1d07e755bd3d332526e6d172018ac3e887ced44753bb6fe209a0634b974989d0

General

Target

471f65487a818945830a75387a9e8d12_JaffaCakes118.exe
Size

14KB
MD5

471f65487a818945830a75387a9e8d12
SHA1

bf7bd83d25fe095c19c6baa588c484523fdaf719
SHA256

1d07e755bd3d332526e6d172018ac3e887ced44753bb6fe209a0634b974989d0
SHA512

2b47f1f74ac41410d0cff8c7b8849d86a6df51b79354e132e9552d313e9d0ef83b8769320a5f8ff5b7be96c9ab3a9feed53e64d111dada15b31c6e377e0881e3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY41b:hDXWipuE+K3/SSHgxmM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2716	DEMBDD3.exe
2072	DEM1323.exe
2672	DEM6873.exe
2932	DEMBD95.exe
900	DEM12C6.exe
2944	DEM67E7.exe

Loads dropped DLL 6 IoCs

pid	Process
3032	471f65487a818945830a75387a9e8d12_JaffaCakes118.exe
2716	DEMBDD3.exe
2072	DEM1323.exe
2672	DEM6873.exe
2932	DEMBD95.exe
900	DEM12C6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2716	3032	471f65487a818945830a75387a9e8d12_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2716	3032	471f65487a818945830a75387a9e8d12_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2716	3032	471f65487a818945830a75387a9e8d12_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2716	3032	471f65487a818945830a75387a9e8d12_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2072	2716	DEMBDD3.exe	34
PID 2716 wrote to memory of 2072	2716	DEMBDD3.exe	34
PID 2716 wrote to memory of 2072	2716	DEMBDD3.exe	34
PID 2716 wrote to memory of 2072	2716	DEMBDD3.exe	34
PID 2072 wrote to memory of 2672	2072	DEM1323.exe	36
PID 2072 wrote to memory of 2672	2072	DEM1323.exe	36
PID 2072 wrote to memory of 2672	2072	DEM1323.exe	36
PID 2072 wrote to memory of 2672	2072	DEM1323.exe	36
PID 2672 wrote to memory of 2932	2672	DEM6873.exe	38
PID 2672 wrote to memory of 2932	2672	DEM6873.exe	38
PID 2672 wrote to memory of 2932	2672	DEM6873.exe	38
PID 2672 wrote to memory of 2932	2672	DEM6873.exe	38
PID 2932 wrote to memory of 900	2932	DEMBD95.exe	40
PID 2932 wrote to memory of 900	2932	DEMBD95.exe	40
PID 2932 wrote to memory of 900	2932	DEMBD95.exe	40
PID 2932 wrote to memory of 900	2932	DEMBD95.exe	40
PID 900 wrote to memory of 2944	900	DEM12C6.exe	42
PID 900 wrote to memory of 2944	900	DEM12C6.exe	42
PID 900 wrote to memory of 2944	900	DEM12C6.exe	42
PID 900 wrote to memory of 2944	900	DEM12C6.exe	42

C:\Users\Admin\AppData\Local\Temp\471f65487a818945830a75387a9e8d12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\471f65487a818945830a75387a9e8d12_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\DEMBDD3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBDD3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\DEM1323.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1323.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\DEM6873.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6873.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Users\Admin\AppData\Local\Temp\DEMBD95.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD95.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\DEM67E7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM67E7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2944

Network

No results found

10.180.0.115:1337

471f65487a818945830a75387a9e8d12_JaffaCakes118.exe

152 B
3
10.180.0.115:1337

DEMBDD3.exe

152 B
3
10.180.0.115:1337

DEM1323.exe

152 B
3
10.180.0.115:1337

DEM6873.exe

152 B
3
10.180.0.115:1337

DEMBD95.exe

152 B
3
10.180.0.115:1337

DEM12C6.exe

152 B
3
10.180.0.115:1337

DEM67E7.exe

152 B
3

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM12C6.exe

Filesize
14KB

MD5
1f90b3b2cd7a8fef3a8814f9fff6b793

SHA1
068a447ed4e62b14c2b25d6967da1b4ae8db4af3

SHA256
7220e6206c6d71b9919e444cdff090cfe72a41f4a505663cbace6b8675924f9e

SHA512
eaeda1e286ba357bcc4993c5ccb5ead0b1828765b02d8d61fcfced4fa467a0369ff0fe7d52acf34f395e5f2b557f8d24a8b0fdf67ae0d9c5c3e257145c4c22d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1323.exe

Filesize
14KB

MD5
3864913dbf6beb9fa98217cd52850dcc

SHA1
9a48d7696043ca36aa95bf5f850af7ccc1e5410a

SHA256
c234b3a0589f50b01a80cfb01bf3d9c4487b02967fb3d9b71d7d625de5ecef0a

SHA512
a3520852658e08d105f887c38fcadea16035c38463be5d4352a7732f57571d0bf03c02450ebad47ebb35811f3f35ecf9b7ccdb47b33b169dd95fb786f4f47761

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM67E7.exe

Filesize
14KB

MD5
95f03e74f184f0e6cdb1d7907b742a5f

SHA1
e7aa3d0578213e670bc72545b5366821c4143bc8

SHA256
9320b47f6b6662ac0b636bd76d0a85267bc6902323c4ac99b946e569a8c77cb1

SHA512
aaee8111541f44ed7b58a5d953a0e066355cf899fc05dadb1ac9b74e960bd562f05959c020e486e88a0abd4cd45d10794f406b828ed2c91378e1c9850a12f1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD95.exe

Filesize
14KB

MD5
d3e6004022849e822ffde9afee3a9355

SHA1
8f8f5a737a615b7b30ba1eeb4aac8aaaa1c6d3b4

SHA256
dcc3e57d6fc0afa42c4f99168ce14fb8fb29bd1ad9f33bc66b6873215e817d8c

SHA512
74b7dfa1bde9af27a01cb75d3b00ca84d78b4b3f62b84d450a4017b649fae76dd1c358f5a15da701b11802bc3b4b31333cfcc3c767211decef461f19f1b406b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBDD3.exe

Filesize
14KB

MD5
d99d791e3b89fed02d40bb5f80925240

SHA1
8796954619b764250a271b9343e76260320db759

SHA256
28871dde233a3dfc4d04b47977a646ebbfeee95ff60e05142c4da0da9f1b0963

SHA512
dda4c9cbde0d7ca1b7644c569a848a92e95cf2c75c1562f9a96c2d62951c7220722bead4daa946ffc4d7acebb2858f991aa2dbb5ad58aaeb38437b7dfd47b012

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6873.exe

Filesize
14KB

MD5
deb40e63b95a070f8ce1ecae89ad7b9b

SHA1
5c2abf7ffb6160f81488a66f58d936faeb866045

SHA256
51844c0756f3242b36875cc00a926fa9764e3cbd225616d5f8ebc5a782fb8e33

SHA512
53cf8b4adb09bc42f6e14c4fb4390505df760e6df9ddea8fded636a50b373a4c7ada8a837e0d70d97da421f7029633fdcf39d98f31efa86552c945f42674da45

Download Submit

Analysis

Sharing