104ecef10133e39916d7cfb59e2e335cd7b0358407124781f567efdf8fffa164

General

Target

f2b96afe78a86a27c3682a6456c7124c_JaffaCakes118.exe
Size

14KB
MD5

f2b96afe78a86a27c3682a6456c7124c
SHA1

c886bdb830d85eb860fb2b3a987291ff3ef7841e
SHA256

104ecef10133e39916d7cfb59e2e335cd7b0358407124781f567efdf8fffa164
SHA512

d19317dc48db3c1b61bfca6d959217370eb9554ad1e83a02e10ea2f1eaf24d73185e9033d1b8e83323bf530af8649debe1004c301462239b07aec99214f32ec9
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhkRE9i:hDXWipuE+K3/SSHgxB9i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2128	DEM6D4.exe
2980	DEM5C53.exe
1868	DEMB29D.exe
1484	DEM82B.exe
2812	DEM5E27.exe
2216	DEMB413.exe

Loads dropped DLL 6 IoCs

pid	Process
1540	f2b96afe78a86a27c3682a6456c7124c_JaffaCakes118.exe
2128	DEM6D4.exe
2980	DEM5C53.exe
1868	DEMB29D.exe
1484	DEM82B.exe
2812	DEM5E27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2128	1540	f2b96afe78a86a27c3682a6456c7124c_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2128	1540	f2b96afe78a86a27c3682a6456c7124c_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2128	1540	f2b96afe78a86a27c3682a6456c7124c_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2128	1540	f2b96afe78a86a27c3682a6456c7124c_JaffaCakes118.exe	29
PID 2128 wrote to memory of 2980	2128	DEM6D4.exe	31
PID 2128 wrote to memory of 2980	2128	DEM6D4.exe	31
PID 2128 wrote to memory of 2980	2128	DEM6D4.exe	31
PID 2128 wrote to memory of 2980	2128	DEM6D4.exe	31
PID 2980 wrote to memory of 1868	2980	DEM5C53.exe	35
PID 2980 wrote to memory of 1868	2980	DEM5C53.exe	35
PID 2980 wrote to memory of 1868	2980	DEM5C53.exe	35
PID 2980 wrote to memory of 1868	2980	DEM5C53.exe	35
PID 1868 wrote to memory of 1484	1868	DEMB29D.exe	37
PID 1868 wrote to memory of 1484	1868	DEMB29D.exe	37
PID 1868 wrote to memory of 1484	1868	DEMB29D.exe	37
PID 1868 wrote to memory of 1484	1868	DEMB29D.exe	37
PID 1484 wrote to memory of 2812	1484	DEM82B.exe	39
PID 1484 wrote to memory of 2812	1484	DEM82B.exe	39
PID 1484 wrote to memory of 2812	1484	DEM82B.exe	39
PID 1484 wrote to memory of 2812	1484	DEM82B.exe	39
PID 2812 wrote to memory of 2216	2812	DEM5E27.exe	41
PID 2812 wrote to memory of 2216	2812	DEM5E27.exe	41
PID 2812 wrote to memory of 2216	2812	DEM5E27.exe	41
PID 2812 wrote to memory of 2216	2812	DEM5E27.exe	41

C:\Users\Admin\AppData\Local\Temp\f2b96afe78a86a27c3682a6456c7124c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2b96afe78a86a27c3682a6456c7124c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\DEM6D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6D4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\DEM5C53.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5C53.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\DEMB29D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB29D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Users\Admin\AppData\Local\Temp\DEM82B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM82B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Users\Admin\AppData\Local\Temp\DEM5E27.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5E27.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\DEMB413.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB413.exe"
        7⤵
        Executes dropped EXE
        
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5C53.exe

Filesize
14KB

MD5
299e25ada6afc07f87974bde231ee07f

SHA1
7cf3b08ae90e76f09cb4a8fb65e6e529262c3a21

SHA256
87bac275ec23836babb9058bc533f9bc73fc4008f00d05673f4c4d38619f7a0c

SHA512
27184239a9f82d560e0dcc72d62d69f4e6a3880dddfe170294e22d7b82f2ebfd1c81b383f19f63fa1bfe0a9e9cba84a7bd9d1486980546bfcca6cb79e9ed906d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM82B.exe

Filesize
14KB

MD5
f9020354a8ec309e45e65d28d2bea0de

SHA1
9678e2afb9d7745aab297738c8fdfb84b2c6d8b0

SHA256
8ce4ae2b0e9ed28ed0a0d5024b679af1f36788a6d9567c0ec51f84c3639aa671

SHA512
f82d271b827a7d812290cce1505809e5deaf8019464f4610f7b5da7aa5f355aba86c0f4add776120dd49abba909df31f712ad2a859d938206079337f62690420

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5E27.exe

Filesize
14KB

MD5
f638da9630fdd0bf51d99f71d0c87a7f

SHA1
e5f819d6708c0a860d5a01c906ea05f37f55a0c4

SHA256
c77cb0c5cdb5cdc0e4224d176831e7392b05693e7bbaf5f3999c955958f8d216

SHA512
a11d64405dc87b05df5d8c0a6c8a319c4e3028685ab26b0f43cf72b294a69c3ee912eb36a5d1a08f74e7cfd50d1fd44fd0733b52cc6e1d7fe3f6c74c9a98d594

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6D4.exe

Filesize
14KB

MD5
4e7332ce8c9178ae0d7a6f5e3412a14b

SHA1
d5661cef9c2a06ae66de4deb14820892d7041c98

SHA256
00353c33e725148634cab32731a356c2c5e87dee931bd0975a2cf340ff100e51

SHA512
6c400e8e8894532480d65b36e82b030369cc1928a8b19511fcfb532e42c42e5f8de72ac5fe86ac783e594ad6f63c27e19b99c548a6ef2ef4bde59fed938453a3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB29D.exe

Filesize
14KB

MD5
8a48bcbd826def89bf49804f5cc32aa6

SHA1
bb6714284c47484a4e84d819a3914daf1df8fad3

SHA256
1b5d8160c48b0071144165399b5f4da9a2dc33eb34b802ba8dfcaeaac39a1204

SHA512
9834ef8f27997b84d973c4f0556486edce58c441323dce527ff7e5498194c38ee5a2a0be2eba5a9a27f364e119c87cc81dcf517a3fb981fa69cb9c5f93ebf505

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB413.exe

Filesize
14KB

MD5
312d41ec0b2dd45a1bf52271dae8af6f

SHA1
e4e3368248e86eec8bd33993cf8d7f1db9ead3af

SHA256
f1a84aee415e4b52158ea3281ef26e275efb05e42889d84c2875b6107163f25a

SHA512
de5ac7fbe906b290a9909be5f9bdc18d0475384db0d1bf4f60a1181d6884a1b9f169c5ea02e9c0138a895c3f12b75acbe6b266223bb38b38303fbdbd10f39e4e

Download Submit

Analysis

Sharing