aaa1b4cfce550d7577decfcb606ba716def5f84ee71cb69892dacdd0d15506bc

General

Target

43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe
Size

14KB
MD5

43b57993374f3f56d7031e11a5c30b5f
SHA1

b8486e21e636259f959f269c766acbe17fb670ab
SHA256

aaa1b4cfce550d7577decfcb606ba716def5f84ee71cb69892dacdd0d15506bc
SHA512

2666df51cec2b5e299f710417f465de9288471c833ee9d6bc03674ca018718c22a9266efe189ffbc7eb75e553265ac0039d5386baacb36642361ae4b73d19c7e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJL:hDXWipuE+K3/SSHgxmB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2320	DEMB107.exe
2800	DEM628.exe
2388	DEM5B79.exe
1744	DEMB155.exe
1892	DEM686.exe
2140	DEM5BC7.exe

Loads dropped DLL 6 IoCs

pid	Process
264	43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe
2320	DEMB107.exe
2800	DEM628.exe
2388	DEM5B79.exe
1744	DEMB155.exe
1892	DEM686.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2320	264	43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe	32
PID 264 wrote to memory of 2320	264	43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe	32
PID 264 wrote to memory of 2320	264	43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe	32
PID 264 wrote to memory of 2320	264	43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe	32
PID 2320 wrote to memory of 2800	2320	DEMB107.exe	34
PID 2320 wrote to memory of 2800	2320	DEMB107.exe	34
PID 2320 wrote to memory of 2800	2320	DEMB107.exe	34
PID 2320 wrote to memory of 2800	2320	DEMB107.exe	34
PID 2800 wrote to memory of 2388	2800	DEM628.exe	36
PID 2800 wrote to memory of 2388	2800	DEM628.exe	36
PID 2800 wrote to memory of 2388	2800	DEM628.exe	36
PID 2800 wrote to memory of 2388	2800	DEM628.exe	36
PID 2388 wrote to memory of 1744	2388	DEM5B79.exe	38
PID 2388 wrote to memory of 1744	2388	DEM5B79.exe	38
PID 2388 wrote to memory of 1744	2388	DEM5B79.exe	38
PID 2388 wrote to memory of 1744	2388	DEM5B79.exe	38
PID 1744 wrote to memory of 1892	1744	DEMB155.exe	40
PID 1744 wrote to memory of 1892	1744	DEMB155.exe	40
PID 1744 wrote to memory of 1892	1744	DEMB155.exe	40
PID 1744 wrote to memory of 1892	1744	DEMB155.exe	40
PID 1892 wrote to memory of 2140	1892	DEM686.exe	42
PID 1892 wrote to memory of 2140	1892	DEM686.exe	42
PID 1892 wrote to memory of 2140	1892	DEM686.exe	42
PID 1892 wrote to memory of 2140	1892	DEM686.exe	42

C:\Users\Admin\AppData\Local\Temp\43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264
- C:\Users\Admin\AppData\Local\Temp\DEMB107.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB107.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\DEM628.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM628.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\DEM5B79.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5B79.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\DEMB155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB155.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Users\Admin\AppData\Local\Temp\DEM686.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM686.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\DEM5BC7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5BC7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM628.exe

Filesize
14KB

MD5
d5c305671e3c996e3a89926c51d6fcec

SHA1
47abed4d4a62c598f08a777e2c4f6e10ab9e5e6b

SHA256
17813737e6ac050494aba2b7fc7f8aa6159b9310444121d79decb22a13f1d660

SHA512
1e4c0c188c83d8f4db9442861a72d22c875d31c3a5aa37f4610a05506968d50dcff18825155ab06aed17ad507d8734072fa6e7c60be4efadb0a2328303ba8c28

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5B79.exe

Filesize
14KB

MD5
4d9e03bf66881aa89f6d26765dc912ea

SHA1
f4f6bc13fa572bcf5509bb5f9cfbcfe1613956e9

SHA256
d0c7a3c13c717cbe79e1d14af193bd366347718558025d6ab91b806ff2f3b905

SHA512
3cb6d2cd11161213e59a5068320c58a332db9bfb1de5d9d2022b80828b178cb552b7f0b7b4c884dd3d2ab8f8813291868f8cfdcb44e7542f68b2516cc70ba288

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5BC7.exe

Filesize
14KB

MD5
7fe102575c0ab56a120a12b978ac0be0

SHA1
ecd275b5cacbee233e29536bb3f998b6ab0e345a

SHA256
f35d1b4fcd955f297aad6535f44a5a173611f2ad4a951be8096d268cd325cef7

SHA512
74eff488803f91c8eff6dd7e6ec709561fa280b08ddf0b755fba02d5a0456cdbc7c3b95879da3115e85470cd779485b6e55fe2f9a9c80f25473e9876bd18f4d4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM686.exe

Filesize
14KB

MD5
4dd515e2d11cdf98bf45011b27500021

SHA1
a846c73f04804c70d229569c8bfcc99209be4a5e

SHA256
00126fb5898559250163bed0213c423655339f681f8e9e5ebc35f0e9560ebdc3

SHA512
982aa7d5d6ddb685f8cc79007f41fea8fb7448b68df2b0a31ae34ac6149fca93b8a518ffbbf3566e202ce7f625b063f2f5c75901b8bcad3864b1fb30f4aada08

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB107.exe

Filesize
14KB

MD5
1975bebdf44041b4350feba477ba49cd

SHA1
0672aa5a283323fcc03e492c8504406257322bfb

SHA256
43a2228dd91324c512962e7249af878d5da691b2f6304e72b3f8d19d68c9d327

SHA512
a2846b592ba492c931214571c8a9e6a581d85e989b4561a5d1c57c18da83ea289dad80d00ba2d2ed45c5fdf30911078e9630f36608d445e1621ff9c064986b39

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB155.exe

Filesize
14KB

MD5
f0a4b669cf705637cd49bc5c7a1f08c2

SHA1
31c0ff50fb783fddf159998aeda1187225a1e7c6

SHA256
7a4dfda9fa87e5b2f5f33603d71d2a99feda98623670884fec26beb4f697a280

SHA512
16ee17a3b8d5837524f51cc7fe06e186b19f81e062db5834495114ea3a54ce7d83e98c6fa3abcc296015f8460e4503acbeed3c5be48275ecb4383e3bfbae2077

Download Submit

Analysis

Sharing