ab653fbc0331f42a46943415fbfd20ba5cd618ce08601e24c437e1cf7a17374e

General

Target

0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe
Size

14KB
MD5

0a95f401af9f4eaf823cbf0900270245
SHA1

73b9cb3ef7459dc6a8fdd1eacb7225f2c336bfc2
SHA256

ab653fbc0331f42a46943415fbfd20ba5cd618ce08601e24c437e1cf7a17374e
SHA512

2fd1edf1b669b9d471446758d77649abe2fda05923e4af5a7f3d55d770875dcbdd3829a7397d71ac3c0dcc67a7f473991e45c9e5f579df44eef20081c0790a36
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhT6:hDXWipuE+K3/SSHgxN6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2672	DEMEDF.exe
2484	DEM647D.exe
2752	DEMB9DD.exe
1828	DEMF3D.exe
2216	DEM647E.exe
1924	DEMB9DE.exe

Loads dropped DLL 6 IoCs

pid	Process
2412	0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe
2672	DEMEDF.exe
2484	DEM647D.exe
2752	DEMB9DD.exe
1828	DEMF3D.exe
2216	DEM647E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2672	2412	0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2672	2412	0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2672	2412	0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2672	2412	0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe	29
PID 2672 wrote to memory of 2484	2672	DEMEDF.exe	31
PID 2672 wrote to memory of 2484	2672	DEMEDF.exe	31
PID 2672 wrote to memory of 2484	2672	DEMEDF.exe	31
PID 2672 wrote to memory of 2484	2672	DEMEDF.exe	31
PID 2484 wrote to memory of 2752	2484	DEM647D.exe	35
PID 2484 wrote to memory of 2752	2484	DEM647D.exe	35
PID 2484 wrote to memory of 2752	2484	DEM647D.exe	35
PID 2484 wrote to memory of 2752	2484	DEM647D.exe	35
PID 2752 wrote to memory of 1828	2752	DEMB9DD.exe	37
PID 2752 wrote to memory of 1828	2752	DEMB9DD.exe	37
PID 2752 wrote to memory of 1828	2752	DEMB9DD.exe	37
PID 2752 wrote to memory of 1828	2752	DEMB9DD.exe	37
PID 1828 wrote to memory of 2216	1828	DEMF3D.exe	39
PID 1828 wrote to memory of 2216	1828	DEMF3D.exe	39
PID 1828 wrote to memory of 2216	1828	DEMF3D.exe	39
PID 1828 wrote to memory of 2216	1828	DEMF3D.exe	39
PID 2216 wrote to memory of 1924	2216	DEM647E.exe	41
PID 2216 wrote to memory of 1924	2216	DEM647E.exe	41
PID 2216 wrote to memory of 1924	2216	DEM647E.exe	41
PID 2216 wrote to memory of 1924	2216	DEM647E.exe	41

C:\Users\Admin\AppData\Local\Temp\0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\DEMEDF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEDF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\DEM647D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM647D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\DEMB9DD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB9DD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\DEMF3D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF3D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Users\Admin\AppData\Local\Temp\DEM647E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM647E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\DEMB9DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB9DE.exe"
        7⤵
        Executes dropped EXE
        
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM647D.exe

Filesize
14KB

MD5
c3b6d20a9ad0ea5cc6aa45bb66eb0560

SHA1
3ea0a47e8f57615f1b8d5770aade60b365202088

SHA256
9cd4b55223bf0a1ca2545c4a3235abdfc399bc31a956dde6b112992fbba570fe

SHA512
f894dc075faf93c70c680fd66ec26bb38221daf36506c838dd7e25cba8e6c232f82a47d73c5b3614d58a531cd1e1d8bb01e2f74e01fa92a20a0d3d4969509b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEDF.exe

Filesize
14KB

MD5
c24e6fc5cdbaf95b74a20d0478b13fff

SHA1
25d4b2b31785166699a27a0f8a2f74e87f92f97b

SHA256
375b2c2d9a569a89bda4fe487bab44e7efd6251013c23ce169a43aabf421836f

SHA512
40d1539de3a0d7a4048980899dd1250893134315c93bdcff22d9dd86bc13c56d60ae7c9c7f60d27cef685c5ece16cd8f5ad97d103444e2e4d17728cdfac53056

Download Submit
\Users\Admin\AppData\Local\Temp\DEM647E.exe

Filesize
14KB

MD5
c49fe2c2e65843319f7552bf8af0dedf

SHA1
9c76d03e6c1c455475563064f32114497576ca3d

SHA256
6bb5ed61a336aa706259d110aa06dcb18657a790498fe6bd4cd4a12b2f8cee28

SHA512
846a90f6178a70e0c7b00851ccc06465be3b0d6875da870beb5d7f0b45de6788fe8894e4357402272f0a6536251847de2b1e57e089d056ac089186b33a43dd57

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB9DD.exe

Filesize
14KB

MD5
667c1a5cef4a9ddd19921f2dc3099470

SHA1
1f11d87f2c5f932b818fcecf1300a71f0da78431

SHA256
99c1d31e72ef8d92a1082e842aa194492bac797a4c46b91dd68f8a82a0319b83

SHA512
324172b1480a9b418217bf17ff88de4a30697f7f23fdd229f5a25127e226d7c67cfb912ca60d30acb9ed7557b03d8b4f6cb2e5ae715f35a8e4fcde43d555c2c8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB9DE.exe

Filesize
14KB

MD5
80eea0debbfd70ff0153c1477873e54e

SHA1
8ea7ff230c32432f7ac22014cde8cfae1e2a4985

SHA256
7e9795b0c77635bb6b1c98a4c8a3715f9d975c34ee0014e3c1be019b61806e00

SHA512
5cf17ea69b20531e05cff3eb3fa7a803306347388b688197543fb24ef807b7de2dfe1d2638d47b09b74fc4f60f600bbbf9f2922dbe00545b3b2f72ea2d503f2b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF3D.exe

Filesize
14KB

MD5
84dfab5e4c9270854dd4ace77217912b

SHA1
e397484b3d18e47bac58174ba48a58d1931af810

SHA256
07758e8c71a26691690fe3544f019e505f0b1b41c31f9be8ba7bf93dca0dc1bf

SHA512
30f49a226e1214ca952426e560e2a0005230ccdfc28f9a7bfac40bdfd43377ddc0e8da3968fe2161a4cc9fe7861c31788f5940cb3afd14f3b33380416abd834f

Download Submit

Analysis

Sharing