aa2b5dfdbcdc575e456161b37d4290444070217e874b9e66276cfa687f1090cc

General

Target

fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe
Size

14KB
MD5

fa3bb13c3afb72fe3c4ad1f3eec80bc0
SHA1

2a936b3b7742fad42f65c50c2a9202d12bc403b5
SHA256

aa2b5dfdbcdc575e456161b37d4290444070217e874b9e66276cfa687f1090cc
SHA512

71a851b4b4d50d9d1abfb2a23de797a8733bd7be0986e3acc24d707c4c9205fbed7f0b67d9e5b5a589487c0da74e96e96dfd9bfdadc5158fd143be7558a4f355
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5N:hDXWipuE+K3/SSHgxmz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2504	DEM6162.exe
2692	DEMB847.exe
2252	DEMF0E.exe
1964	DEM6587.exe
2500	DEMBCAB.exe
2812	DEM12C6.exe

Loads dropped DLL 6 IoCs

pid	Process
2944	fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe
2504	DEM6162.exe
2692	DEMB847.exe
2252	DEMF0E.exe
1964	DEM6587.exe
2500	DEMBCAB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2504	2944	fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2504	2944	fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2504	2944	fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2504	2944	fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe	29
PID 2504 wrote to memory of 2692	2504	DEM6162.exe	33
PID 2504 wrote to memory of 2692	2504	DEM6162.exe	33
PID 2504 wrote to memory of 2692	2504	DEM6162.exe	33
PID 2504 wrote to memory of 2692	2504	DEM6162.exe	33
PID 2692 wrote to memory of 2252	2692	DEMB847.exe	35
PID 2692 wrote to memory of 2252	2692	DEMB847.exe	35
PID 2692 wrote to memory of 2252	2692	DEMB847.exe	35
PID 2692 wrote to memory of 2252	2692	DEMB847.exe	35
PID 2252 wrote to memory of 1964	2252	DEMF0E.exe	37
PID 2252 wrote to memory of 1964	2252	DEMF0E.exe	37
PID 2252 wrote to memory of 1964	2252	DEMF0E.exe	37
PID 2252 wrote to memory of 1964	2252	DEMF0E.exe	37
PID 1964 wrote to memory of 2500	1964	DEM6587.exe	39
PID 1964 wrote to memory of 2500	1964	DEM6587.exe	39
PID 1964 wrote to memory of 2500	1964	DEM6587.exe	39
PID 1964 wrote to memory of 2500	1964	DEM6587.exe	39
PID 2500 wrote to memory of 2812	2500	DEMBCAB.exe	41
PID 2500 wrote to memory of 2812	2500	DEMBCAB.exe	41
PID 2500 wrote to memory of 2812	2500	DEMBCAB.exe	41
PID 2500 wrote to memory of 2812	2500	DEMBCAB.exe	41

C:\Users\Admin\AppData\Local\Temp\fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\DEM6162.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6162.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\DEMB847.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB847.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\DEMF0E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF0E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\DEM6587.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6587.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\DEMBCAB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBCAB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe"
        7⤵
        Executes dropped EXE
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB847.exe

Filesize
14KB

MD5
e6aa1f1b978ea023e1ca87812832733e

SHA1
d0ff941021ec6f86c9438d3e950280e59bd37b57

SHA256
9156cac330b6bc52c527c6db3269dfd251063e7665560b0dbce642a409b94332

SHA512
ef7da5be276e5b9c425bd8c0f73d616b9bef428a7956ef700d119e4c248031d6f485b75453fe94e46bb76e8a32f13aff756484e11d03b9dedb7f529923ab562e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM12C6.exe

Filesize
15KB

MD5
508fee6bf6207cab6df007548b38460d

SHA1
3b219c5fd722b469959e92f801f7f1ab0a21e30d

SHA256
7a2e2b313bf505e2f3634d06988edb005c5680983e0dcdfe67e3f2bd08a359ff

SHA512
2c54952c5e03a8140408e4e2ddad7c348d75815b191a13ad76b6dfc54b674bfb4ba3bfd0a6b23a6ae27fa6195e000b794d62973d012f0130636a6a606b6365cf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6162.exe

Filesize
14KB

MD5
10097a4780e3031c5815bac19d35e58d

SHA1
d68812c0c40665e1d78bdad878f518c32456cdd1

SHA256
f21d38eb59ac1a4651b7baf53481eb77102b5b9f71bca466b635f7ea6ec78df3

SHA512
99d5776ca563ae23a72ca7b0f5ea0a312e6ebe6e9fdf994e0205f39ee5617ce087453fe5aa2aa68c097ba583681549389d99435fba301fc1493b58ddef044f81

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6587.exe

Filesize
14KB

MD5
24f04440db78fea7aff277e764ddebb1

SHA1
fe3f01b7d55a98e6db60050dde3ff63d2e428372

SHA256
6be36a7f7b4b8dcdd06eba8eb1f6898e5ed16e6c9eae87d304e3d6d7ecbb5e98

SHA512
82bd7bf7979145fa2233c794885b82a64331ffd0129a42a88f1934454f9b7c04ec474f15b3d4db0b6add1fb671a31e8f1da905c8e56d63366153a451c1f26430

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBCAB.exe

Filesize
14KB

MD5
f8df0bd82651dc728ac911e992fe59cb

SHA1
cebc764c593235a497fa2eeb7c2abb75b1a7d9d0

SHA256
b985387f52c75e325d6a6745a46cb83907f1feb07cc2c424e5e53ef74fb0055b

SHA512
4eeeb2e3aa190b13ad04d1b566ec9063612be277d9135154e0b5cb6007e9a5a329c859e006ae71766732be7699daccbe53d43311b5697f41c88fc923c336beb8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF0E.exe

Filesize
14KB

MD5
825898e001e94a02de24b2ec03f1f0c6

SHA1
ebbda9ce6cf4a70f005c4dc791af6aaf4f1a8597

SHA256
1c95ae11d55ffb0983e5d101d34626e59561e96c0f337aa7879d3751225fa923

SHA512
f246b9ba16040815c429c470c07eb7aab5a1dd116fea8eebfbafc6756f51cc69d11c024760fe715005e11700cdc92e43c4b6696659fb54dc2df90c1a2f388b2c

Download Submit

Analysis

Sharing