675df4e95365007f3f3da8fd28b1e6687cfd513217718b01b8f0ea7562637a21

General

Target

089db6727582e6e158b513367b561a46_JaffaCakes118.exe
Size

14KB
MD5

089db6727582e6e158b513367b561a46
SHA1

d5b7e927cc79273771472132597b432a096797bd
SHA256

675df4e95365007f3f3da8fd28b1e6687cfd513217718b01b8f0ea7562637a21
SHA512

e914061db4383ca435323fbce02b923ba23b0f23cf1593c020331097fa73bd8d1a948971cdb29595a14be85f97848257902e721cc9a153d9b8c516d44d417298
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXd2:hDXWipuE+K3/SSHgx3N2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3004	DEM1287.exe
1208	DEM6825.exe
2580	DEMBD95.exe
316	DEM1314.exe
2456	DEM6893.exe
2464	DEMBE21.exe

Loads dropped DLL 6 IoCs

pid	Process
1304	089db6727582e6e158b513367b561a46_JaffaCakes118.exe
3004	DEM1287.exe
1208	DEM6825.exe
2580	DEMBD95.exe
316	DEM1314.exe
2456	DEM6893.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 3004	1304	089db6727582e6e158b513367b561a46_JaffaCakes118.exe	29
PID 1304 wrote to memory of 3004	1304	089db6727582e6e158b513367b561a46_JaffaCakes118.exe	29
PID 1304 wrote to memory of 3004	1304	089db6727582e6e158b513367b561a46_JaffaCakes118.exe	29
PID 1304 wrote to memory of 3004	1304	089db6727582e6e158b513367b561a46_JaffaCakes118.exe	29
PID 3004 wrote to memory of 1208	3004	DEM1287.exe	31
PID 3004 wrote to memory of 1208	3004	DEM1287.exe	31
PID 3004 wrote to memory of 1208	3004	DEM1287.exe	31
PID 3004 wrote to memory of 1208	3004	DEM1287.exe	31
PID 1208 wrote to memory of 2580	1208	DEM6825.exe	35
PID 1208 wrote to memory of 2580	1208	DEM6825.exe	35
PID 1208 wrote to memory of 2580	1208	DEM6825.exe	35
PID 1208 wrote to memory of 2580	1208	DEM6825.exe	35
PID 2580 wrote to memory of 316	2580	DEMBD95.exe	37
PID 2580 wrote to memory of 316	2580	DEMBD95.exe	37
PID 2580 wrote to memory of 316	2580	DEMBD95.exe	37
PID 2580 wrote to memory of 316	2580	DEMBD95.exe	37
PID 316 wrote to memory of 2456	316	DEM1314.exe	39
PID 316 wrote to memory of 2456	316	DEM1314.exe	39
PID 316 wrote to memory of 2456	316	DEM1314.exe	39
PID 316 wrote to memory of 2456	316	DEM1314.exe	39
PID 2456 wrote to memory of 2464	2456	DEM6893.exe	41
PID 2456 wrote to memory of 2464	2456	DEM6893.exe	41
PID 2456 wrote to memory of 2464	2456	DEM6893.exe	41
PID 2456 wrote to memory of 2464	2456	DEM6893.exe	41

C:\Users\Admin\AppData\Local\Temp\089db6727582e6e158b513367b561a46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\089db6727582e6e158b513367b561a46_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\DEM1287.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1287.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\DEM6825.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6825.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\DEMBD95.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBD95.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Users\Admin\AppData\Local\Temp\DEM1314.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1314.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\DEM6893.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6893.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\DEMBE21.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBE21.exe"
        7⤵
        Executes dropped EXE
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6825.exe

Filesize
14KB

MD5
188a30e87a30cde0637023c501adfa92

SHA1
d4bec1391379612b41eb116bd998d557681d024e

SHA256
0b44ae9b1b7d2bc8b170fec865fd3361836301bf3a3110a837c975e55efab490

SHA512
224c9c73106dad3cdb8a271b149744705d5a743c20af0dd15cbcd5b79e100fb2e632788128b06b622b2f1ee35733a4b81dc812ab081b7cf34e308f6cf807d609

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE21.exe

Filesize
14KB

MD5
9bc9acc5d3298eda79f2696108c800a3

SHA1
f271533f8277d7f347b240ee9e42a695b76bfdcc

SHA256
4d3fdef9ff58c559be94ceb4e2a8b6b51f12a1e2a43f23ec5c019350c13f98d2

SHA512
cf1e738175b1027f3f2b2e84aa7467e722c5407a0d0885fc3df19335bbac159a4af07324c78fa6cd9eb1cc07424a7338cdfda421eabb53b62f02418ab8c227bf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1287.exe

Filesize
14KB

MD5
763a435a8cf49a449670df4cd12f05f5

SHA1
297d1709857173e98bcd509440ffcd811c026fd7

SHA256
8a4c75cc0424469ca5db31e6f2e6c5ccfb9bc6596c91258fb2e2abf32ec0f758

SHA512
8b0693e0100c3904ec0a22a6ebbd88545953cca5578536f9f32a9bb2966547faf9f885580cb6c33c7e348dfdb239949597594c98fb499c196d421481ba993f1a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1314.exe

Filesize
14KB

MD5
ed1c61816fa8f943debfe93880777d36

SHA1
1e967f378cac044ebff554d12518f850aad90512

SHA256
b432f0ad3f7003cbc653727d6d5cea349679963a2d789679689d9dee9e3ba921

SHA512
91e108d61c8db70744a997406161ca56eed2636d343a63f724fd98871319d637aaf6334ce178c1874dc007166addfdf8730b1e906f5e8dbc1df5c96369638003

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6893.exe

Filesize
14KB

MD5
38c36a84649760f0dd612c4358e6d2ce

SHA1
efe495e15458b4d1455a52cbf494d21025da67e7

SHA256
6fb6bf58e9edcf1875b92db937d56360657bb5d85500dacd5f3f5b9a74848913

SHA512
7c5f89d03d3baa0a7041d9a1d10f53c2c6b5e49246e8851f8e7610a2b361da0418308d1e2423ad87aca47faf3dca6c35f8732f334050f47e71e4ee0a4fc290bb

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD95.exe

Filesize
14KB

MD5
f805359326ffdfe9d7f5085142ffd902

SHA1
48626c2317132ddcb8c3d24358f5bde0fcc7037a

SHA256
004536b44b56af65d6fa2c0d5cf8fc48e144077dfe1af619ab3c291a737af2c9

SHA512
681931653ab8a769ce7b2f9a6426b586aa5d01524069e42e6b975be3efbdcb9fae72d18335a0191853b95378342fdd122f53790ffe6e9e6fe6d7bbc7656ce6cf

Download Submit

Analysis

Sharing