aa69803e52805a85b69ad7681eb2de5138dfe69a4a5b7990ecb8c17059ce1c92

General

Target

f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe
Size

14KB
MD5

f00609e6ddd807c310af00e9620fce29
SHA1

57aacb299c0bb54ff13af3cf364ef530de4e29f2
SHA256

aa69803e52805a85b69ad7681eb2de5138dfe69a4a5b7990ecb8c17059ce1c92
SHA512

d9775c5a85e8f9df5a670c3b41a30959cea7f0161395e58b9b52358dc16f739ca488d385415d1c694465c943cf9036dd575966ecbc62759cc8fd4c7850db7d91
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhiiC:hDXWipuE+K3/SSHgxLiiC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2676	DEM8BFA.exe
2404	DEME282.exe
572	DEM392A.exe
1812	DEM8EC8.exe
1296	DEME57F.exe
748	DEM3B0D.exe

Loads dropped DLL 6 IoCs

pid	Process
2776	f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe
2676	DEM8BFA.exe
2404	DEME282.exe
572	DEM392A.exe
1812	DEM8EC8.exe
1296	DEME57F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2676	2776	f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2676	2776	f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2676	2776	f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2676	2776	f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2404	2676	DEM8BFA.exe	33
PID 2676 wrote to memory of 2404	2676	DEM8BFA.exe	33
PID 2676 wrote to memory of 2404	2676	DEM8BFA.exe	33
PID 2676 wrote to memory of 2404	2676	DEM8BFA.exe	33
PID 2404 wrote to memory of 572	2404	DEME282.exe	35
PID 2404 wrote to memory of 572	2404	DEME282.exe	35
PID 2404 wrote to memory of 572	2404	DEME282.exe	35
PID 2404 wrote to memory of 572	2404	DEME282.exe	35
PID 572 wrote to memory of 1812	572	DEM392A.exe	37
PID 572 wrote to memory of 1812	572	DEM392A.exe	37
PID 572 wrote to memory of 1812	572	DEM392A.exe	37
PID 572 wrote to memory of 1812	572	DEM392A.exe	37
PID 1812 wrote to memory of 1296	1812	DEM8EC8.exe	39
PID 1812 wrote to memory of 1296	1812	DEM8EC8.exe	39
PID 1812 wrote to memory of 1296	1812	DEM8EC8.exe	39
PID 1812 wrote to memory of 1296	1812	DEM8EC8.exe	39
PID 1296 wrote to memory of 748	1296	DEME57F.exe	41
PID 1296 wrote to memory of 748	1296	DEME57F.exe	41
PID 1296 wrote to memory of 748	1296	DEME57F.exe	41
PID 1296 wrote to memory of 748	1296	DEME57F.exe	41

C:\Users\Admin\AppData\Local\Temp\f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\DEM8BFA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8BFA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\DEME282.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME282.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\DEM392A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM392A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Users\Admin\AppData\Local\Temp\DEM8EC8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8EC8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\DEME57F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME57F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\DEM3B0D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3B0D.exe"
        7⤵
        Executes dropped EXE
        
        PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEME282.exe

Filesize
14KB

MD5
b77af0cb70abe33ea64ddf794abdad96

SHA1
1246ff6c4085afaa6ec4a55e2186ac12ff2c9fc3

SHA256
2d658745eb8c74d30ffd5784bf9d39806d60d1f71552c3f29218c31b5cc5aca8

SHA512
de43fe804fbd6cd3f14b16fc34e3ca0b6d9079807a4e01606458a2c9540fa4fdbe49b3f894f5c94ae2ece03087e5ad04c05b16d5f4376f2487f58e44a952139b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM392A.exe

Filesize
14KB

MD5
7a61477f6838be851781854d7502caae

SHA1
590b1b655fe30151ba01665ba427d95f21fb3d27

SHA256
d76d345f841863f8d9475b389518d5da5d34610650da77ca824e0a0261a955d2

SHA512
36c0db0beffa8e09f49da3f5fbcc8a3fd7d69c5b578239470cc101bbc09ce63b610dd381152d7e401be1b2672971088fb174307a7d738c4f30f6b4bfbf175569

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3B0D.exe

Filesize
14KB

MD5
8c9e0e9628c88f12b5e5f6009f3c403d

SHA1
e57e4128a6c168ef20cbf7cd6756fa4b5e779ac7

SHA256
5fefbe7195812dbd87ad0a58e147bac043d22ce6cc41e198e82e6b9895adef46

SHA512
3696a5cba570ea08dae8cd8b1a038c517ccdf4ae978447fbe9aec362c7da933d46cdcb452004d09512eae33f409ec6637a4521b88bcf68a018c16fee0fb1a1fe

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8BFA.exe

Filesize
14KB

MD5
b8f8bb6ae124e7f6a615b8eaf354b0cc

SHA1
69d0c90443e4bd10790100d44dd869f1a8056c20

SHA256
dfa916f227b5cc0cc08d17ab02f30be0d2f8569fa4151ff3c465762f6c2a32f3

SHA512
37fd7831be6455ff04ef49ba0f72c9df439efc956dc728f7d69d917270c0892da1eec4c935ccb3fa59d8a5e37253093b8f7e71ade7c0b1ca5d33c4f8fb5999f2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8EC8.exe

Filesize
14KB

MD5
69f1f9155c9c1e143e46c70ed505dd86

SHA1
a23f19a05596fc1b9791faa8c0c205183a0b6de0

SHA256
7461bf87cb20605e7ee26d18f886295144bd853463f0797c5215de284efe66c0

SHA512
439ed17db43095e38f95cb88e523435e49b138df0d90a36bd35300c3e3d681f04e1fdfd2feb3e40e6cdc344a819f2523d1fdafc035d7e9704004a4175f49d5b3

Download Submit
\Users\Admin\AppData\Local\Temp\DEME57F.exe

Filesize
14KB

MD5
89de1fa87936557a54e84393d2bdcb31

SHA1
728f6a0915ad3da938853b0128a6af2508639e13

SHA256
94f7f5dabf73405ffd47c57d6aeff5eb1441f06592992f759f6a4c324dac145c

SHA512
839f3ad1e3e6204b856d76883d35fec8939e7d9d041f9cd85d60035eae3c0644097ceb6e8d43f5372d12429a95fa384bbcb0fd88efb1b9fd35b0476251679124

Download Submit

Analysis

Sharing