07cba4942c05fc9362f7bc54e8cc45a744238967e353c385f0cf2fd3c91e05c8

General

Target

39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe
Size

14KB
MD5

39fbc835735faed7d9ec207e38116c7a
SHA1

eba077abcc661cc033720a7fbace4add7f3e036e
SHA256

07cba4942c05fc9362f7bc54e8cc45a744238967e353c385f0cf2fd3c91e05c8
SHA512

febf30d977276ff6e86aae62f178cb0e35f2d548be5d93bbecf306e19b5e259247158c88186abef2538d119cdb03c7a47f59eb4680173a4545835de65c375b6b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY53:hDXWipuE+K3/SSHgxmh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2644	DEM1890.exe
2784	DEM6E2E.exe
2364	DEMC4E5.exe
1092	DEM1B00.exe
344	DEM7169.exe
2340	DEMC89C.exe

Loads dropped DLL 6 IoCs

pid	Process
2460	39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe
2644	DEM1890.exe
2784	DEM6E2E.exe
2364	DEMC4E5.exe
1092	DEM1B00.exe
344	DEM7169.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2644	2460	39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2644	2460	39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2644	2460	39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2644	2460	39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2784	2644	DEM1890.exe	33
PID 2644 wrote to memory of 2784	2644	DEM1890.exe	33
PID 2644 wrote to memory of 2784	2644	DEM1890.exe	33
PID 2644 wrote to memory of 2784	2644	DEM1890.exe	33
PID 2784 wrote to memory of 2364	2784	DEM6E2E.exe	35
PID 2784 wrote to memory of 2364	2784	DEM6E2E.exe	35
PID 2784 wrote to memory of 2364	2784	DEM6E2E.exe	35
PID 2784 wrote to memory of 2364	2784	DEM6E2E.exe	35
PID 2364 wrote to memory of 1092	2364	DEMC4E5.exe	37
PID 2364 wrote to memory of 1092	2364	DEMC4E5.exe	37
PID 2364 wrote to memory of 1092	2364	DEMC4E5.exe	37
PID 2364 wrote to memory of 1092	2364	DEMC4E5.exe	37
PID 1092 wrote to memory of 344	1092	DEM1B00.exe	39
PID 1092 wrote to memory of 344	1092	DEM1B00.exe	39
PID 1092 wrote to memory of 344	1092	DEM1B00.exe	39
PID 1092 wrote to memory of 344	1092	DEM1B00.exe	39
PID 344 wrote to memory of 2340	344	DEM7169.exe	41
PID 344 wrote to memory of 2340	344	DEM7169.exe	41
PID 344 wrote to memory of 2340	344	DEM7169.exe	41
PID 344 wrote to memory of 2340	344	DEM7169.exe	41

C:\Users\Admin\AppData\Local\Temp\39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\DEM1890.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1890.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\DEM6E2E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6E2E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\DEMC4E5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC4E5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\DEM1B00.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1B00.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Temp\DEM7169.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7169.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1890.exe

Filesize
14KB

MD5
702540ac129f5b041cd835f5aa20594b

SHA1
e65bc6a0627c7647dff49f034f4769060b8fd267

SHA256
4d9cf5f32f131a40fe43444f6ab83d74d326367eef42115392129bd715cc0795

SHA512
4fc341b9a51b2708ffc8ab5d8e9a7921d80e6e07c40983eba045df828095cd8009df046091141815699baabe9a21aa3e495bcf68dfdb4c3103fa78c10dc93ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6E2E.exe

Filesize
14KB

MD5
42a42e0d61c39615d20fab7f49dd8777

SHA1
55eba59238d9641dec519466dd1f349607757784

SHA256
acf39bfb8fe7a636a7f9a0e22ea3999589c2800429a3e967834dc66a5d744c3d

SHA512
cc73ae1a99598f2a7be0accac0dc08154a29123b128f42d6cdb6520ffb0fa751aff2f5aee67fe00ffdfcf6c946250b97b2b60068f82183ab0571eea2383472a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7169.exe

Filesize
14KB

MD5
a567d337099e49a2a0a6e64ad92b334d

SHA1
00bb874cf215253fb0cfc6bb7bfdb07d8dbc9485

SHA256
c51997bd35bd8cb8bfaf4b7594447d7343516501959fe68eda1b7f762b3ffe8e

SHA512
4a43ff679e83680e14b0461eb63b8805a2d2cf593c879fdb8ec617d299653da0b7c771d2e8221d4f3acbf7205903511b9b62c0ee0f794265e3d428a4832587df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe

Filesize
14KB

MD5
7d0c0b7fae328e50fd03086fbde4f71a

SHA1
b19b74ed661ee19bd48c58e67c6f09112ed4af79

SHA256
8484e52d65dac4c16f2f48aa9176422e38885cbfaae1cf2852d3987251186e30

SHA512
99a21465294e787f2c1efa5bcbed4327ecc666e365c4b75903800ae3514add93bda42ed82a2367a3d162b355fcff57c229bbac3cd7ff034498e26e2d2d1e83ec

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1B00.exe

Filesize
14KB

MD5
3c891f052a0cb02637362c25329b6ef8

SHA1
14473b8750f718df1e45efe95f180dcf4978ec0e

SHA256
a04f25eca2ce43b653d9ace735429eebfd0aa05afbef3ef7bc17e597f429af35

SHA512
8b5c1a0d3d644bcc7c931f18677637ebd063fc82ffe6290b4f0d9f262c3cefde21184f48044116211f89cea3080dcfc1c6c0be9ac6839259bd4ea0f9e83ae663

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC4E5.exe

Filesize
14KB

MD5
684742a41cd90fe046c8685702fbd1b0

SHA1
3ecdc7ed04f637935823f4d446846f56291c87fc

SHA256
dbd5ea635ad39ae3a584484aa15e761402de0c8d9282921feec912dc688fb925

SHA512
f84770f0eafe511abd5e2980e1cf6c994137607b7d1c74d87e471062866c8ca6c280d6c6e0ac565bb48141bc4d0fa91b4d52b3f55bace7e7abfa69b3254a6d30

Download Submit

Analysis

Sharing