7a84f5e90e164cb3d76c823a829c1ca04afdc926f8c1c69b06c3c4386d63b244

General

Target

ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe
Size

15KB
MD5

ed3cff1d54cd28a9fc56878d6ebd6be3
SHA1

966589883559d847d2c43bec00a97719297303fa
SHA256

7a84f5e90e164cb3d76c823a829c1ca04afdc926f8c1c69b06c3c4386d63b244
SHA512

d525f5f90ad03c3c77854190c102673ddc9c6dbed804d22d56b359ef5acc15f0266f6d75212c1f6022797432c0fabf9eab397d13b6868bf921c04fb7cedefd6c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh66:hDXWipuE+K3/SSHgxmyh66

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2584	DEM12C6.exe
2652	DEM6835.exe
2716	DEMBD95.exe
2124	DEM1362.exe
2180	DEM68B2.exe
2248	DEMBDD3.exe

Loads dropped DLL 6 IoCs

pid	Process
2872	ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe
2584	DEM12C6.exe
2652	DEM6835.exe
2716	DEMBD95.exe
2124	DEM1362.exe
2180	DEM68B2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2584	2872	ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2584	2872	ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2584	2872	ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2584	2872	ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe	29
PID 2584 wrote to memory of 2652	2584	DEM12C6.exe	31
PID 2584 wrote to memory of 2652	2584	DEM12C6.exe	31
PID 2584 wrote to memory of 2652	2584	DEM12C6.exe	31
PID 2584 wrote to memory of 2652	2584	DEM12C6.exe	31
PID 2652 wrote to memory of 2716	2652	DEM6835.exe	35
PID 2652 wrote to memory of 2716	2652	DEM6835.exe	35
PID 2652 wrote to memory of 2716	2652	DEM6835.exe	35
PID 2652 wrote to memory of 2716	2652	DEM6835.exe	35
PID 2716 wrote to memory of 2124	2716	DEMBD95.exe	37
PID 2716 wrote to memory of 2124	2716	DEMBD95.exe	37
PID 2716 wrote to memory of 2124	2716	DEMBD95.exe	37
PID 2716 wrote to memory of 2124	2716	DEMBD95.exe	37
PID 2124 wrote to memory of 2180	2124	DEM1362.exe	39
PID 2124 wrote to memory of 2180	2124	DEM1362.exe	39
PID 2124 wrote to memory of 2180	2124	DEM1362.exe	39
PID 2124 wrote to memory of 2180	2124	DEM1362.exe	39
PID 2180 wrote to memory of 2248	2180	DEM68B2.exe	41
PID 2180 wrote to memory of 2248	2180	DEM68B2.exe	41
PID 2180 wrote to memory of 2248	2180	DEM68B2.exe	41
PID 2180 wrote to memory of 2248	2180	DEM68B2.exe	41

C:\Users\Admin\AppData\Local\Temp\ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\DEM6835.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6835.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\DEMBD95.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBD95.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\DEM1362.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1362.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Users\Admin\AppData\Local\Temp\DEM68B2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM68B2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\DEMBDD3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBDD3.exe"
        7⤵
        Executes dropped EXE
        
        PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6835.exe

Filesize
15KB

MD5
3237429aa106b396574e5cfbb384b1aa

SHA1
9e385abd21e66ca0e40fe34ceaf9eb8de5315298

SHA256
bd5e43ea34fc4d600089e5777411ce386bf5813c20562d799c0bb5f75a390654

SHA512
f5e38f778e47cc998208e5253f982cb7766f846dc8e792d639080ebd0b0f8119da70dbb71f8e1ae98cb4c58b04b8fe336814a83722d90b44ea61c2a59455d8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBDD3.exe

Filesize
15KB

MD5
ddeaa805c4b118cfb133387a0ce505f6

SHA1
109d475732e5ae868a0ea7cc4527e3b0796d8747

SHA256
33b4e0e8d9d198f60cbad073f021543b2749c291e4549d193ffe532555ef0e4b

SHA512
cbb6f832c6219beb153d019b85063fe149a47fe691923dcc1c4f051e396baf6e36ef9014bf39583a9b2d173ecf3820ec599aea844583bc6f47f505075337afe0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM12C6.exe

Filesize
15KB

MD5
583941f7d58d1d6d49ad8338414b2da5

SHA1
c87ed6382971a24f9825f4a6c8e5ae51d0d7365b

SHA256
08efbf83fd58f7fcf607bef85880125d004ac193b4d6c030ca7fc0dc0c107ced

SHA512
27b1e7ea253cf4bcbc91297a7793a3dbe94a4be3b8b78fbabc8add762d1c159784dc46a1f2852fcc73f5e885b9e9f657b07d37afcc7bb6192b9fcc0599aa18f4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1362.exe

Filesize
15KB

MD5
06140c490ac07c3420481d7def311bd1

SHA1
d06f9f02c22a988e7ddfee221cfdc6ead9bdecbd

SHA256
cdf0400675dff37e2d47d72717ccd7a935c6ca8fc0e1e6472f7f68bfa322853c

SHA512
29e15066a5f71a8ae644d6daacdea1dd4cf80d0f888ec8e127478e3678ac103f6d8bcc666416a95818d54913b08655e0681ffd5142a49bb99788b18cd031caab

Download Submit
\Users\Admin\AppData\Local\Temp\DEM68B2.exe

Filesize
15KB

MD5
89e8adc04c56f7911ae3477a20c97bef

SHA1
4c28c3eb087d848e941ecb065153f7acc86dc390

SHA256
ea68ce05c04a663383d94d68562b8f254355e4d97b25f78a4c02d0ec6987a1f3

SHA512
93f3a7343be0f20529ffc9d2b7749296e1df3537698841a498e2c601cf8f39966d1e5ca26eeb9da35a80f04514455369ab74598094177d6b9c5baf4b12e9978b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD95.exe

Filesize
15KB

MD5
3e782e783e85ea413958b3d16b0ec4af

SHA1
83caae23256797e312ee430ab6cc6c75d533d6bd

SHA256
33d2cd1040506613e7a9b76b44b3dc3049263f0e0714fd72b0d2390bb451ebd0

SHA512
94de806af0f909f478efc1b1729bde6e56abba286c183d1cfd53b1511e95e8ad87c6be7a5609f11b3d3e1b82071be73c811ddcc8ef9b96338b5b880fe0ce1c7f

Download Submit

Analysis

Sharing