11807bbfb89228c41f03eed7edb01430e9079db525fae32977b5659b0bb2e0f0

General

Target

fe17700e8b3629eb07d960a6a4e074ad_JaffaCakes118.exe
Size

14KB
MD5

fe17700e8b3629eb07d960a6a4e074ad
SHA1

1afe9ead08b0bd54b4b1ff2ece38fc7e7110932c
SHA256

11807bbfb89228c41f03eed7edb01430e9079db525fae32977b5659b0bb2e0f0
SHA512

a52d570f845c40e84a5b12b5158087db4ea9090b38516d6e544774866cc64028ff2d06d710e3cd53c5895fa239ee4ae664cf2ace25c6fcccaaa777f8be67d6cf
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5q:hDXWipuE+K3/SSHgxm4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1624	DEM10F2.exe
2652	DEM6642.exe
1964	DEMBB73.exe
1852	DEM10A4.exe
1828	DEM65E4.exe
2656	DEMBB53.exe

Loads dropped DLL 6 IoCs

pid	Process
2832	fe17700e8b3629eb07d960a6a4e074ad_JaffaCakes118.exe
1624	DEM10F2.exe
2652	DEM6642.exe
1964	DEMBB73.exe
1852	DEM10A4.exe
1828	DEM65E4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 1624	2832	fe17700e8b3629eb07d960a6a4e074ad_JaffaCakes118.exe	29
PID 2832 wrote to memory of 1624	2832	fe17700e8b3629eb07d960a6a4e074ad_JaffaCakes118.exe	29
PID 2832 wrote to memory of 1624	2832	fe17700e8b3629eb07d960a6a4e074ad_JaffaCakes118.exe	29
PID 2832 wrote to memory of 1624	2832	fe17700e8b3629eb07d960a6a4e074ad_JaffaCakes118.exe	29
PID 1624 wrote to memory of 2652	1624	DEM10F2.exe	31
PID 1624 wrote to memory of 2652	1624	DEM10F2.exe	31
PID 1624 wrote to memory of 2652	1624	DEM10F2.exe	31
PID 1624 wrote to memory of 2652	1624	DEM10F2.exe	31
PID 2652 wrote to memory of 1964	2652	DEM6642.exe	35
PID 2652 wrote to memory of 1964	2652	DEM6642.exe	35
PID 2652 wrote to memory of 1964	2652	DEM6642.exe	35
PID 2652 wrote to memory of 1964	2652	DEM6642.exe	35
PID 1964 wrote to memory of 1852	1964	DEMBB73.exe	37
PID 1964 wrote to memory of 1852	1964	DEMBB73.exe	37
PID 1964 wrote to memory of 1852	1964	DEMBB73.exe	37
PID 1964 wrote to memory of 1852	1964	DEMBB73.exe	37
PID 1852 wrote to memory of 1828	1852	DEM10A4.exe	39
PID 1852 wrote to memory of 1828	1852	DEM10A4.exe	39
PID 1852 wrote to memory of 1828	1852	DEM10A4.exe	39
PID 1852 wrote to memory of 1828	1852	DEM10A4.exe	39
PID 1828 wrote to memory of 2656	1828	DEM65E4.exe	41
PID 1828 wrote to memory of 2656	1828	DEM65E4.exe	41
PID 1828 wrote to memory of 2656	1828	DEM65E4.exe	41
PID 1828 wrote to memory of 2656	1828	DEM65E4.exe	41

C:\Users\Admin\AppData\Local\Temp\fe17700e8b3629eb07d960a6a4e074ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe17700e8b3629eb07d960a6a4e074ad_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\DEM10F2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM10F2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\DEM6642.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6642.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\DEMBB73.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBB73.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Users\Admin\AppData\Local\Temp\DEM10A4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM10A4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Users\Admin\AppData\Local\Temp\DEM65E4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM65E4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\DEMBB53.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB53.exe"
        7⤵
        Executes dropped EXE
        
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6642.exe

Filesize
14KB

MD5
68f29d30b74b62d900333aa5c04cedad

SHA1
944842818ce3938eea88829ee10bd9f15707d0de

SHA256
9130e4d7eda2770404964a092f0aedddf06a34360a96a07b7dc704f2a1827cda

SHA512
9fb62f7f0424ae0da20a4656c7671df48cb18e8bd94b00e4424d88fe9fcb92475e9fdef3f715b54ca1f76e51c052e2d2add0b63f17c6eaf2e8dd4cd5ca4ffda2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB53.exe

Filesize
15KB

MD5
4074fded3ce5f261be2921939a08791a

SHA1
0ab1c6fa66615856dcc203692701022a076bfabd

SHA256
71ac98a5ff5f3e05d6c856bb759f5ed49d9a4da3789bd34c29cd8b901809f5e7

SHA512
9f62ac92233e2b45f9935a1086cff5761fb0d218a2c2ca2a8b528d984f19ce36406875e3a78bae21dc948d94aaabf43fbfc3f98e553d78aaa3c1999338558a75

Download Submit
\Users\Admin\AppData\Local\Temp\DEM10A4.exe

Filesize
15KB

MD5
bb268990f5dfd1313fa641c27bf18d94

SHA1
0eb64c1fe812d3f41d54f9d6559a6d576ac99e64

SHA256
c0d5465ee3b501eba8777d6eba0b5bf04ffd8f294edd134c33831fee8432cedd

SHA512
ed194466847d39859b856eafae463445c5b563d16bd794cf5a58caeea4da51ad41c151bba9d6dcd81dda758ad5622630cb1cae1b20b4fd53b49be2349af7212e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM10F2.exe

Filesize
14KB

MD5
6e5596276f67bafd89e313e65fd2f4aa

SHA1
90e1e48fca9b80f0555290f1036525fe3851722d

SHA256
e17412c15ddfa2c4327dd8c0c76dbccd4dc549469fbcf7d9add4e02f8e8ea57b

SHA512
1bf92385c49837df2715ae1dff98544402ab25ff9a2ad512a7e3ea686527b8efa6ad5288b0ea32932b82151a71ec60312e29b750a1135a1eef7b6478db2f61e9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM65E4.exe

Filesize
15KB

MD5
1852a9dc20ee61098543fef8a4275d24

SHA1
970330433d69c867d44a19bba3026b95dc2ad533

SHA256
acf47998fb9300cc632b7ea451ba18753239a0200cbb97ae4cb95ee284dd4d73

SHA512
fc8fb26b8f071dfdce85d02867c5c7875403f89bf724cedaf8dfe1dbea13f87a1896891c984255e646bae287e3f70079a8e0c03cbec7a27851468f44a89a873a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBB73.exe

Filesize
14KB

MD5
630374d62edafa66a09bd383f92853a6

SHA1
10033480e5a784bc7efc6013a943fa68ec83313a

SHA256
1b69fe15040e16f08b68ae38160d77185b34d2ab44299206a52d5fbca54e37f3

SHA512
3e381015356ab715a8dbe5a7cf99eeacc1a59e7eb1b036f1d3dac67bc15861ee2ceaa9ab879f5731d50fcc631e2a93884df0cdc9f60147b13d037ca57aa17b45

Download Submit

Analysis

Sharing