0705971b9f7b9ec5d13be59d4d4466b2eadfba2f2efd14ab588b52bafa5b0f00

General

Target

2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe
Size

15KB
MD5

2cce3155a1fcc4b4dd9e828ec97a3417
SHA1

602700cb11eda9fec307c27ffe48ad2a5606d06f
SHA256

0705971b9f7b9ec5d13be59d4d4466b2eadfba2f2efd14ab588b52bafa5b0f00
SHA512

e60a0eb780c47278c69ce82ee8ee0947c9685ec3e6a0c430fb93b15c47b2ce9c03d545b66e32e455af66b102375389783a18edcf1340436e0384a308464d1481
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl5:hDXWipuE+K3/SSHgxml5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2296	DEM392A.exe
2692	DEM8F16.exe
2980	DEME4A4.exe
1700	DEM3B1D.exe
3032	DEM9176.exe
2280	DEME7C0.exe

Loads dropped DLL 6 IoCs

pid	Process
2388	2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe
2296	DEM392A.exe
2692	DEM8F16.exe
2980	DEME4A4.exe
1700	DEM3B1D.exe
3032	DEM9176.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2296	2388	2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2296	2388	2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2296	2388	2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2296	2388	2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe	30
PID 2296 wrote to memory of 2692	2296	DEM392A.exe	32
PID 2296 wrote to memory of 2692	2296	DEM392A.exe	32
PID 2296 wrote to memory of 2692	2296	DEM392A.exe	32
PID 2296 wrote to memory of 2692	2296	DEM392A.exe	32
PID 2692 wrote to memory of 2980	2692	DEM8F16.exe	34
PID 2692 wrote to memory of 2980	2692	DEM8F16.exe	34
PID 2692 wrote to memory of 2980	2692	DEM8F16.exe	34
PID 2692 wrote to memory of 2980	2692	DEM8F16.exe	34
PID 2980 wrote to memory of 1700	2980	DEME4A4.exe	36
PID 2980 wrote to memory of 1700	2980	DEME4A4.exe	36
PID 2980 wrote to memory of 1700	2980	DEME4A4.exe	36
PID 2980 wrote to memory of 1700	2980	DEME4A4.exe	36
PID 1700 wrote to memory of 3032	1700	DEM3B1D.exe	38
PID 1700 wrote to memory of 3032	1700	DEM3B1D.exe	38
PID 1700 wrote to memory of 3032	1700	DEM3B1D.exe	38
PID 1700 wrote to memory of 3032	1700	DEM3B1D.exe	38
PID 3032 wrote to memory of 2280	3032	DEM9176.exe	40
PID 3032 wrote to memory of 2280	3032	DEM9176.exe	40
PID 3032 wrote to memory of 2280	3032	DEM9176.exe	40
PID 3032 wrote to memory of 2280	3032	DEM9176.exe	40

C:\Users\Admin\AppData\Local\Temp\2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\DEM392A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM392A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\DEM8F16.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8F16.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\DEME4A4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME4A4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\DEM3B1D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3B1D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\DEM9176.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9176.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\DEME7C0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME7C0.exe"
        7⤵
        Executes dropped EXE
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8F16.exe

Filesize
15KB

MD5
21a4d9ca117d63b46b4b589ed8cd435c

SHA1
c5e831ee8457ec9f2612842e97077f5ebbff0730

SHA256
3db575e599f21f5f50ce60648afae3bf7f4a4b8f329336cee18798131b219c52

SHA512
0ef6cd91192ba596695d0e2f5c3f0fb5ff098b56a5c9ed784f097e0ab5e8573a76caa72104f8df4d5742648339c6b75249cd1cd3ab2df66cf3d451fb1fc069b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9176.exe

Filesize
15KB

MD5
1c9fcfd30f3d76fe241cef43bbf6cfc1

SHA1
4b6561f0006501b671f40b183240c5fe292a034c

SHA256
c93a2fd2f6b8e21a3b59df2347091fe689342d418c5f581e2504a55737d86a8d

SHA512
b302cf8be82e11d2a845fb2b372a4f0b5e81eaed79c6f4af721685f9ce3df42dae40179eb59c2392bf72272c404e96747fac65f20e12c7d6d8f4ca79a4682d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME4A4.exe

Filesize
15KB

MD5
a46c3a639d8e5276900d3acbaaaa1c50

SHA1
09743aacd1f563873810a0f8a4b1855debc4b1de

SHA256
d9418aca5f169cdc8bfa671598294d2b0f61517ee4204ad5265ad64b764bd482

SHA512
0231d4fd1e5124b5b1d123b11b5f36b741ea339e850751b445b54f4e105cd5afda16e7c7f9f7afea1e63d2caf384f3d31ea52b41dee5d7c6133ac5a89f895f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME7C0.exe

Filesize
15KB

MD5
f9ca4f1f1bdef372c2b87b36b697c6fa

SHA1
fc898ddde655218d45607ca0d6cede7156ab2ffa

SHA256
14721e7cd945006278be717bf13b391a90391c689ccf7a95dfa004793b682f91

SHA512
3cc68d3350a4d3329489eb4f1d786ea2cf41e391aa14ca6e7a12467b765130b2e5a8edca010c0acda0d1c27a200792a990de4befa485518f0c453db66ba8e2e4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM392A.exe

Filesize
15KB

MD5
5367e16aed82d7cb50706f9dd0fd5abf

SHA1
3e1f3b6d57d5f703a7cb8f453565592e999b95f9

SHA256
60a98206f8e89568e2a8c9f62c3d4c50430337f7c3282f61a03c2fbea9cf8bc5

SHA512
011adb2ea5499cca8bba79271ae1d0139706d7c84d01d3f2fa8ab400d513e1fc5fd05f7a92608a369c6f7275786aa42c2805386b1d8e901226237207f5ae8327

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3B1D.exe

Filesize
15KB

MD5
f542c7825a13c9e1a648b098ab6dc748

SHA1
59643c249fd3d5e2d875559a79cebee5d54f5b32

SHA256
a8a1a107a7ea9014269a62eb17b066b41610afaa0cd12b5f193e661dbdbe4bd9

SHA512
6c58cefb20385876fa449536e4d9122f4548781ed7e44cc8485ed47bf88b86f542fa40bb8c867d21570ab0df6a5443e2cdb41d594a1d283da9bfb5bb67f97fef

Download Submit

Analysis

Sharing