ba31660aaea6e1db272ed051f10edb68c2aa8618d595a1c784a8eaf8b98716cc

General

Target

0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe
Size

14KB
MD5

0af5cf02ae4e6ddfed1bc9d927d9738f
SHA1

3e515fe0be70cc8111c109e57b1af675106b878b
SHA256

ba31660aaea6e1db272ed051f10edb68c2aa8618d595a1c784a8eaf8b98716cc
SHA512

6381133476861152c414384295c4660aabcd68680c19cb1778cde5930929bfbaea703e7ca6c3cfa8ca2b523f1c85d39e8e034cb86d1f08f93c0bdd8a36cab73d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYT/:hDXWipuE+K3/SSHgxmT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2172	DEM1584.exe
2852	DEM6B12.exe
2840	DEMC043.exe
1944	DEM1593.exe
2712	DEM6AE3.exe
2140	DEMC024.exe

Loads dropped DLL 6 IoCs

pid	Process
3024	0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe
2172	DEM1584.exe
2852	DEM6B12.exe
2840	DEMC043.exe
1944	DEM1593.exe
2712	DEM6AE3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2172	3024	0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe	29
PID 3024 wrote to memory of 2172	3024	0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe	29
PID 3024 wrote to memory of 2172	3024	0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe	29
PID 3024 wrote to memory of 2172	3024	0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe	29
PID 2172 wrote to memory of 2852	2172	DEM1584.exe	31
PID 2172 wrote to memory of 2852	2172	DEM1584.exe	31
PID 2172 wrote to memory of 2852	2172	DEM1584.exe	31
PID 2172 wrote to memory of 2852	2172	DEM1584.exe	31
PID 2852 wrote to memory of 2840	2852	DEM6B12.exe	35
PID 2852 wrote to memory of 2840	2852	DEM6B12.exe	35
PID 2852 wrote to memory of 2840	2852	DEM6B12.exe	35
PID 2852 wrote to memory of 2840	2852	DEM6B12.exe	35
PID 2840 wrote to memory of 1944	2840	DEMC043.exe	37
PID 2840 wrote to memory of 1944	2840	DEMC043.exe	37
PID 2840 wrote to memory of 1944	2840	DEMC043.exe	37
PID 2840 wrote to memory of 1944	2840	DEMC043.exe	37
PID 1944 wrote to memory of 2712	1944	DEM1593.exe	39
PID 1944 wrote to memory of 2712	1944	DEM1593.exe	39
PID 1944 wrote to memory of 2712	1944	DEM1593.exe	39
PID 1944 wrote to memory of 2712	1944	DEM1593.exe	39
PID 2712 wrote to memory of 2140	2712	DEM6AE3.exe	41
PID 2712 wrote to memory of 2140	2712	DEM6AE3.exe	41
PID 2712 wrote to memory of 2140	2712	DEM6AE3.exe	41
PID 2712 wrote to memory of 2140	2712	DEM6AE3.exe	41

C:\Users\Admin\AppData\Local\Temp\0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\DEM1584.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1584.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\DEM6B12.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6B12.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\DEMC043.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC043.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\DEM1593.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1593.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Users\Admin\AppData\Local\Temp\DEM6AE3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6AE3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\DEMC024.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC024.exe"
        7⤵
        Executes dropped EXE
        
        PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6AE3.exe

Filesize
14KB

MD5
3cc79431ce0f237513f4c5485a651e01

SHA1
45b178cf00ddfce4fcfb473bd794c9ab8d873545

SHA256
dbb41d8aaf12cf97ddd1b97d59179caf7033d29f9e14578140e3897fa0296da0

SHA512
da3a1ff9a49e2c4445597d32841ab619ee91f5f4c9e1f5a3a68e7e20c156d2a070c8c81ad63c371cdefcdde930178c85e86ba94e5f4818db82a192cd548b13cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B12.exe

Filesize
14KB

MD5
5937927ea2c8ec1e111652cd531b6254

SHA1
8ad393ae9fe570580611687a54febd2258e22253

SHA256
cdafc65e736eff3691bd63b76751d2740300aefa980291544b95355af977697f

SHA512
cd90fb04fef5d25b64d1cb4d3ab727d1924c97ddfe8ccc5b488a8fd4d9a0c1c70a7edf3448b16af4aeb5fa5d1457f07af9d0e67af3041f2529292cc68be37d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC024.exe

Filesize
14KB

MD5
08f63d234b235d8ea20f24b92bafcc56

SHA1
75e2f04f8a4726b01f08f8e807822d9dc7acc114

SHA256
42e33659c84c510b6faadff02dc989ab11f703b84c4e6f6852a5b99554c12563

SHA512
aab0da6a7f7e4f720bd206a52570ef82489086a6c7d0699638f9e8ea5d731ff92911ad1b38c5de34df332327b7b8c42ce24a0331df787ff6323487dcdc99f201

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1584.exe

Filesize
14KB

MD5
5339d154a908ec83a153777fe0a0ee5f

SHA1
e218831f1a79bce1fbf479042c94b222641f628a

SHA256
0fd245aa8e0804151f36a025b4453c6a682c5746b5513bba0fb6fed58bb9b4d3

SHA512
92bdcaa947903344f8de0c9d527077f350813a8a98975ab9a2582be5689814dc907fc8d7e3baa66a2d2c5c0e6a3351b37a2e514532b7582c30b4b453dcd4c2e2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1593.exe

Filesize
14KB

MD5
7e84aca22eb3d9482b7c1955f0dd3098

SHA1
2957f17dd3b5c6fb81a8aca440ad2a7a21ce6716

SHA256
3b828dabe9afe97b33e9d9a75753add7caf4be1b28fb925e738757cb83a77866

SHA512
d4f069bad51644a8ab05683443ca4b578b92aa5a01295e32a81be7f2c138cd42852a4908a636e773b1ee9af7a9d553e763cedadc86518bc3814e1bbf29756802

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC043.exe

Filesize
14KB

MD5
4872974ec2dd09373df0075ff8edf578

SHA1
e26d87a20f74348effae14d0d7033700f9e3f75e

SHA256
d507b7400787941805deb2722932350b359222518ff72846b5dce0ac8258760b

SHA512
e53321555b80826cb6adc186fed52199558dac19f94ec8e4ef4719cece0467f8836f803a790c9c5a8d3b5475907d6a2d5eaafb6229a7681e85613f47bceb1092

Download Submit

Analysis

Sharing