eec7ae872cd9eef16d244662f1e7707b813815ca5ac998d67fd9e7e9ee18cddd

General

Target

f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe
Size

15KB
MD5

f172b297116042c0d34ad2a92df81bb4
SHA1

bc1e7af495aa0e059cd7683cdea07e868795520e
SHA256

eec7ae872cd9eef16d244662f1e7707b813815ca5ac998d67fd9e7e9ee18cddd
SHA512

d565d77daf5c22f14ac41d03d524d1f8cabf9e76c4a2c17ca19c5ad9a095ffeb82e9e7f5ef1448ecdbe6fea3d1ee8b56a34262eadd9588b088941894e6830628
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYLNBq:hDXWipuE+K3/SSHgxmLzq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2580	DEM3C26.exe
2504	DEM92FC.exe
2760	DEME994.exe
1748	DEM3F42.exe
1152	DEM94D0.exe
1676	DEMEA4F.exe

Loads dropped DLL 6 IoCs

pid	Process
804	f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe
2580	DEM3C26.exe
2504	DEM92FC.exe
2760	DEME994.exe
1748	DEM3F42.exe
1152	DEM94D0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2580	804	f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe	29
PID 804 wrote to memory of 2580	804	f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe	29
PID 804 wrote to memory of 2580	804	f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe	29
PID 804 wrote to memory of 2580	804	f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe	29
PID 2580 wrote to memory of 2504	2580	DEM3C26.exe	33
PID 2580 wrote to memory of 2504	2580	DEM3C26.exe	33
PID 2580 wrote to memory of 2504	2580	DEM3C26.exe	33
PID 2580 wrote to memory of 2504	2580	DEM3C26.exe	33
PID 2504 wrote to memory of 2760	2504	DEM92FC.exe	35
PID 2504 wrote to memory of 2760	2504	DEM92FC.exe	35
PID 2504 wrote to memory of 2760	2504	DEM92FC.exe	35
PID 2504 wrote to memory of 2760	2504	DEM92FC.exe	35
PID 2760 wrote to memory of 1748	2760	DEME994.exe	37
PID 2760 wrote to memory of 1748	2760	DEME994.exe	37
PID 2760 wrote to memory of 1748	2760	DEME994.exe	37
PID 2760 wrote to memory of 1748	2760	DEME994.exe	37
PID 1748 wrote to memory of 1152	1748	DEM3F42.exe	39
PID 1748 wrote to memory of 1152	1748	DEM3F42.exe	39
PID 1748 wrote to memory of 1152	1748	DEM3F42.exe	39
PID 1748 wrote to memory of 1152	1748	DEM3F42.exe	39
PID 1152 wrote to memory of 1676	1152	DEM94D0.exe	41
PID 1152 wrote to memory of 1676	1152	DEM94D0.exe	41
PID 1152 wrote to memory of 1676	1152	DEM94D0.exe	41
PID 1152 wrote to memory of 1676	1152	DEM94D0.exe	41

C:\Users\Admin\AppData\Local\Temp\f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\DEM3C26.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3C26.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\DEM92FC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM92FC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\DEME994.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME994.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\DEM3F42.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3F42.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\DEM94D0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM94D0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\DEMEA4F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEA4F.exe"
        7⤵
        Executes dropped EXE
        
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM92FC.exe

Filesize
15KB

MD5
1f9b4724102615f7a02ad9c874fbb07f

SHA1
0728ed6d52d23fdb537164e7adb6da0dc850801d

SHA256
ce299579925cc636647c2f83128972ed51857ee72beebac4366d3949ef1aa867

SHA512
acd997cda299da18a8cb90593a41bc5766c7efe2f6b760c4a362fd0b5337b93a007656be98868da9142d0146d53107396bdb8def2d41b8b2c5ab687ce8aada86

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME994.exe

Filesize
15KB

MD5
2ce49e166b0954adb412a280a4a178fe

SHA1
82f43e3a7fd58e6a37ed802e19b08e865f0a8898

SHA256
d290d5276bdc92b3152dc30d82864a43e72455183fd45fd6302cc3ba6664d47f

SHA512
085802d18b3661a275311d61ec6749e728237844c1add5e04a784c61b0dbb4bc9582a6a8d97986b2a5cd83f7140d6473d4a7b15450eb9c91039a24ac4a38a45f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3C26.exe

Filesize
15KB

MD5
58d3385ff48ddd4d49f04c351c1d9b84

SHA1
a2c98ce30ecd5f6b015494d62e66fc1f4d44f298

SHA256
1b60359bbf9d81589f285cfc3af65c244c427808187b15b9dc4116f0d868f52b

SHA512
55c8b6552d88d6de0ad8fab52d1e0355b40675251b4c083f541d9a72b2e81e1ced1741577990441e6aa87e111185a8a701041a70e538240bf995c4d897978e67

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3F42.exe

Filesize
15KB

MD5
80bc4011a441178628405d49467fe892

SHA1
70d4590827527a7a5e3f6770e442ea280df73860

SHA256
1223297d1f17f7e4d8a50ae07fd01cbb0f35bdbf80aa9200d7b317790b7e872f

SHA512
d8d25c6df5b3016aff913ebf696f3239a09bd8e5b68da8b2870b394f8744c30d99350094425e3ec5dccdcecf96aa1cbdb7aae083fe0b1c7eacd5b55abffdc342

Download Submit
\Users\Admin\AppData\Local\Temp\DEM94D0.exe

Filesize
15KB

MD5
6f19b81df232c265832d57d8c847af60

SHA1
7bf9b93f0228c446d58b6f38131d9b4cd4586b43

SHA256
82b0df921c3167d86c8769fb97ab3e42555293adc435d1416d96a880161e1503

SHA512
bc1fa27d336bc310629d0add9966ad26c5b480616e10c8e5f34cf716d096feb386b5abfa5e6e04c2e727a7bb1b5cf822c2dc4aa3a31fa9092fc69f0ff7d23c58

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEA4F.exe

Filesize
15KB

MD5
ae1ce8b91c26d417ab3b82011107fab2

SHA1
a0257f6f6c1dd572a4119e928b71066d73289691

SHA256
107c0975a62c272b8efa22a588ee17ef7961b1c1969cb9e42ce8fd96d27735cb

SHA512
4ca9d00ba6b8450dc6ff48bb662a94c16abd9d9589114b8be1944850532f384901261ea3d02b71c2aa81d06bfce6cab9c467995022bcd3062c80c51dd6b57d5e

Download Submit

Analysis

Sharing