eb27d1687bb5a5ff2f6a33fee9afbd1cca5864152c36baaec046e8b1870ab006

General

Target

18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe
Size

15KB
MD5

18e89d4d859a4b25523ded273b70dfd8
SHA1

6ece8775a2efe99c7cbf6801de747d198b983cc5
SHA256

eb27d1687bb5a5ff2f6a33fee9afbd1cca5864152c36baaec046e8b1870ab006
SHA512

bd2b95f150ec8b38a53f5c9c9c023ca5512788d452ddd61691cb91346887b218f1d7ecedfe4021cedde5ce976ec75ba51cda591ed097aaf0f518d3112c62d0cf
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxw:hDXWipuE+K3/SSHgxmHi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1208	DEM2118.exe
2824	DEM7697.exe
2084	DEMCBB8.exe
2524	DEM20E9.exe
832	DEM760A.exe
1924	DEMCB1C.exe

Loads dropped DLL 6 IoCs

pid	Process
2336	18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe
1208	DEM2118.exe
2824	DEM7697.exe
2084	DEMCBB8.exe
2524	DEM20E9.exe
832	DEM760A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1208	2336	18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1208	2336	18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1208	2336	18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1208	2336	18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe	29
PID 1208 wrote to memory of 2824	1208	DEM2118.exe	31
PID 1208 wrote to memory of 2824	1208	DEM2118.exe	31
PID 1208 wrote to memory of 2824	1208	DEM2118.exe	31
PID 1208 wrote to memory of 2824	1208	DEM2118.exe	31
PID 2824 wrote to memory of 2084	2824	DEM7697.exe	35
PID 2824 wrote to memory of 2084	2824	DEM7697.exe	35
PID 2824 wrote to memory of 2084	2824	DEM7697.exe	35
PID 2824 wrote to memory of 2084	2824	DEM7697.exe	35
PID 2084 wrote to memory of 2524	2084	DEMCBB8.exe	37
PID 2084 wrote to memory of 2524	2084	DEMCBB8.exe	37
PID 2084 wrote to memory of 2524	2084	DEMCBB8.exe	37
PID 2084 wrote to memory of 2524	2084	DEMCBB8.exe	37
PID 2524 wrote to memory of 832	2524	DEM20E9.exe	39
PID 2524 wrote to memory of 832	2524	DEM20E9.exe	39
PID 2524 wrote to memory of 832	2524	DEM20E9.exe	39
PID 2524 wrote to memory of 832	2524	DEM20E9.exe	39
PID 832 wrote to memory of 1924	832	DEM760A.exe	41
PID 832 wrote to memory of 1924	832	DEM760A.exe	41
PID 832 wrote to memory of 1924	832	DEM760A.exe	41
PID 832 wrote to memory of 1924	832	DEM760A.exe	41

C:\Users\Admin\AppData\Local\Temp\18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\DEM2118.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\DEM7697.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7697.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\DEMCBB8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCBB8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\DEM20E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM20E9.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Users\Admin\AppData\Local\Temp\DEM760A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM760A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\DEMCB1C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCB1C.exe"
        7⤵
        Executes dropped EXE
        
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM20E9.exe

Filesize
15KB

MD5
e7be6a8a104d6842ab6487b34b00c902

SHA1
00e1aa15e0b782f7de07acaf89a51fe0d5c6400b

SHA256
df6e4867ce8855d60e20ce516368f0e3e24d68a0a71ee1acabf0707648b46f0f

SHA512
a2f67d13a5c7f5d331252d8a6e535685ba3fa83ec07ebe7563ba93fbf63a1ff7801fbe2cea0325ef2870f6ca5854d17dd7ee5a32ad67ca8eafe44b6e0f5aa955

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM760A.exe

Filesize
15KB

MD5
704ae3e7c9c201833cc552daf172c6a1

SHA1
77eafd391b82871caeaa1f809a759f75e27bfb92

SHA256
3e455b80d77b3354179016b464fbbc0c3e24dfa7d5439951cd73aaf62221857b

SHA512
619e6a76562ac92da2d213cd2af4944be44251510e2ece4b152c54564577623e8bebcf164d28e75e009fa9d20d21ab563c37c9e474649d42cafdc360fd1de4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7697.exe

Filesize
15KB

MD5
d83dc4aefe08c6d801f0e0ab06bbe932

SHA1
393fe3d5f59e379a2a54b1ee4a3f0418b5d2b2bf

SHA256
15d1483faa6a52f5024d522f52ea0e8452266b84557c3f4d9b79d0f5496c4496

SHA512
30e560aea26e122bc3388a274275216b9d36511f5adba5abfad3dd2a86fe489109af96eebcfab011bc9c2ab85c99de748de53a09db9aec9d00dd008f68a3bc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCBB8.exe

Filesize
15KB

MD5
acd068f8b30c884a5576fe6cb96711aa

SHA1
66d02082f28ad12ebfb6dbb125c44ad90840ff30

SHA256
aa93d2a13c8e296aaca0fbee077f87fa8ef0d5fcf94fc6e08877026471a4b275

SHA512
8a9f70aafa54195c6a38e807ce9d2478c4de0a214d48fda147a6d1d2fb4bbbba7a66b1d2d9c9ef083514e550e130fdb45f5b489b04fc2d550303b4cf621f1e92

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2118.exe

Filesize
15KB

MD5
8a40f86d6da3ad170c9fcbd44a5cbe84

SHA1
5c1e4a6181fbc404af1bf1ba0253d7f49c41ef66

SHA256
eea5880c404a2b759a82ef92a4a062c8ba43f1a3b8b195f6a74f98fbc3176595

SHA512
23ef4049777195ef1c006e5180024f032ef6efa76705768d11e7a38e7062b4f412c32ec2a133c1ebdba9406d372564de9f54fde82c8f6e706cf2fa0b18b3fece

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCB1C.exe

Filesize
15KB

MD5
1c994157dd1f6fbcd8ebabf656b8be4b

SHA1
36fe9310ca621e6dedcc167087e6fb6611f46e04

SHA256
f285c085f9e3e81f585b668553cd088b6a73f6ba2fc116d34a9a1eab854a0769

SHA512
060197d915237d38a939fab8c1c6e8a94cfdf775f67fabc6111bf9846f42936dc0fabe8e14f4ce831f788bc13fae12962173c4613e24c050efbd12fe60741f1f

Download Submit

Analysis

Sharing