5ede7b284d02f82ee9bc88b2be465fec3241cb73b6e58533d285c8cf54f5bb9b

General

Target

4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe
Size

14KB
MD5

4b7ba561a9fd21ac1947cd1aa100a47c
SHA1

744da6b3357130c4c0f59de6fb8cf662e8e59245
SHA256

5ede7b284d02f82ee9bc88b2be465fec3241cb73b6e58533d285c8cf54f5bb9b
SHA512

365759e62ebcbf49517ba84fd9ae40535da0bd08ac41a3a4be966f7cf24453dbbdc23c7458a727e52c04b9c41d1a9f398766a3316e6f217dc87676ed39df424c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhm/:hDXWipuE+K3/SSHgx0/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2860	DEMC9E.exe
2724	DEM63A3.exe
1616	DEMBA79.exe
2316	DEM116E.exe
3044	DEM67E7.exe
2136	DEMBF0B.exe

Loads dropped DLL 6 IoCs

pid	Process
2240	4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe
2860	DEMC9E.exe
2724	DEM63A3.exe
1616	DEMBA79.exe
2316	DEM116E.exe
3044	DEM67E7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2860	2240	4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2860	2240	4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2860	2240	4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2860	2240	4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2724	2860	DEMC9E.exe	32
PID 2860 wrote to memory of 2724	2860	DEMC9E.exe	32
PID 2860 wrote to memory of 2724	2860	DEMC9E.exe	32
PID 2860 wrote to memory of 2724	2860	DEMC9E.exe	32
PID 2724 wrote to memory of 1616	2724	DEM63A3.exe	34
PID 2724 wrote to memory of 1616	2724	DEM63A3.exe	34
PID 2724 wrote to memory of 1616	2724	DEM63A3.exe	34
PID 2724 wrote to memory of 1616	2724	DEM63A3.exe	34
PID 1616 wrote to memory of 2316	1616	DEMBA79.exe	36
PID 1616 wrote to memory of 2316	1616	DEMBA79.exe	36
PID 1616 wrote to memory of 2316	1616	DEMBA79.exe	36
PID 1616 wrote to memory of 2316	1616	DEMBA79.exe	36
PID 2316 wrote to memory of 3044	2316	DEM116E.exe	38
PID 2316 wrote to memory of 3044	2316	DEM116E.exe	38
PID 2316 wrote to memory of 3044	2316	DEM116E.exe	38
PID 2316 wrote to memory of 3044	2316	DEM116E.exe	38
PID 3044 wrote to memory of 2136	3044	DEM67E7.exe	40
PID 3044 wrote to memory of 2136	3044	DEM67E7.exe	40
PID 3044 wrote to memory of 2136	3044	DEM67E7.exe	40
PID 3044 wrote to memory of 2136	3044	DEM67E7.exe	40

C:\Users\Admin\AppData\Local\Temp\4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\DEM63A3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM63A3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\DEMBA79.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBA79.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\DEM116E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM116E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Temp\DEM67E7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM67E7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\DEMBF0B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBF0B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM63A3.exe

Filesize
14KB

MD5
b6bfc99cd2b98126b5d44071980409af

SHA1
d1983afa6607947f4790eb846c6db2fa60e068f7

SHA256
39fba4f476ec5626cebae32a73a2bc2aac942a4d5e4961d1913a98a24c2bfb19

SHA512
6ee9507dc5692d3fc17dc9162a63966229e17ef254705b18f7968d822bff7bfa9d925db9d311a3a19e6fa366954bd585cb6cbd951dede23543878d27c252c44e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM116E.exe

Filesize
14KB

MD5
3cb368e36a9e2f88f53577775293e1f7

SHA1
f6043605d28678a446da578280c5ccdc45cd840a

SHA256
ee9c1a9d07b251cfa94a3c1e54b55e3db8d6aff31793d46aa6992490865a2bb0

SHA512
e6fa5daaf2f1523f2c2616d7bb92bfb4eae7f42cf3d1fe90092b429dc35d4b5088fa6cd7580211c41e41af407caa4defdc1dab40869ac716ea0ad4907bcbbf39

Download Submit
\Users\Admin\AppData\Local\Temp\DEM67E7.exe

Filesize
14KB

MD5
c0f3a4b843675e1ddb9a8767a08e52d8

SHA1
0d1cb7ea6123df7fe1da4f4e9c3fa736d5c69b02

SHA256
70d0cd536f9b7aca03d1eed1c0d1420fa2d9cf5772e1a38b2c8530f85e820386

SHA512
835b1d5b7ea8136d184dac76d09e5f069fdf7f4267c4327bd6585a3ca32131142ebaa3bb535bed4d66bea7b019d7abb266dea9deacdadf8581e25f9fe4a68506

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBA79.exe

Filesize
14KB

MD5
07826a127a02ca9cc4a0e9ed81d1e015

SHA1
2c806bda75e56eb26d2c7b6023048f479ac889ec

SHA256
683eaab91d5ea1d206389d6f2b6472b80e5f22dc525a58043b7b0bfe73fe039e

SHA512
4ba0b81941e83b91f5f947bc3c64404364538b7f59cec036c56578a4a9f6ef92ff042ec0bcfce8dc8734dab0e670de26adad5683961ce5f1bcd8be3b35618db7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBF0B.exe

Filesize
14KB

MD5
41543535413679f32782a472bf2fdc89

SHA1
0dc998943951a62a94db494b2390131848fec174

SHA256
bca583e2f2a85ee1dc7daba81792b7fb17ffc984bad6539ad0743ff851f595d5

SHA512
e98bccc122376d22389b51c743ea760865c5140f9ab043fe4116a65ad9f3ddca5aba352fdfdade2d3cdf4f340374136b2151d3d3f1adec1a8ba67c01a0c882f9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC9E.exe

Filesize
14KB

MD5
81dff927cafcdb530ce9d97f7a9203b3

SHA1
82969aeffcc18c34f5f88b08ae5fd158479d068b

SHA256
8e5599f1f127ef8bf943038c9c22a3051a94f7186e7b83e325442547ff3da039

SHA512
c6fdd8be9eaf230799330d16b1c6ff06806f88debe262ff090a4a39057ef788b2093737be6767f18a8ecfa4f9578817dc0076aa39782525baac200fec04e9e42

Download Submit

Analysis

Sharing