31b1874586b5e4b5cd3d3a55daf1466cbeff53bd49703f040bdb27bc22c62d5d

General

Target

467d8d6ed97ffe6ea27f4768e0f2cd0c_JaffaCakes118.exe
Size

15KB
MD5

467d8d6ed97ffe6ea27f4768e0f2cd0c
SHA1

b5c7f9311a667cc962e84a68506f02a9082e1eba
SHA256

31b1874586b5e4b5cd3d3a55daf1466cbeff53bd49703f040bdb27bc22c62d5d
SHA512

8979ef4530e5e8fe7785d30e62e0d74d881bdb28d4fb05e670e7095c39bd53b6d8f8c47c8298c20ecd76874ea00ee99fd3d23725840ca789c9861a30ee18dbef
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY41p:hDXWipuE+K3/SSHgxmyp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2736	DEM8E7A.exe
2964	DEME3BA.exe
2888	DEM390A.exe
2864	DEM8EB8.exe
1548	DEME3F9.exe
700	DEM391A.exe

Loads dropped DLL 6 IoCs

pid	Process
1848	467d8d6ed97ffe6ea27f4768e0f2cd0c_JaffaCakes118.exe
2736	DEM8E7A.exe
2964	DEME3BA.exe
2888	DEM390A.exe
2864	DEM8EB8.exe
1548	DEME3F9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2736	1848	467d8d6ed97ffe6ea27f4768e0f2cd0c_JaffaCakes118.exe	32
PID 1848 wrote to memory of 2736	1848	467d8d6ed97ffe6ea27f4768e0f2cd0c_JaffaCakes118.exe	32
PID 1848 wrote to memory of 2736	1848	467d8d6ed97ffe6ea27f4768e0f2cd0c_JaffaCakes118.exe	32
PID 1848 wrote to memory of 2736	1848	467d8d6ed97ffe6ea27f4768e0f2cd0c_JaffaCakes118.exe	32
PID 2736 wrote to memory of 2964	2736	DEM8E7A.exe	34
PID 2736 wrote to memory of 2964	2736	DEM8E7A.exe	34
PID 2736 wrote to memory of 2964	2736	DEM8E7A.exe	34
PID 2736 wrote to memory of 2964	2736	DEM8E7A.exe	34
PID 2964 wrote to memory of 2888	2964	DEME3BA.exe	36
PID 2964 wrote to memory of 2888	2964	DEME3BA.exe	36
PID 2964 wrote to memory of 2888	2964	DEME3BA.exe	36
PID 2964 wrote to memory of 2888	2964	DEME3BA.exe	36
PID 2888 wrote to memory of 2864	2888	DEM390A.exe	38
PID 2888 wrote to memory of 2864	2888	DEM390A.exe	38
PID 2888 wrote to memory of 2864	2888	DEM390A.exe	38
PID 2888 wrote to memory of 2864	2888	DEM390A.exe	38
PID 2864 wrote to memory of 1548	2864	DEM8EB8.exe	40
PID 2864 wrote to memory of 1548	2864	DEM8EB8.exe	40
PID 2864 wrote to memory of 1548	2864	DEM8EB8.exe	40
PID 2864 wrote to memory of 1548	2864	DEM8EB8.exe	40
PID 1548 wrote to memory of 700	1548	DEME3F9.exe	42
PID 1548 wrote to memory of 700	1548	DEME3F9.exe	42
PID 1548 wrote to memory of 700	1548	DEME3F9.exe	42
PID 1548 wrote to memory of 700	1548	DEME3F9.exe	42

C:\Users\Admin\AppData\Local\Temp\467d8d6ed97ffe6ea27f4768e0f2cd0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\467d8d6ed97ffe6ea27f4768e0f2cd0c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\DEM8E7A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8E7A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\DEME3BA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME3BA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\DEM390A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM390A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Users\Admin\AppData\Local\Temp\DEM8EB8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8EB8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Users\Admin\AppData\Local\Temp\DEME3F9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME3F9.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\DEM391A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM391A.exe"
        7⤵
        Executes dropped EXE
        
        PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM391A.exe

Filesize
15KB

MD5
739ddb3660790ba34522d71239156f27

SHA1
a66276d23ee283c88d9341d121dc0f1c783f4e39

SHA256
9c69999e402277551a2d31e3f9e07efddb2c085694bce6fa2fd5383993585083

SHA512
282f2baadfeab0fb0f9fd123be960f7a65a770452c0c02260d59c3bf5955e1e9aeac9069afb4df09c8f4874cc18c04aa5f7894326195b6a0a353d16334f8052c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME3BA.exe

Filesize
15KB

MD5
d83dcc6b52397daf572c2708974cb7b3

SHA1
bfe43c0d1e644ba22db3ba58ec9ad8b977c7db93

SHA256
3e26a97cd67808ce43f5e35de78c99ac10cc121e95f8210f74cc4170852522d6

SHA512
e53809bd337fbd239247266bf2faa0dc93c67237d08ebe04067237d286c9c24942d782f1fe1ea3828827e32c5ac976291474b83da2625c41eafe118c8677010d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM390A.exe

Filesize
15KB

MD5
7ff7475adaa31b1aeff4ae2aff39f9c9

SHA1
5f0d1bee91ea2eb79b892722142f5b28f21e9495

SHA256
d9b3f31b0a030fdd5a69db95d5750b9d5c622ab0648831d56ae507d96169ecd1

SHA512
a43303326fd92d9e0c8ccd18991db257a00b31fa0966992892c2ee8110878210ea64d3cdb163f9381b61d036497b89dc1809d7613f23e04d456478515bbe552b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E7A.exe

Filesize
15KB

MD5
68b5959122739031d01b63b5d3002603

SHA1
939aa0ef37b32dbd40c1cc822e8ab38de3ee5d63

SHA256
baf2fd73ca54dbc4b10d3188325c3eece422b82b47e8ad9156680bff06fcb932

SHA512
8c96166921bcd7b1dcfe8d43e6c1e3222ac9029b0acedb4a0194eec7ae4d2c4bf78a67ac1dac25f1632abbfa5ab78f9dda425cf3c2a8bf5879074a98659fe279

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8EB8.exe

Filesize
15KB

MD5
9ecd3216b44f82986c6f0bf7fd684f5d

SHA1
75c82cabbd9adb278c3f4cae87e9126b36993d41

SHA256
f5d63969042833676504231c9629c1fe25a5648fb90e1257c3bf723cae96cc51

SHA512
67696bb45f6e2cf84575e6d2e24f4ee442693260dae07b2a151d7f342a3a31d7fad95714b558940b59b773fb2326c5d3adb8fd0ff11427cce04583e8b59ed987

Download Submit
\Users\Admin\AppData\Local\Temp\DEME3F9.exe

Filesize
15KB

MD5
97049cfe18a77320570624f06ae75473

SHA1
befcd3e95af2bdd43482a7324658aeb4258b2f56

SHA256
2e0ec184ff02920867092be17e144328e0f21580bb6cf5dafc647a7539e91ec6

SHA512
636e240f0805b4ac94ae7a51e1afd21bdb6e3ce21ad17d5faa7a8fabf0ace5d3bc5f596f437376777453e3629fc2a583744bd720848895afd4163583adc2ed5a

Download Submit

Analysis

Sharing