ffa6ff884b941d0431103892fa4d2804e23f960bed61f726379dfcfc31151016

General

Target

ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe
Size

16KB
MD5

ec918e26cd1bb819a5481ce78b933f7d
SHA1

4510818d87d1c8b9c4879b8c932fa55f19b9560e
SHA256

ffa6ff884b941d0431103892fa4d2804e23f960bed61f726379dfcfc31151016
SHA512

f1bc08ac6cade686351253ee255d391e3a7b75e744e74834ecc4b599cb3536d50d6f253a334476af5e4ebf26600abe322b4be5dbd3da1edcfd78467d42814565
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYze:hDXWipuE+K3/SSHgxmze

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2128	DEM8804.exe
2032	DEMDE6D.exe
2252	DEM3498.exe
692	DEM8BCB.exe
1588	DEME206.exe
2272	DEM37A4.exe

Loads dropped DLL 6 IoCs

pid	Process
2612	ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe
2128	DEM8804.exe
2032	DEMDE6D.exe
2252	DEM3498.exe
692	DEM8BCB.exe
1588	DEME206.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2128	2612	ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2128	2612	ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2128	2612	ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2128	2612	ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2032	2128	DEM8804.exe	32
PID 2128 wrote to memory of 2032	2128	DEM8804.exe	32
PID 2128 wrote to memory of 2032	2128	DEM8804.exe	32
PID 2128 wrote to memory of 2032	2128	DEM8804.exe	32
PID 2032 wrote to memory of 2252	2032	DEMDE6D.exe	34
PID 2032 wrote to memory of 2252	2032	DEMDE6D.exe	34
PID 2032 wrote to memory of 2252	2032	DEMDE6D.exe	34
PID 2032 wrote to memory of 2252	2032	DEMDE6D.exe	34
PID 2252 wrote to memory of 692	2252	DEM3498.exe	36
PID 2252 wrote to memory of 692	2252	DEM3498.exe	36
PID 2252 wrote to memory of 692	2252	DEM3498.exe	36
PID 2252 wrote to memory of 692	2252	DEM3498.exe	36
PID 692 wrote to memory of 1588	692	DEM8BCB.exe	38
PID 692 wrote to memory of 1588	692	DEM8BCB.exe	38
PID 692 wrote to memory of 1588	692	DEM8BCB.exe	38
PID 692 wrote to memory of 1588	692	DEM8BCB.exe	38
PID 1588 wrote to memory of 2272	1588	DEME206.exe	40
PID 1588 wrote to memory of 2272	1588	DEME206.exe	40
PID 1588 wrote to memory of 2272	1588	DEME206.exe	40
PID 1588 wrote to memory of 2272	1588	DEME206.exe	40

C:\Users\Admin\AppData\Local\Temp\ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\DEM8804.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8804.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\DEM3498.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3498.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\DEM8BCB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8BCB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:692
      - C:\Users\Admin\AppData\Local\Temp\DEME206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME206.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\DEM37A4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM37A4.exe"
        7⤵
        Executes dropped EXE
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe

Filesize
16KB

MD5
ee502a67428a667158d29de24afffa3c

SHA1
98c4497a14e0ccace0156141d715ca7f6f362fc4

SHA256
7049054eaba763a93937782afa53a8436a08c3e8b349a9eced588ba420aee48a

SHA512
80fe860d36f160532e6a3ce3e97d823f14f1e43032ffddab62f98ed72785f65b7586cf601189a251f3f5f04a3f4272b49c87ad0fe01c822f3c7e30842df272d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME206.exe

Filesize
16KB

MD5
0ce60bb7aede283bee1c73533e25fe64

SHA1
c754f9756a14b17cc7998a5d3f46be8e05093a47

SHA256
43b0407673c1d664079b8c8e24b2eeaa8613af4be9d5adb37d9ee3e242abb9a7

SHA512
d88cfe362e91c79b84ef032b4db34022540504cc818d8e783533a6bdf35b705e8f47aa25ecca803925dc46d33c5c4c0e9aa9cfdc2b19be38ee243ade9c498327

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3498.exe

Filesize
16KB

MD5
a5ec50747b9a414d37ffd6b7228b39b1

SHA1
ea59ac9ea27d65d8fa562151009a8241d05e1e3b

SHA256
2a07bf9b4887ab93eada5b8313e18cccfc9533d47b98d41287e109f2b0eafdec

SHA512
1fe351cefef54bfc80e686d1ece867aee534c552475ed8814ba0835b3b84a5a08fd3458e2426dc2df8070d6273454bcb6e788e87e9d54f61374c23fb7da9c671

Download Submit
\Users\Admin\AppData\Local\Temp\DEM37A4.exe

Filesize
16KB

MD5
cacf74ebc707ddd12a5059cede2d47a6

SHA1
1b10ef4f72589df337a58699b3372df18b2b276b

SHA256
e65714f7cbab5ebbaccadac8c94e70c35c4a4f719d61757c288c18d7c04c0b4e

SHA512
b535c4362c3961519498492e3f43f525ddf3a18b262bbdce47ef9a05a2469f3aa2034ed9f27a3c017919ec125afc83ac86374417ecb17d39f47728c4314df93b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8804.exe

Filesize
16KB

MD5
dfea68b08b163cf8908864b1ff29fc80

SHA1
3c2dc6537cd3f5fa63b50d9dad25d9ef3ee87d0d

SHA256
79e0b7df128b72f5894acc5f808b9a3dfac1f885d9ec85799fb3d7c3ea4753d5

SHA512
9b771d3c73d14923b20ce10b9576b318b7516e096003504fe0b8a70205118cf8e02ed63d518290831db18180924314c579586f42a11b2ffd0a24964290af3d17

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8BCB.exe

Filesize
16KB

MD5
c295a9801345d342c44419b5afc8fd29

SHA1
54dbe2d103caafc362dbbc5c5f9c2318a959e10d

SHA256
3a30b42d7a4b465ed9ff4b3f2fc5bbfb6a1661e671417a9152e4f7a558aa47a5

SHA512
e1a5bd85d851fd29c4a6094283fd6b271603aa6055bcf230ef7454d8854140d1dd4452fbaeacbdfba6bf7d832609b8f09c0a434890bc5f6c486e1b3594dfa50f

Download Submit

Analysis

Sharing