72eac0d6d48506be0293e3026aa516d2fa8fd3367f3b4bcd3913b8a3ec0d18e5

General

Target

eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe
Size

15KB
MD5

eac85c7c0dc2a3e70d5ed5dc8a1fac7e
SHA1

56db2059e6858102e474023571beb922179d7e0b
SHA256

72eac0d6d48506be0293e3026aa516d2fa8fd3367f3b4bcd3913b8a3ec0d18e5
SHA512

9e5226e1833ff2ebc012aa0ce61f4e4769cf2b53d96f18fcdb54221d86b1a7adf1c3878de89a928032a183b71f8d55da0756a47ad5b0e2f735d61ecc3ef01cfc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvAzx:hDXWipuE+K3/SSHgxm4l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2684	DEM25B9.exe
2604	DEM7B77.exe
2756	DEMD0D6.exe
552	DEM2694.exe
2784	DEM7BE4.exe
1372	DEMD124.exe

Loads dropped DLL 6 IoCs

pid	Process
1376	eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe
2684	DEM25B9.exe
2604	DEM7B77.exe
2756	DEMD0D6.exe
552	DEM2694.exe
2784	DEM7BE4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2684	1376	eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe	29
PID 1376 wrote to memory of 2684	1376	eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe	29
PID 1376 wrote to memory of 2684	1376	eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe	29
PID 1376 wrote to memory of 2684	1376	eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe	29
PID 2684 wrote to memory of 2604	2684	DEM25B9.exe	33
PID 2684 wrote to memory of 2604	2684	DEM25B9.exe	33
PID 2684 wrote to memory of 2604	2684	DEM25B9.exe	33
PID 2684 wrote to memory of 2604	2684	DEM25B9.exe	33
PID 2604 wrote to memory of 2756	2604	DEM7B77.exe	35
PID 2604 wrote to memory of 2756	2604	DEM7B77.exe	35
PID 2604 wrote to memory of 2756	2604	DEM7B77.exe	35
PID 2604 wrote to memory of 2756	2604	DEM7B77.exe	35
PID 2756 wrote to memory of 552	2756	DEMD0D6.exe	37
PID 2756 wrote to memory of 552	2756	DEMD0D6.exe	37
PID 2756 wrote to memory of 552	2756	DEMD0D6.exe	37
PID 2756 wrote to memory of 552	2756	DEMD0D6.exe	37
PID 552 wrote to memory of 2784	552	DEM2694.exe	39
PID 552 wrote to memory of 2784	552	DEM2694.exe	39
PID 552 wrote to memory of 2784	552	DEM2694.exe	39
PID 552 wrote to memory of 2784	552	DEM2694.exe	39
PID 2784 wrote to memory of 1372	2784	DEM7BE4.exe	41
PID 2784 wrote to memory of 1372	2784	DEM7BE4.exe	41
PID 2784 wrote to memory of 1372	2784	DEM7BE4.exe	41
PID 2784 wrote to memory of 1372	2784	DEM7BE4.exe	41

C:\Users\Admin\AppData\Local\Temp\eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\DEM25B9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM25B9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\DEM7B77.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7B77.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\DEMD0D6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD0D6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\DEM2694.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2694.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Users\Admin\AppData\Local\Temp\DEM7BE4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7BE4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\DEMD124.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD124.exe"
        7⤵
        Executes dropped EXE
        
        PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7B77.exe

Filesize
15KB

MD5
bcb414503ac6146b5d9042c2abc2b9bc

SHA1
62c6bc2a764298db536ce5512621b6c47dddb77e

SHA256
ac26955f30f2c669bb72aeb9012d3e1e1493334f0fce256468bf1a22a0cf0430

SHA512
95d9963e25e1da2e3e6eb150bd183e21b299c74993a667f55e3922085155e556bc84c76d42434483960e3c61fa6d1dfb5ffd37a19ccdc5668cea77f62241a403

Download Submit
\Users\Admin\AppData\Local\Temp\DEM25B9.exe

Filesize
15KB

MD5
7e1529cfffd37265694c12110ce4dea8

SHA1
a77ac1c0b7b50533a699396c68755612ccd4498c

SHA256
0800b35ce88d035d22ae4a181cf847291550e7316345239a97d523c4b23a6a69

SHA512
875fa39256fccd3c260da354421d0ca8f43a67a0e89bc05cf4c6322d49f67e671cd60ad0b9086252b12d74723b5798dae4a7ff164608e894c6ca941634e1c1a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2694.exe

Filesize
15KB

MD5
68117ab720bf95e30dfdb676398357a8

SHA1
857a50bd4608859710ef5ad40d7dbe9863c7d13b

SHA256
c283214ed68ee6cd76ce255153767b866298e7d1f28f02acdf867a581ec9422d

SHA512
ca3f4a950349f072929d4a5a5836a5d99a968db1e2bbbada6c028819b77f019388233ea9d4d94d4e6e88e8d4baebda8d23cf4204526cdba7c9d701048eca4f31

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7BE4.exe

Filesize
15KB

MD5
7d202a32cc8b8d67d830f7d1ae87f505

SHA1
9d508fc783424568ddf2c794be7e1b15211a29c5

SHA256
0af2bd457f6a3eed3fb21e104cc11a57c34672a275a5cc6a6c28d1e8d04679cb

SHA512
1f9b49c02bbb8aba19d81250297124cbfcbffccb414f1971241410bee65b1cf1b411ed35141403428c2a8786c31b2563683c0b7a2683973750c99621c47cb0cd

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD0D6.exe

Filesize
15KB

MD5
38b8395ed63804601ac0eeac3518906e

SHA1
beba1f937e7c29fd154060ecaf9fdfecdccf66a7

SHA256
0c4c94c502c316d55c4eb778ac0fd02e52321a469909c92ef4153e12fc8708ad

SHA512
3c5066e0a471a31febc7963b01851717c0bbf442101d5ad438bd58deecd1e404813c0456b7532ced5f8efb3c256d55aaaa2d74845f47cb2733b7dbf13f05c439

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD124.exe

Filesize
15KB

MD5
e5869e6c7896f81dca00b1108eb4ae4a

SHA1
e73af9a265ed7ff7e46c89b6f05d57bc60de837f

SHA256
c3c739679ad5146cbb37011c7c6225b6acf30689633da2cccd5a490f714bc578

SHA512
a803baa0b20f527b2a720347579d85e6bd37e6618f185d040dcfe14facfc7125671b3fe1affc8738a879b58ce8b8c50efdc063787f7dc1c3ec611354e4ecea67

Download Submit

Analysis

Sharing