1e574e14bed8135977e6b68629d838e8fcf1d1d7e1c57f2fc2ec67b53790ce51

General

Target

fa21ca2667e4e8d466860b90d5ee6949_JaffaCakes118.exe
Size

15KB
MD5

fa21ca2667e4e8d466860b90d5ee6949
SHA1

524f817dab0c45e1f1c9b5d766b1624316993dbd
SHA256

1e574e14bed8135977e6b68629d838e8fcf1d1d7e1c57f2fc2ec67b53790ce51
SHA512

6bd6b972f406991ca777090cc243d2580479f254135798c83f3546fd1d6ad438af9a924b4de596a5606eafbc6ad91934be0e98381236cc7c49c4969efec5cd7b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhig:hDXWipuE+K3/SSHgxLig

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2568	DEMBE3.exe
2644	DEM6181.exe
2992	DEMB75D.exe
348	DEMC9E.exe
2952	DEM61EE.exe
2904	DEMB71F.exe

Loads dropped DLL 6 IoCs

pid	Process
2292	fa21ca2667e4e8d466860b90d5ee6949_JaffaCakes118.exe
2568	DEMBE3.exe
2644	DEM6181.exe
2992	DEMB75D.exe
348	DEMC9E.exe
2952	DEM61EE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2568	2292	fa21ca2667e4e8d466860b90d5ee6949_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2568	2292	fa21ca2667e4e8d466860b90d5ee6949_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2568	2292	fa21ca2667e4e8d466860b90d5ee6949_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2568	2292	fa21ca2667e4e8d466860b90d5ee6949_JaffaCakes118.exe	29
PID 2568 wrote to memory of 2644	2568	DEMBE3.exe	31
PID 2568 wrote to memory of 2644	2568	DEMBE3.exe	31
PID 2568 wrote to memory of 2644	2568	DEMBE3.exe	31
PID 2568 wrote to memory of 2644	2568	DEMBE3.exe	31
PID 2644 wrote to memory of 2992	2644	DEM6181.exe	35
PID 2644 wrote to memory of 2992	2644	DEM6181.exe	35
PID 2644 wrote to memory of 2992	2644	DEM6181.exe	35
PID 2644 wrote to memory of 2992	2644	DEM6181.exe	35
PID 2992 wrote to memory of 348	2992	DEMB75D.exe	37
PID 2992 wrote to memory of 348	2992	DEMB75D.exe	37
PID 2992 wrote to memory of 348	2992	DEMB75D.exe	37
PID 2992 wrote to memory of 348	2992	DEMB75D.exe	37
PID 348 wrote to memory of 2952	348	DEMC9E.exe	39
PID 348 wrote to memory of 2952	348	DEMC9E.exe	39
PID 348 wrote to memory of 2952	348	DEMC9E.exe	39
PID 348 wrote to memory of 2952	348	DEMC9E.exe	39
PID 2952 wrote to memory of 2904	2952	DEM61EE.exe	41
PID 2952 wrote to memory of 2904	2952	DEM61EE.exe	41
PID 2952 wrote to memory of 2904	2952	DEM61EE.exe	41
PID 2952 wrote to memory of 2904	2952	DEM61EE.exe	41

C:\Users\Admin\AppData\Local\Temp\fa21ca2667e4e8d466860b90d5ee6949_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa21ca2667e4e8d466860b90d5ee6949_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\DEMBE3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBE3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\DEM6181.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6181.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\DEMB75D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB75D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\Users\Admin\AppData\Local\Temp\DEM61EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM61EE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\DEMB71F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB71F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6181.exe

Filesize
15KB

MD5
8bf3e92203f4bba0e4b2055bb3b35a1d

SHA1
2b34b60b201463376605f123bbf35654770704c5

SHA256
3f675dadbb2c73114539fb22f1cc871db817cc243d4ecd32f25ee12fcd819f17

SHA512
c9f93bcb474814c49be81c6968ad31533d1049d1b0506638e65965989796de57a338a30bb42521adb421fabdd42b491ae57acc3b1d7e24c8b0f4095fdcd72c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE3.exe

Filesize
15KB

MD5
b0af86285b79006133c0b21141d75f09

SHA1
c2adfc842260c07c605df1ddce1ff44b0666b411

SHA256
c0cede4224523ab3f0987f884b516a5540ecd4d53db4e1b30a8eaf516d1b3bec

SHA512
82a9da537a8bf07be492579c5e899afbb99546ca7b1c5d9ad08adf6299d09b9ba8dca592ec8eaecec5dc5e47529d876b179b88e453d6ffd2d7daaf772fdc0c85

Download Submit
\Users\Admin\AppData\Local\Temp\DEM61EE.exe

Filesize
15KB

MD5
9b085a63a4ea3e67f58e3f42cb4f73d7

SHA1
ef7b1cd8974f8114b3e9d4cfbee2f4434c854339

SHA256
d1ff7fb4600821a5ab8fe1a3598a55b2de8f8cb93af2701b3720333d30c3b82c

SHA512
1016fcba677b9ef3e3002c1576ccbf85683fc10c808ac9dbf3bd315c3a008afd6f7985980f7749978451eb9b5d32081404f9f47b8f7f060f9640fa88db337e94

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB71F.exe

Filesize
15KB

MD5
7db58f0a3e66828483e2ce44ab9423b0

SHA1
8e518a114d52f78ff5a787350722d668194bad50

SHA256
1977b4ab4224bf2857f87199044a0b02734a2f215b4e90314af79a83bb6ecba0

SHA512
653244eea1eb2f9591e2a93825b6d3a1a44ed37e144b627528440387275afd3f157706262f523d0e275ff37fe3ebabd7fe6af2d3ceebea0d7aff5c2fa408ec3d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB75D.exe

Filesize
15KB

MD5
5f7947517721a64d869d05910984c30e

SHA1
09ebdcd96e189415324c2b2dfb5ff9cf31dfdea3

SHA256
1f10f8c0da81b3e7cc2ef35111e9fa59ce684a40ed0ce024ed2d2d49253e081f

SHA512
aa7b97709767aa4e7b9b2e0b25403f99e76f08c186bbd4db14432a3475f0be4a59195d0b5422652a77848e47956df423e83e40772540fc2d0ca1e89ffacdce28

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC9E.exe

Filesize
15KB

MD5
cee5f1a20d48925dc147164dfc6ea18b

SHA1
1cee295b18eeaf94a9955cbf17f5e3c9922efdcf

SHA256
fe1da549fe87064129973ccbbc0207e11902d797556d1ed369d21259d8a4b6aa

SHA512
120293af97317c00dc098e4eae7c2445f5abe8961a4dd1781dc2eace28d3fcf527b3c2f5fcd257af0b54c4deb5d8207440ce2770ff8a20da0eca4e41fcda0261

Download Submit

Analysis

Sharing