6525f367c2bb3fed160a7cbd0b1728fa04edc7e4f5f988a8653bbd9f48388c3b

General

Target

ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe
Size

14KB
MD5

ffc17fd836338e7a3fd49c1e5476646c
SHA1

cba4ba66d716dc4212af2cf74168a6fdb03e0af7
SHA256

6525f367c2bb3fed160a7cbd0b1728fa04edc7e4f5f988a8653bbd9f48388c3b
SHA512

fff289c624b455e001d2027e53aebf66962f92767b49b61fb3a7e061b6ecf3b7315e4fec7aa302a0713d9e543377e4d6ab1214b05b727c8a686e28c326f56c7a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhpLJ:hDXWipuE+K3/SSHgxp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2596	DEME05.exe
2632	DEM6355.exe
2924	DEMB876.exe
1284	DEMDD6.exe
1924	DEM6307.exe
2120	DEMB838.exe

Loads dropped DLL 6 IoCs

pid	Process
2928	ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe
2596	DEME05.exe
2632	DEM6355.exe
2924	DEMB876.exe
1284	DEMDD6.exe
1924	DEM6307.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2596	2928	ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe	29
PID 2928 wrote to memory of 2596	2928	ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe	29
PID 2928 wrote to memory of 2596	2928	ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe	29
PID 2928 wrote to memory of 2596	2928	ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2632	2596	DEME05.exe	31
PID 2596 wrote to memory of 2632	2596	DEME05.exe	31
PID 2596 wrote to memory of 2632	2596	DEME05.exe	31
PID 2596 wrote to memory of 2632	2596	DEME05.exe	31
PID 2632 wrote to memory of 2924	2632	DEM6355.exe	35
PID 2632 wrote to memory of 2924	2632	DEM6355.exe	35
PID 2632 wrote to memory of 2924	2632	DEM6355.exe	35
PID 2632 wrote to memory of 2924	2632	DEM6355.exe	35
PID 2924 wrote to memory of 1284	2924	DEMB876.exe	37
PID 2924 wrote to memory of 1284	2924	DEMB876.exe	37
PID 2924 wrote to memory of 1284	2924	DEMB876.exe	37
PID 2924 wrote to memory of 1284	2924	DEMB876.exe	37
PID 1284 wrote to memory of 1924	1284	DEMDD6.exe	39
PID 1284 wrote to memory of 1924	1284	DEMDD6.exe	39
PID 1284 wrote to memory of 1924	1284	DEMDD6.exe	39
PID 1284 wrote to memory of 1924	1284	DEMDD6.exe	39
PID 1924 wrote to memory of 2120	1924	DEM6307.exe	41
PID 1924 wrote to memory of 2120	1924	DEM6307.exe	41
PID 1924 wrote to memory of 2120	1924	DEM6307.exe	41
PID 1924 wrote to memory of 2120	1924	DEM6307.exe	41

C:\Users\Admin\AppData\Local\Temp\ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\DEME05.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME05.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\DEM6355.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6355.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\DEMB876.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB876.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\DEMDD6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Users\Admin\AppData\Local\Temp\DEM6307.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6307.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\DEMB838.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB838.exe"
        7⤵
        Executes dropped EXE
        
        PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6355.exe

Filesize
14KB

MD5
ab013fe455d521aee293ee704818d481

SHA1
895af38ccd5885934537947029e05de2f2acd5b0

SHA256
bbb28408e624748446c6d286059722f89bdeb91d27ee41fd5f4e0702ff0b532d

SHA512
0f6637279fad4a86f4c36a4dad4a53ed07c2a3cacbee2211c5c81a766436495ebd31d9749bfd4d1e89936717bc393884a886da31140a4982e84608e73f392226

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB876.exe

Filesize
14KB

MD5
a05b6c3e46280af7bdc7d6db73d8c456

SHA1
811f2f0f9a25b2ac94f213e32e9fff71932de953

SHA256
8862af1b5e1830d76a56810f602d9e13a09e1fb8406ec2fd533386ddb63eac3d

SHA512
b821079f98e7a61346cbfc481e8a867cb9125ad883c4e6c7be5c88c90df71241d7458c7a7c519f96140233e437cf955bdfe50488a578994f962087c8db81d3c2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6307.exe

Filesize
14KB

MD5
772efa18413c915f3c45f466a9eb7849

SHA1
c243a8390d17011216e3ac1b45335560f883fe2a

SHA256
bc215aef5669a69805d05c5d5c5e563fba20325b099d62765a9c68dd09593522

SHA512
5e821104e52da01210f7f011bb97e0cc4b64cf9ddcc6ff5ab0c70b85821b9a197857d9567b19ab81bbeb1489b05c2de16ce85be5c44c2c74399f0a101ff809c8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB838.exe

Filesize
14KB

MD5
f0b282ed427e10a1ed4436c0d2a03045

SHA1
5361fffecfd0470a1a6ff3431278dcc2423c691a

SHA256
274160a035ca0611522f380c53c5d8233cb480cf2d680b5549498380aca70575

SHA512
93fd397ca5593ae6f9ba6c835d09137b7bb46e4a29e82326184ac8569feaddb53cd14c8c4b53a9b1d7ba44599921a3d7e28bca331fb96eb6b82989a04abe1ab5

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDD6.exe

Filesize
14KB

MD5
2b80f63f1fabee2fa6225958bf7277d8

SHA1
fa74f0db4ee4f6158d10c1114390453913707fd1

SHA256
04e47aea24cf5ad3714add90438f0a9740d64668b2574280ed20e26ea3bd2f14

SHA512
a98fca8786033e1c24c6fe5ea9e3c54e863671ce8b409863d28e5ac7df704777ec642945ffac638b669e81191194ac1842fdcbd7724a4d35017c19495ce37162

Download Submit
\Users\Admin\AppData\Local\Temp\DEME05.exe

Filesize
14KB

MD5
fd696032c54e72aed48405de450b5195

SHA1
b110bc72cb19b5edad70872a13b27f14192db034

SHA256
87631d885c8dba070acc234a8fa21ba7aa31a1db696f44f2523b85b1fb60025b

SHA512
888a6ff989505058e9e25e9d0c79b19297f348c924b34a656b1298a26e88a02b30b1c81de5b711894ff9994935b3bf972f98fe1c5157695d25618965e8fb5228

Download Submit

Analysis

Sharing