46a1e923e3f4033bff23e1890fd4f62421cb6fd3f1b6458c1b34a73504be051e

General

Target

0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe
Size

14KB
MD5

0c483e8dd777bd13dd7c6e22c14121fd
SHA1

49cd9981dab51336135247a5175f5dd1ddfe252d
SHA256

46a1e923e3f4033bff23e1890fd4f62421cb6fd3f1b6458c1b34a73504be051e
SHA512

b06ad50355d1c51b0a31cff1fce53b9c7312f6ac5928109311ae0b07910fdcac378ba00c90a9dc0f764945fe98d2d9bb2543f572ac2d7c6882390519681674f0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJrJ:hDXWipuE+K3/SSHgxnJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2736	DEM17D4.exe
2624	DEM6E5D.exe
1936	DEMC4B6.exe
2380	DEM1A64.exe
868	DEM6FF2.exe
2360	DEMC542.exe

Loads dropped DLL 6 IoCs

pid	Process
1988	0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe
2736	DEM17D4.exe
2624	DEM6E5D.exe
1936	DEMC4B6.exe
2380	DEM1A64.exe
868	DEM6FF2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2736	1988	0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe	29
PID 1988 wrote to memory of 2736	1988	0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe	29
PID 1988 wrote to memory of 2736	1988	0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe	29
PID 1988 wrote to memory of 2736	1988	0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe	29
PID 2736 wrote to memory of 2624	2736	DEM17D4.exe	31
PID 2736 wrote to memory of 2624	2736	DEM17D4.exe	31
PID 2736 wrote to memory of 2624	2736	DEM17D4.exe	31
PID 2736 wrote to memory of 2624	2736	DEM17D4.exe	31
PID 2624 wrote to memory of 1936	2624	DEM6E5D.exe	35
PID 2624 wrote to memory of 1936	2624	DEM6E5D.exe	35
PID 2624 wrote to memory of 1936	2624	DEM6E5D.exe	35
PID 2624 wrote to memory of 1936	2624	DEM6E5D.exe	35
PID 1936 wrote to memory of 2380	1936	DEMC4B6.exe	37
PID 1936 wrote to memory of 2380	1936	DEMC4B6.exe	37
PID 1936 wrote to memory of 2380	1936	DEMC4B6.exe	37
PID 1936 wrote to memory of 2380	1936	DEMC4B6.exe	37
PID 2380 wrote to memory of 868	2380	DEM1A64.exe	39
PID 2380 wrote to memory of 868	2380	DEM1A64.exe	39
PID 2380 wrote to memory of 868	2380	DEM1A64.exe	39
PID 2380 wrote to memory of 868	2380	DEM1A64.exe	39
PID 868 wrote to memory of 2360	868	DEM6FF2.exe	41
PID 868 wrote to memory of 2360	868	DEM6FF2.exe	41
PID 868 wrote to memory of 2360	868	DEM6FF2.exe	41
PID 868 wrote to memory of 2360	868	DEM6FF2.exe	41

C:\Users\Admin\AppData\Local\Temp\0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\DEM17D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM17D4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\DEM6E5D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6E5D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\DEMC4B6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC4B6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\DEM1A64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\DEM6FF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6FF2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\DEMC542.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC542.exe"
        7⤵
        Executes dropped EXE
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6E5D.exe

Filesize
14KB

MD5
befe3ec9ba39ab6b3a2d7c25f13de86c

SHA1
3b59acb504cf6d6489a769a16b22073442f5eb2d

SHA256
bce2b8ac6786b15325b8bea8fe57e4bbeb74e4c6160396b1c00e26f92c783727

SHA512
683835fb93bb8bc4b93c412126c5f2dd330db4945db478c45a82cb0df2546755959c2163af4482d190426f50b46fec4434c5f27e11301fdbc30ae89e64f31c73

Download Submit
\Users\Admin\AppData\Local\Temp\DEM17D4.exe

Filesize
14KB

MD5
8af97547a1001933d2af11e9fc7cd1db

SHA1
039b44ffd62b6c62eb6b287e130d8e4d20b854c3

SHA256
185b9c3c74962c9c515de73465ac19d3043a45602950eb8461d0ee8aa03e84d4

SHA512
d970556f5fe6a8175803cf0c8aee4d6cd97a502a60d3eab69ee9d2df4c34d8928f62bb4bb1d29d3c62f0b6923f8afb38cff8a756dada47d48d52d5e615593cb1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A64.exe

Filesize
14KB

MD5
6bf7cfb3c5fc0d3f1cc80ad376e6bb7c

SHA1
80df3351e1998b356a6b98f3f0b8cba5d84cc30a

SHA256
083ad5c6db2e0d2d5fd37f740916cd3ae1377b2c15327a3dde0ddb79e069c531

SHA512
b33e7fb0f37b1225abf0411b535d43045f33270d6b0db3bea603e6ecd1fc600e747d2fe5c68889ef345c88fe9acc67cee2acb7c4e607f3fb2312aee0196c3e68

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6FF2.exe

Filesize
14KB

MD5
f4a5a49e7e60544b89fed154c9a4db20

SHA1
0959318f6a75be30e724947bb06dd770bcc1efb4

SHA256
e33ddd8438a52d93049d2ed20eee6b0163343f2bfa4e0a514de16673188657fc

SHA512
2788a028f29661833401e5c0e56a60f8718dc64b8bf9caa8c255c24017e637626af35c9c1ceb1af5637b3cecd5be5bddddf861a6b4ab4e4862f72dda31c46acd

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC4B6.exe

Filesize
14KB

MD5
adecc47784b21b257078f5715bf67c8a

SHA1
1ebaf7bdf1abf75d0380926fd3919c7b1ee3b5e4

SHA256
a747a115adf61017e02888a54902b593d793e1cf32009fae8c71c2c59e9f2afd

SHA512
ec287ee51ff9663eaf91b362b8d3b09d9ca2e9ad254b5e11ee4bfe43c41f1ed2e5ba0221c486944789d2a733c9780ef0efdc6bae12e93d3bb546e601c0627473

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC542.exe

Filesize
14KB

MD5
f7f649e92c57513dedb5f7b69b4dd182

SHA1
8f0261cd59702113aee11b0bb61afa15b8359704

SHA256
13837afcc7da761f414476049709ddb9528e1cc1a38b90ec0dfb373d2e9b8f0e

SHA512
21af17df1d24a08ed09910f122d89ceb164eeca6012cfb36195d275c60f260b59a3688f3e441cd0f5f664458358e771462c3631dc73950e7b397a99f92f2e3bb

Download Submit

Analysis

Sharing