a1c84cf4f33d8626e2395c81868fe38907742686efe30a8192c5c9fea194eb1b

General

Target

07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe
Size

15KB
MD5

07a179275272eaedd0bc8de4db091ab6
SHA1

b54b8e361edb7961bb91b819b77c8d5eb4063833
SHA256

a1c84cf4f33d8626e2395c81868fe38907742686efe30a8192c5c9fea194eb1b
SHA512

21b0c9e6db0c3523ea4b207c0ae307fe7d9dc91b6eafeb603ec7941e41a09b13881464b243f1e7fff8c4d25c8bbc293f87269208564cd03510b74412cab675aa
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8x:hDXWipuE+K3/SSHgxm8x

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3012	DEM52F.exe
2864	DEM5A9E.exe
2960	DEMB00D.exe
2684	DEM609.exe
1512	DEM5B79.exe
1960	DEMB136.exe

Loads dropped DLL 6 IoCs

pid	Process
2360	07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe
3012	DEM52F.exe
2864	DEM5A9E.exe
2960	DEMB00D.exe
2684	DEM609.exe
1512	DEM5B79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3012	2360	07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe	29
PID 2360 wrote to memory of 3012	2360	07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe	29
PID 2360 wrote to memory of 3012	2360	07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe	29
PID 2360 wrote to memory of 3012	2360	07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2864	3012	DEM52F.exe	31
PID 3012 wrote to memory of 2864	3012	DEM52F.exe	31
PID 3012 wrote to memory of 2864	3012	DEM52F.exe	31
PID 3012 wrote to memory of 2864	3012	DEM52F.exe	31
PID 2864 wrote to memory of 2960	2864	DEM5A9E.exe	35
PID 2864 wrote to memory of 2960	2864	DEM5A9E.exe	35
PID 2864 wrote to memory of 2960	2864	DEM5A9E.exe	35
PID 2864 wrote to memory of 2960	2864	DEM5A9E.exe	35
PID 2960 wrote to memory of 2684	2960	DEMB00D.exe	37
PID 2960 wrote to memory of 2684	2960	DEMB00D.exe	37
PID 2960 wrote to memory of 2684	2960	DEMB00D.exe	37
PID 2960 wrote to memory of 2684	2960	DEMB00D.exe	37
PID 2684 wrote to memory of 1512	2684	DEM609.exe	39
PID 2684 wrote to memory of 1512	2684	DEM609.exe	39
PID 2684 wrote to memory of 1512	2684	DEM609.exe	39
PID 2684 wrote to memory of 1512	2684	DEM609.exe	39
PID 1512 wrote to memory of 1960	1512	DEM5B79.exe	41
PID 1512 wrote to memory of 1960	1512	DEM5B79.exe	41
PID 1512 wrote to memory of 1960	1512	DEM5B79.exe	41
PID 1512 wrote to memory of 1960	1512	DEM5B79.exe	41

C:\Users\Admin\AppData\Local\Temp\07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\DEM52F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM52F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\DEM5A9E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5A9E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\DEMB00D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB00D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\DEM609.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM609.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Users\Admin\AppData\Local\Temp\DEM5B79.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5B79.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\DEMB136.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB136.exe"
        7⤵
        Executes dropped EXE
        
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5A9E.exe

Filesize
15KB

MD5
274ac892af3817d0db8db03e3f3da711

SHA1
18233dbde94467687d1bff4634ffc0096fdc4855

SHA256
2dc996c758c9515bf0029603b29f5bd01622ccdc4b2cf4cd2c302db933ba528a

SHA512
710795e8fc304171c639180a91d4f73a98ac6a83a8342dba027d967c992842a5a76dd2c27839b35e5d9c6057e9a41a1ba11bd76557b5c2c6f9ea3eaff6f787aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB00D.exe

Filesize
15KB

MD5
06aca79fadc35250408a623b578bfacc

SHA1
0dadf080fd421c5b1424b47769f9618fd7774684

SHA256
f4db5fc4c89a5ad40361ba739928140578995811daba519d491735cebe28ce95

SHA512
166e8065ba50e48158974c7873a6a7cf3130edf2d5f162dface0e8bfc838fdb3bc7cfc004e6396ecff3a0e542a54c7c0abfa3875298623ef71e8d44209951845

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB136.exe

Filesize
15KB

MD5
a52a74fb789b9af22a105731fd041068

SHA1
cf790e758bda069abec5966356955754a70d0228

SHA256
dde0a73e2e79f2bc13948a448020467aa44413e32ef2ba3fa9b94954b2a36efe

SHA512
4356d6d96751aa3751d4fcaa84cddb6f2db66bccbdd4a77788e57c996449a5311bddf5c17f0f1f85140ed69bcde5e6837338690a3f553de6d9f8f7faebb343bb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM52F.exe

Filesize
15KB

MD5
9af49989d9f72481b55378367276f667

SHA1
7155d8cbb33aca07f047db535144d74a4e1a0eef

SHA256
2d0520b1d4dbafbe80d98b8da38409b5dd91cb402d8e7ee73165ea718cca67eb

SHA512
b7578969e54961888d8f96d66d2da2f08f43aa854ca5312a9294aa26f56894c1f9d97fe066b077933546ae2bc2835df5efc1e0e9f3b7336890b0720f92f47f85

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5B79.exe

Filesize
15KB

MD5
b0ff1aff3574a42529f3d09340d9ae6c

SHA1
6ab3e36f41e0d0daf4361bae94dae20dffc1ab1d

SHA256
4a2b8b1670a2d85828c1bdaafa360460b347b326dabf47d3f8346ba4f98d8546

SHA512
a6a47248f4485b6b09e0327cde6baf77258acee9b0cc5520280724942dc7fac846d50ab06180f1db7d4221b769caaed7fe2605c13bb8706a2ce1621efe0c3c24

Download Submit
\Users\Admin\AppData\Local\Temp\DEM609.exe

Filesize
15KB

MD5
0b06573230f800b608ef1d90c7dddd90

SHA1
b9019cdac3f40e476f5c390307ce520085b79566

SHA256
8bf9570a681d16d47b5c42ee964f6cadb5d5dac827a7686512eabbb971be3f4e

SHA512
8fe9c1f1e2e8898da63fe4dddc8d8f0f4bcd02bc9a007f6a8562e42fffc3a7a59ac16e0a85a52377cebcec590564c28544cfeed78bf70a85389cd778313a3a11

Download Submit

Analysis

Sharing