82af692db99c3ba7b9ae8896cae0d00b78bd3df6331a3c3ca99a5fd65d6d8637

General

Target

edeccdffc1bd333c05d43387b7ba7b51_JaffaCakes118.exe
Size

15KB
MD5

edeccdffc1bd333c05d43387b7ba7b51
SHA1

560147057f2393a4cc1bae629ec8d87f5a96e0a1
SHA256

82af692db99c3ba7b9ae8896cae0d00b78bd3df6331a3c3ca99a5fd65d6d8637
SHA512

2068796db3107b20b4d881a3fa7e0088458631294ad5f4f4a8a271ea5b8a1f3f4c74b26c7dc06e37c4b00c7af1a49ba2f8b86f9cbee6af7e9386b8a8867537eb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRUqtrY:hDXWipuE+K3/SSHgx3q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1588	DEM5B59.exe
2416	DEMB1F1.exe
572	DEM7BE.exe
1364	DEM5EB3.exe
2616	DEMB51C.exe
2076	DEMB95.exe

Loads dropped DLL 6 IoCs

pid	Process
2976	edeccdffc1bd333c05d43387b7ba7b51_JaffaCakes118.exe
1588	DEM5B59.exe
2416	DEMB1F1.exe
572	DEM7BE.exe
1364	DEM5EB3.exe
2616	DEMB51C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1588	2976	edeccdffc1bd333c05d43387b7ba7b51_JaffaCakes118.exe	29
PID 2976 wrote to memory of 1588	2976	edeccdffc1bd333c05d43387b7ba7b51_JaffaCakes118.exe	29
PID 2976 wrote to memory of 1588	2976	edeccdffc1bd333c05d43387b7ba7b51_JaffaCakes118.exe	29
PID 2976 wrote to memory of 1588	2976	edeccdffc1bd333c05d43387b7ba7b51_JaffaCakes118.exe	29
PID 1588 wrote to memory of 2416	1588	DEM5B59.exe	33
PID 1588 wrote to memory of 2416	1588	DEM5B59.exe	33
PID 1588 wrote to memory of 2416	1588	DEM5B59.exe	33
PID 1588 wrote to memory of 2416	1588	DEM5B59.exe	33
PID 2416 wrote to memory of 572	2416	DEMB1F1.exe	35
PID 2416 wrote to memory of 572	2416	DEMB1F1.exe	35
PID 2416 wrote to memory of 572	2416	DEMB1F1.exe	35
PID 2416 wrote to memory of 572	2416	DEMB1F1.exe	35
PID 572 wrote to memory of 1364	572	DEM7BE.exe	37
PID 572 wrote to memory of 1364	572	DEM7BE.exe	37
PID 572 wrote to memory of 1364	572	DEM7BE.exe	37
PID 572 wrote to memory of 1364	572	DEM7BE.exe	37
PID 1364 wrote to memory of 2616	1364	DEM5EB3.exe	39
PID 1364 wrote to memory of 2616	1364	DEM5EB3.exe	39
PID 1364 wrote to memory of 2616	1364	DEM5EB3.exe	39
PID 1364 wrote to memory of 2616	1364	DEM5EB3.exe	39
PID 2616 wrote to memory of 2076	2616	DEMB51C.exe	41
PID 2616 wrote to memory of 2076	2616	DEMB51C.exe	41
PID 2616 wrote to memory of 2076	2616	DEMB51C.exe	41
PID 2616 wrote to memory of 2076	2616	DEMB51C.exe	41

C:\Users\Admin\AppData\Local\Temp\edeccdffc1bd333c05d43387b7ba7b51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edeccdffc1bd333c05d43387b7ba7b51_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\DEM5B59.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5B59.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\DEMB1F1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB1F1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\DEM7BE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7BE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Users\Admin\AppData\Local\Temp\DEM5EB3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5EB3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Users\Admin\AppData\Local\Temp\DEMB51C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB51C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\DEMB95.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB95.exe"
        7⤵
        Executes dropped EXE
        
        PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB1F1.exe

Filesize
15KB

MD5
baaea23a9f2616be9ddebe9a58528724

SHA1
a9c019df354c788c5c6aebc6b7157f685de6a989

SHA256
392c933cf153d5dee1ce952db88cb765f7fd4b4f5e7c15aba33e52c0ef514396

SHA512
d1193eedd63ed98cec5f604e319c0f65b40f0d7c9e0c3c48c2948907a2d2d88eea1194f569628b9682a81cf830f8abf5719c4e612dbae9f8dd2f60900e4883de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB51C.exe

Filesize
15KB

MD5
04c6c42b35a9d80fc12efaea0fb9c328

SHA1
baf6498c9ac6555a2d639434c3d56f298ecfac65

SHA256
5f4171c75147934eebecd79ede0c0add3504372eceee0dca6bfa31d2badc844b

SHA512
1a94b1e4fcafbc1127bb21956bf9251e378c8221738a97d00a3a5153a2ed1c8d3d2f3765a1ea52cdb936265d254831f368407cbdcd4ba7dde0833b31888cd12d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5B59.exe

Filesize
15KB

MD5
ab828eece49a878e3d6e34959c84f31e

SHA1
af5f02dbd97b1974f2d4730994a50db2365f4a04

SHA256
64879b6313b61975a4503749c0ec92c6c1ba58977c86f3ce7541e840c7adeb9e

SHA512
bed8ee8f18a5ff23863b1f851f2e6361c0d7f71df193a17bc9b5a2d2e56f6e37d2d4ed53fb9b74c6b7c624491eea886af4aea9e6e3479b4da165053d7521c4ef

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5EB3.exe

Filesize
15KB

MD5
5dd34c012bb71a211f6593bb48f793dc

SHA1
a1ce7bb606423c4f4e4ee7ba3677c56b84b01b8b

SHA256
5fb62cdce4a122a0c86b10ad964e62914614629cbb04937334a4406244ce2701

SHA512
071edb10109e5a8914f2c8bb9662656db5bdd5377bdf171fb8abf57fac16da0e0e7d9941d8fa49af0966b05fca06d88c40cf864bb3f255af9ff7a774ab403aee

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7BE.exe

Filesize
15KB

MD5
e1a92f296e92a99109ea7656da075ce7

SHA1
54522e056e05cc76529d9d6da3c840a6c3914f85

SHA256
e79a2b0a94b36f740f5e553f0913e7274da99ae796d27ef5f8a73b1378c7084d

SHA512
b878c65b0d69145f5fbb6807f664a4bb731ea477e21b24f23965024abe36addab992806b4c4e91fa17774fbc68cef881e9aa10cc4251b32522cbbaabc0e1a97f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB95.exe

Filesize
15KB

MD5
c155502777e4b3a8f18cb1aaafc1aa79

SHA1
bd3044b1cbb56bf087681bd91fc035385e62f1b9

SHA256
0f0f5f6c839d71e9fb6fd702210e3e835ab4ba8d352bca7b9d39a69622d6370f

SHA512
03060affd7acc550604a338fce47c942dc055847af6dd8592ffbbbb4ed5aca8352d9e78310f973f9006fb70b00a2e6f272153631629d864ee7849254aa0105a0

Download Submit

Analysis

Sharing