be393e789497efdf46b874a5f4fd239b3cb9782819a0d60a866966b396dcf4c2

General

Target

0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe
Size

14KB
MD5

0ed40792dc8e2de61899d4283bde5287
SHA1

14441d782b1e9a310d608e2683249a9fbe1b0273
SHA256

be393e789497efdf46b874a5f4fd239b3cb9782819a0d60a866966b396dcf4c2
SHA512

bc5c8e44b57459f0902c892a8d52f21dc9b85a484e495dd12138aa59297513436de877d6b0645b39a309035827c38b3a14387fbf2b234d940f8cb9692d12e26c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRs:hDXWipuE+K3/SSHgxo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2668	DEM4B2.exe
2748	DEM5ABD.exe
2864	DEMB04C.exe
788	DEM57D.exe
756	DEM5ACD.exe
2896	DEMAFCF.exe

Loads dropped DLL 6 IoCs

pid	Process
2976	0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe
2668	DEM4B2.exe
2748	DEM5ABD.exe
2864	DEMB04C.exe
788	DEM57D.exe
756	DEM5ACD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2668	2976	0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe	29
PID 2976 wrote to memory of 2668	2976	0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe	29
PID 2976 wrote to memory of 2668	2976	0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe	29
PID 2976 wrote to memory of 2668	2976	0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe	29
PID 2668 wrote to memory of 2748	2668	DEM4B2.exe	31
PID 2668 wrote to memory of 2748	2668	DEM4B2.exe	31
PID 2668 wrote to memory of 2748	2668	DEM4B2.exe	31
PID 2668 wrote to memory of 2748	2668	DEM4B2.exe	31
PID 2748 wrote to memory of 2864	2748	DEM5ABD.exe	35
PID 2748 wrote to memory of 2864	2748	DEM5ABD.exe	35
PID 2748 wrote to memory of 2864	2748	DEM5ABD.exe	35
PID 2748 wrote to memory of 2864	2748	DEM5ABD.exe	35
PID 2864 wrote to memory of 788	2864	DEMB04C.exe	37
PID 2864 wrote to memory of 788	2864	DEMB04C.exe	37
PID 2864 wrote to memory of 788	2864	DEMB04C.exe	37
PID 2864 wrote to memory of 788	2864	DEMB04C.exe	37
PID 788 wrote to memory of 756	788	DEM57D.exe	39
PID 788 wrote to memory of 756	788	DEM57D.exe	39
PID 788 wrote to memory of 756	788	DEM57D.exe	39
PID 788 wrote to memory of 756	788	DEM57D.exe	39
PID 756 wrote to memory of 2896	756	DEM5ACD.exe	41
PID 756 wrote to memory of 2896	756	DEM5ACD.exe	41
PID 756 wrote to memory of 2896	756	DEM5ACD.exe	41
PID 756 wrote to memory of 2896	756	DEM5ACD.exe	41

C:\Users\Admin\AppData\Local\Temp\0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\DEM4B2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4B2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\DEM5ABD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5ABD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\DEMB04C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB04C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\DEM57D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM57D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:788
      - C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\DEMAFCF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAFCF.exe"
        7⤵
        Executes dropped EXE
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5ABD.exe

Filesize
14KB

MD5
29bbff2442e9721be93ae6915213e1f6

SHA1
77de263bc41990b0fdaa05307bd7765576704059

SHA256
3e008dccdfcdc2937e58e0e771d87d990a8f5e79807f504714f901847228dd6f

SHA512
1a7f7d4368667099739745a9534e6b400173aec31daea932e4ec50b75bbc2a58f0175324136cf375670694b89c30deb0943c51b4e89a217be5c97bf60b23797d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4B2.exe

Filesize
14KB

MD5
afdef098eb0a9af5f3c743de3634ce4c

SHA1
749b233d08609dd788bd7b4aa180aa65284788e8

SHA256
d1a18c20283135ba257bf17713134b1c34451cab35e2ed8726f66f324c4e8eab

SHA512
f689dee87ed7e797113afd3888ad03a6941911652c6fb36101e8b7ac57b2309640149cad40d46c3e39faa6440946427337aaae898552ca9e263ce8955d0266f5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM57D.exe

Filesize
14KB

MD5
f71306e3fdaca67db5e172b09512bc69

SHA1
91babdaa502576dbe9dc472ae62777b312fbd685

SHA256
96d471e6584062a211a976d831a7a9a97ea7275a0109105d171665e3260f998b

SHA512
aac79ba34b5620a97d36d07ef0dd0f7e229c77498d8a8a8f89e953c94140f5c440fbb109dd818c565ad68d39697013baf48959ee8919c59ead46b4d7e227a687

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5ACD.exe

Filesize
14KB

MD5
7311a0cc5537aa07ef6cd88f93d15c86

SHA1
8d8aff041426520e3b97aa86ea1b60a0e3ef6b6f

SHA256
bb1d59fd1ace3ba62084b5e92ad66e18d606b811f5119719cc5bbb0fef6011ce

SHA512
e227e34901970e6ea5d442cb7ced873b694b4b574858e7e572bcf6983f12fde15e271b96fe6e8368b4477613732a21421297ff2eaef6fea8a2d586ca79e50061

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAFCF.exe

Filesize
14KB

MD5
e85b7fe82bf846c95e4f410c001bf62c

SHA1
2e52f20756bf700594fd4f72c6593a299f49e641

SHA256
9c4adcdd910d76ddcad748d9a93f9523874dca26145a795b216a68d3ca66896f

SHA512
2c35a937814542add242afc6158e0d2a7cf4d8c6adde319a5e3c0b37117170252bdf5d005571aac602de0b89e9095c7b35ad6cc61ac0bda7a5ad153b8797f96c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB04C.exe

Filesize
14KB

MD5
5f61f10621ec854374cc86b04be6628b

SHA1
447aa563ffd676c33e723b41526a68cd2faa8e52

SHA256
217e943520d65c124506d1918c5213a889c0232a4c1c0b9f4ee2ad476a238b09

SHA512
76195b6b167123ee101be6966aa37260e191e22e50c06c2830ff68029860c228efdb9b06ac994c75fdc669713641b31d047300e194559ef02fcf79041d90d426

Download Submit

Analysis

Sharing