0faeae1e8caa3851feca99e3664e05a878d9916f44e3dd35489c809764b0f6e1

General

Target

ebbdb63520bc1c04ce0f86da4be7f16e_JaffaCakes118.exe
Size

20KB
MD5

ebbdb63520bc1c04ce0f86da4be7f16e
SHA1

a4f7eedd42f3870f893b5ee4121714dedf51ad62
SHA256

0faeae1e8caa3851feca99e3664e05a878d9916f44e3dd35489c809764b0f6e1
SHA512

5f6785500b53c1c5790a001a179540345ac253b51735ce606a51f9153f59b4b005d99c8ecffd86f1d33ef964f268a698e4fb9882a7c5e25afb46443ab5c010ae
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41t:hDXWipuE+K3/SSHgxmHZ1t

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2400	DEM7FC.exe
2800	DEM5D5C.exe
2004	DEMB2AC.exe
1992	DEM7ED.exe
2544	DEM5D2D.exe
1968	DEMB22F.exe

Loads dropped DLL 6 IoCs

pid	Process
2868	ebbdb63520bc1c04ce0f86da4be7f16e_JaffaCakes118.exe
2400	DEM7FC.exe
2800	DEM5D5C.exe
2004	DEMB2AC.exe
1992	DEM7ED.exe
2544	DEM5D2D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2400	2868	ebbdb63520bc1c04ce0f86da4be7f16e_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2400	2868	ebbdb63520bc1c04ce0f86da4be7f16e_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2400	2868	ebbdb63520bc1c04ce0f86da4be7f16e_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2400	2868	ebbdb63520bc1c04ce0f86da4be7f16e_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2800	2400	DEM7FC.exe	31
PID 2400 wrote to memory of 2800	2400	DEM7FC.exe	31
PID 2400 wrote to memory of 2800	2400	DEM7FC.exe	31
PID 2400 wrote to memory of 2800	2400	DEM7FC.exe	31
PID 2800 wrote to memory of 2004	2800	DEM5D5C.exe	35
PID 2800 wrote to memory of 2004	2800	DEM5D5C.exe	35
PID 2800 wrote to memory of 2004	2800	DEM5D5C.exe	35
PID 2800 wrote to memory of 2004	2800	DEM5D5C.exe	35
PID 2004 wrote to memory of 1992	2004	DEMB2AC.exe	37
PID 2004 wrote to memory of 1992	2004	DEMB2AC.exe	37
PID 2004 wrote to memory of 1992	2004	DEMB2AC.exe	37
PID 2004 wrote to memory of 1992	2004	DEMB2AC.exe	37
PID 1992 wrote to memory of 2544	1992	DEM7ED.exe	39
PID 1992 wrote to memory of 2544	1992	DEM7ED.exe	39
PID 1992 wrote to memory of 2544	1992	DEM7ED.exe	39
PID 1992 wrote to memory of 2544	1992	DEM7ED.exe	39
PID 2544 wrote to memory of 1968	2544	DEM5D2D.exe	41
PID 2544 wrote to memory of 1968	2544	DEM5D2D.exe	41
PID 2544 wrote to memory of 1968	2544	DEM5D2D.exe	41
PID 2544 wrote to memory of 1968	2544	DEM5D2D.exe	41

C:\Users\Admin\AppData\Local\Temp\ebbdb63520bc1c04ce0f86da4be7f16e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebbdb63520bc1c04ce0f86da4be7f16e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\DEM7FC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7FC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\DEM5D5C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5D5C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\DEMB2AC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB2AC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\DEM7ED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7ED.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Users\Admin\AppData\Local\Temp\DEM5D2D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5D2D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\DEMB22F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB22F.exe"
        7⤵
        Executes dropped EXE
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5D2D.exe

Filesize
20KB

MD5
0c2c6e02a27f901d1b2a5b5cd2a2bdb1

SHA1
36869e8ae44c60642182a6bb67a1162d8b6cb5de

SHA256
96b451c38aadd7bfcf7152445a66c0ffd78435acdabda4b559a8fe26a5064f61

SHA512
885fa647628c847caaede7b9fb23fccd664ce8c1ba04c552edfeb4bec07ba4b7595687b3f99c63813dd0e83f2549f2e2df8a5b1b9a0f4fa4af1a13d4f0021e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5D5C.exe

Filesize
20KB

MD5
ee807307ec3c5b79ef9790474f29cc9b

SHA1
d412544eff7a6fe597002dba1740dc098d942538

SHA256
f349fc3880c1866782a6a87e6ddf1cb38d0b6d4035d51e0b4469d3ea0d2ba2df

SHA512
db1c4b613ca326465f88517e40cea236fb2131144ceb0033204165ed857421f7acd082f5af5dbdcd17ac47439db66f89aea239e630a845dc0aacd7c88897d925

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7ED.exe

Filesize
20KB

MD5
b42d200e2afef782a5deac0dd7e8d910

SHA1
ef45044a1e96c0e383400bcd8e912d1bfce60ea4

SHA256
d67788f7771e73fdaf985e31d20c81b3aff41185e273b77d33dd4c4c1f43d5b6

SHA512
5c6f796fd91fceb0dd6c332646577aee2bbb8e68c1ad57916b47ed192a1968673adeb0705da4aebb1b8dbd4c1f5ae417e4a8d098fff993bb5cc9fade9c5a398f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7FC.exe

Filesize
20KB

MD5
5efb598475c060c2fd9624aadf032765

SHA1
797826bf1c25d523485b58d068f691dd548a9e77

SHA256
2dd3c48b80bff394783f02d4cb3f5bdd3bb0b95351984bb9b8f68dde9f49643e

SHA512
89702a95f767143978b1992f50124a81719401828ae4a29ea7b6ad311fc540bc7f1261b2fca1ae1253ccbd179510994e4bedad89b1df7266705fb3abe887509e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB22F.exe

Filesize
20KB

MD5
8f5ee0555cd762e31949526aa402f5fe

SHA1
cc92fef712646e567a769d6941f99a3a2cd3038f

SHA256
fe5671587d730a4ac590665d9fc3a667828ffc2182a1ad2faf9f174ef5ca8e33

SHA512
90f845c98d398f22e0ca52aa7b27dcb82bbcd53441014c4be7451154638b438056e10165005f19060c8371bbdd025f8ad7f9fc5210e7e246e0a27d6d75f37828

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB2AC.exe

Filesize
20KB

MD5
ae3fc7d1fce460bb5677b938f301a408

SHA1
263e8518fb0f78046d2d150fc9c224690808a1c0

SHA256
3ed819346e79c3b2faa6a64bfb7825749673bce61d0fa8f9d5aaa29f171f5ab5

SHA512
de7d02a3502bd0eeced7e69ea6ef8117542449f8193d31cffdee23bb11014a271ac6e595926c7739f976fd404cecea1634e349611ea7b8e67534403e04c85668

Download Submit

Analysis

Sharing