1a5370a55acf6877d9f3ce635982256ed9c92356966dc53fcc72c7697fd28aad

General

Target

f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe
Size

16KB
MD5

f8fae6346f86f1f2a9034a2077f98765
SHA1

3361ad68095212097d88767e28c803440dcff6ca
SHA256

1a5370a55acf6877d9f3ce635982256ed9c92356966dc53fcc72c7697fd28aad
SHA512

b4f6fdcd268e8e0034dbb943c34355ee422af9d7274c34b633cd2924aa4f67d4ae34d248cb20fe6e485b94df8a4492b926cc51543014a36e9e489e702576d572
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZlHfqr:hDXWipuE+K3/SSHgx3l/2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3000	DEM63F1.exe
2368	DEMB9ED.exe
2508	DEM1027.exe
1848	DEM6632.exe
1116	DEMBB92.exe
2820	DEM115F.exe

Loads dropped DLL 6 IoCs

pid	Process
2168	f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe
3000	DEM63F1.exe
2368	DEMB9ED.exe
2508	DEM1027.exe
1848	DEM6632.exe
1116	DEMBB92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3000	2168	f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe	29
PID 2168 wrote to memory of 3000	2168	f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe	29
PID 2168 wrote to memory of 3000	2168	f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe	29
PID 2168 wrote to memory of 3000	2168	f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe	29
PID 3000 wrote to memory of 2368	3000	DEM63F1.exe	33
PID 3000 wrote to memory of 2368	3000	DEM63F1.exe	33
PID 3000 wrote to memory of 2368	3000	DEM63F1.exe	33
PID 3000 wrote to memory of 2368	3000	DEM63F1.exe	33
PID 2368 wrote to memory of 2508	2368	DEMB9ED.exe	35
PID 2368 wrote to memory of 2508	2368	DEMB9ED.exe	35
PID 2368 wrote to memory of 2508	2368	DEMB9ED.exe	35
PID 2368 wrote to memory of 2508	2368	DEMB9ED.exe	35
PID 2508 wrote to memory of 1848	2508	DEM1027.exe	37
PID 2508 wrote to memory of 1848	2508	DEM1027.exe	37
PID 2508 wrote to memory of 1848	2508	DEM1027.exe	37
PID 2508 wrote to memory of 1848	2508	DEM1027.exe	37
PID 1848 wrote to memory of 1116	1848	DEM6632.exe	39
PID 1848 wrote to memory of 1116	1848	DEM6632.exe	39
PID 1848 wrote to memory of 1116	1848	DEM6632.exe	39
PID 1848 wrote to memory of 1116	1848	DEM6632.exe	39
PID 1116 wrote to memory of 2820	1116	DEMBB92.exe	41
PID 1116 wrote to memory of 2820	1116	DEMBB92.exe	41
PID 1116 wrote to memory of 2820	1116	DEMBB92.exe	41
PID 1116 wrote to memory of 2820	1116	DEMBB92.exe	41

C:\Users\Admin\AppData\Local\Temp\f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\DEM63F1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM63F1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\DEMB9ED.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB9ED.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\DEM1027.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1027.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Users\Admin\AppData\Local\Temp\DEM6632.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6632.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\DEMBB92.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB92.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\DEM115F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM115F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB9ED.exe

Filesize
16KB

MD5
460a4c94c7009165d4664c9372316584

SHA1
8e83bf75b0aa89cc49fed9a39e3134a6a27d058f

SHA256
d60df58cd7e8447b3242b4c2f207658997de54e060e1e28b6cbe25a161522d2e

SHA512
925ef63469a138e4f4f658d573c5a03b834d37948ca110dedd3985a5157ae9700ec06fce050c75dbcd3840dd08a28d119376f02461b2b64280c3b6528376674f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1027.exe

Filesize
16KB

MD5
757c39033e8110259159e0667de16d81

SHA1
0519bf4f7dc5d09840c94c8821334ca597b77944

SHA256
fe653927d3ca6df26472a06fe89c56ded880dde30e78294dbaa69a6b5e0dbf53

SHA512
3314275e483f4d6f28d9aebe0ee6415b88eec5a9f0b377b4d6a498a503df693f93093512dd0a04cbab378eb3627edafedeac5a0c28b57aca926f36285230ed13

Download Submit
\Users\Admin\AppData\Local\Temp\DEM115F.exe

Filesize
16KB

MD5
284c53f80f481ba7b33f920ae633dd96

SHA1
4c72d83b32e3f04f897c938a8febef6e1c759a26

SHA256
db7c1733c0550007d4385bc02d641f0983d22dc9b6dff460be32051cd791d47f

SHA512
c9d7e3ae38728d8918a7f440cf798626f226295a6c9016b67f64ac43cbde06192a7fa9a265f987dda42bc1e4d28db462f08b257fc3d8f166a6db655ee74ce2de

Download Submit
\Users\Admin\AppData\Local\Temp\DEM63F1.exe

Filesize
16KB

MD5
214f62f23224a28f20a76a56ef76c5fc

SHA1
062d7eff0f107cbf364b4b4032c210770349ed86

SHA256
f70ce0049fd9245bab42133c81f8106c846b5ba6eaf6707840fc92c169ade09e

SHA512
889a0397190bfe917ab66086b1711c5778e16365cf939e6cc7d9167e7d66e7bc36f8d213d3c4a6924ae195ace40c409a434ec5c03c959cd9cbf350445991a3b7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6632.exe

Filesize
16KB

MD5
1f65c7e0272aa0f08bd9ddca4ce961ec

SHA1
3a567a3b52ea9a7ed54e4f5a3c5440db87ce7dd9

SHA256
1dfc36c5cb852a9eed23e06630660bea511191144beff7484005435ba0ba5a6d

SHA512
a74027cc58d6255cd911e4657abeb908905eb14f1a76edfda12cf58d37530dbeb5cc396bda576db052c373ac54653af5d3f2ad5c83b58973f55651bfefbb6f6f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBB92.exe

Filesize
16KB

MD5
0f9c58164ffe33ebb90bacdfcaffc4be

SHA1
b2e1afaadd9e4f5d55a889dbd9c1983e6223cb6b

SHA256
6172897507cb2a5ff7a4509677b2325b4577574b5c67aae037324183e3b58a98

SHA512
9f430786a52eecaf573c5e781b7002512968fd7e64c76cb812da3616fea69bed7a0e532e9587816bcd3cc2ca265effc70895c14921b6e3118064ef73e3ca8f7f

Download Submit

Analysis

Sharing