a3c726b36e615795da6585dcf8e6cd1d72ecd4e437dc939a63a4d8ecd628668a55e7eff55207a1541c306feec4caee07de831d0b69b5243c08b2b56b28c8

Download Submit

Analysis

Sharing