cb419dcf90f437fdb25d381de7200057e053a936c96812a03e287bde25dbac33

General

Target

edba5359964664eda4aa0933b6dcf3dd_JaffaCakes118.exe
Size

15KB
MD5

edba5359964664eda4aa0933b6dcf3dd
SHA1

4ab61c86679586fc85498975874afc84bd5a1da7
SHA256

cb419dcf90f437fdb25d381de7200057e053a936c96812a03e287bde25dbac33
SHA512

873109a292141921e3e7b3fd28929fc4289dc2481895681853a1ab300142850804e42b1b6236ace3dc1c48ff69ccf2efe1c3a7bf97f56c9446c73c40c6581922
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlBN:hDXWipuE+K3/SSHgxmlBN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2576	DEM7A1F.exe
2396	DEMD182.exe
1720	DEM27DB.exe
1232	DEM7D89.exe
2508	DEMD356.exe
1932	DEM2923.exe

Loads dropped DLL 6 IoCs

pid	Process
3048	edba5359964664eda4aa0933b6dcf3dd_JaffaCakes118.exe
2576	DEM7A1F.exe
2396	DEMD182.exe
1720	DEM27DB.exe
1232	DEM7D89.exe
2508	DEMD356.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2576	3048	edba5359964664eda4aa0933b6dcf3dd_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2576	3048	edba5359964664eda4aa0933b6dcf3dd_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2576	3048	edba5359964664eda4aa0933b6dcf3dd_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2576	3048	edba5359964664eda4aa0933b6dcf3dd_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2396	2576	DEM7A1F.exe	33
PID 2576 wrote to memory of 2396	2576	DEM7A1F.exe	33
PID 2576 wrote to memory of 2396	2576	DEM7A1F.exe	33
PID 2576 wrote to memory of 2396	2576	DEM7A1F.exe	33
PID 2396 wrote to memory of 1720	2396	DEMD182.exe	35
PID 2396 wrote to memory of 1720	2396	DEMD182.exe	35
PID 2396 wrote to memory of 1720	2396	DEMD182.exe	35
PID 2396 wrote to memory of 1720	2396	DEMD182.exe	35
PID 1720 wrote to memory of 1232	1720	DEM27DB.exe	37
PID 1720 wrote to memory of 1232	1720	DEM27DB.exe	37
PID 1720 wrote to memory of 1232	1720	DEM27DB.exe	37
PID 1720 wrote to memory of 1232	1720	DEM27DB.exe	37
PID 1232 wrote to memory of 2508	1232	DEM7D89.exe	39
PID 1232 wrote to memory of 2508	1232	DEM7D89.exe	39
PID 1232 wrote to memory of 2508	1232	DEM7D89.exe	39
PID 1232 wrote to memory of 2508	1232	DEM7D89.exe	39
PID 2508 wrote to memory of 1932	2508	DEMD356.exe	41
PID 2508 wrote to memory of 1932	2508	DEMD356.exe	41
PID 2508 wrote to memory of 1932	2508	DEMD356.exe	41
PID 2508 wrote to memory of 1932	2508	DEMD356.exe	41

C:\Users\Admin\AppData\Local\Temp\edba5359964664eda4aa0933b6dcf3dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edba5359964664eda4aa0933b6dcf3dd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\DEM7A1F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7A1F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\DEMD182.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD182.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\DEM27DB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM27DB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Users\Admin\AppData\Local\Temp\DEM7D89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7D89.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\DEMD356.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD356.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\DEM2923.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2923.exe"
        7⤵
        Executes dropped EXE
        
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM27DB.exe

Filesize
15KB

MD5
0275a4572d9cfcd94087dd82515d9ac8

SHA1
5e6540a45b4292a302ce701569c8cc3a7084de25

SHA256
00f27bddf651cdfe7b478aab60f83f0abfd855305c11dac45fbce76a5ebae134

SHA512
5102a4ea898de6eccf854544bdb1993f650c13b1cf138545b93b00e5d1ac4c22a64d6d2b8ff72860b1e597d99929141d3ca29605b7ea355cf73540ea7176d643

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A1F.exe

Filesize
15KB

MD5
3b0ffa954cc4ee4529ee44257485cb68

SHA1
2a180be96ee34c88d7570ba81d07fafcc844c5af

SHA256
ac4616a26c1ec676c883681642ae6e276249c223e1fedd29c63397f3aa98b351

SHA512
ad4f523356ffe31fcb82dcc2e662df0ca4a716873ab3e39c5ae693681e19cc66066c2ef51dbfc956c3b368d825d2dca2dcb87fcc83ce10dd7ee4a49aec6b1570

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD182.exe

Filesize
15KB

MD5
16a233d533a7a1faa13b6be207d807ae

SHA1
0e6570764ccc0ec8d9625a5fbc09f5ffda96a9a3

SHA256
80392b83c6ec715e640ab43c2263b4572038c1d3955511c7e26be343d685e6ea

SHA512
c9f8267867706df413a9c809d5b02824fcf7c6301ade65143cfeb72ee203971b45044d61d66db8bacad06e52db328849217504fd4691e8c742c97270ef69fb16

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2923.exe

Filesize
15KB

MD5
2ef831b086c9b631a866ef6e1e694b31

SHA1
6f4bb29651dbe58d33fcf4c1bb752423b383595c

SHA256
acf236cbdc2f7c0ac7c618628c5e3accc5b218cba3390242f99c9c89a841b6c8

SHA512
f7977d929b7019ec162f0cd26a78f586d2188a1dc2afbf3517789503d5d9a66e511c8c19961465bd9735b7cab6d4d2f99037f0892f4952135053a56a4e04cbda

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7D89.exe

Filesize
15KB

MD5
38fdb42492f184e3994b992e0c482957

SHA1
2eff5ada652ee0331efa01489af867a9408f8e58

SHA256
3fdcb1a00dc262d804aeff8e597f4e3e7c36a2016b190557d1f43668d43b97b9

SHA512
fdbab322896860718c1fa6a6da60c9066f86cc7306f563ec0d1e01cece473cd3100a4d3daeb4b4593e90b7aecc98da8b9891a99108b9635c4c2f6ed75b36b763

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD356.exe

Filesize
15KB

MD5
1214aa205bd5fe58ddce93023ae032b7

SHA1
5a45cc1691a165b3325fe501d01732359e0ab93e

SHA256
d545c233b27436f298e990d372dd899597a07e09943b49b2b48c57b4fba852d0

SHA512
5dd9d607f37a2c553e9442718753f9348cc9c91f2687087cb8bb86c9f0c482856ef32111e78d7c4aa5a30a4b4ceff4f6f814aa06a7beb81d36fb3ff4c12ba3db

Download Submit

Analysis

Sharing