f92e0f6057ea8b58848c0d2cf98ee3115605087ac0f87ec4dbca0bea5225fbc3

General

Target

478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe
Size

15KB
MD5

478addbe3c33f4064ac691e7310a9eff
SHA1

70535c06a0702aebac4fd43ea0c5b830e7115957
SHA256

f92e0f6057ea8b58848c0d2cf98ee3115605087ac0f87ec4dbca0bea5225fbc3
SHA512

7291b56b3fe0f51b071789a4a52343b56943b1700b162cd42921a1c0a78d4b0be446076e5d4fdae4f530a73cb414f06d09428a4b2686fc2081d97d6718b34467
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEHe:hDXWipuE+K3/SSHgxWe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3012	DEME88B.exe
2180	DEM3D8D.exe
2056	DEM932B.exe
2784	DEME86C.exe
1272	DEM3E58.exe
2396	DEM9389.exe

Loads dropped DLL 6 IoCs

pid	Process
2304	478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe
3012	DEME88B.exe
2180	DEM3D8D.exe
2056	DEM932B.exe
2784	DEME86C.exe
1272	DEM3E58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3012	2304	478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe	32
PID 2304 wrote to memory of 3012	2304	478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe	32
PID 2304 wrote to memory of 3012	2304	478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe	32
PID 2304 wrote to memory of 3012	2304	478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe	32
PID 3012 wrote to memory of 2180	3012	DEME88B.exe	34
PID 3012 wrote to memory of 2180	3012	DEME88B.exe	34
PID 3012 wrote to memory of 2180	3012	DEME88B.exe	34
PID 3012 wrote to memory of 2180	3012	DEME88B.exe	34
PID 2180 wrote to memory of 2056	2180	DEM3D8D.exe	36
PID 2180 wrote to memory of 2056	2180	DEM3D8D.exe	36
PID 2180 wrote to memory of 2056	2180	DEM3D8D.exe	36
PID 2180 wrote to memory of 2056	2180	DEM3D8D.exe	36
PID 2056 wrote to memory of 2784	2056	DEM932B.exe	38
PID 2056 wrote to memory of 2784	2056	DEM932B.exe	38
PID 2056 wrote to memory of 2784	2056	DEM932B.exe	38
PID 2056 wrote to memory of 2784	2056	DEM932B.exe	38
PID 2784 wrote to memory of 1272	2784	DEME86C.exe	40
PID 2784 wrote to memory of 1272	2784	DEME86C.exe	40
PID 2784 wrote to memory of 1272	2784	DEME86C.exe	40
PID 2784 wrote to memory of 1272	2784	DEME86C.exe	40
PID 1272 wrote to memory of 2396	1272	DEM3E58.exe	42
PID 1272 wrote to memory of 2396	1272	DEM3E58.exe	42
PID 1272 wrote to memory of 2396	1272	DEM3E58.exe	42
PID 1272 wrote to memory of 2396	1272	DEM3E58.exe	42

C:\Users\Admin\AppData\Local\Temp\478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\DEME88B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME88B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\DEM3D8D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3D8D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\DEM932B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM932B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Users\Admin\AppData\Local\Temp\DEME86C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME86C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\DEM3E58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3E58.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\DEM9389.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9389.exe"
        7⤵
        Executes dropped EXE
        
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3D8D.exe

Filesize
15KB

MD5
0e03e4c1b3f76860737743e43e513d56

SHA1
f261119ca183149de3760119b8b9522bc7e3c736

SHA256
23b72cc423da3dd26cf8f8321bd988ec89a3d9d5ef2b84696b93c3185ebbf763

SHA512
bd8c31d69e7c2babf704398e5ac10dd8c5d1478f02b6eb7f3ec210bd4e00fc24fa31eae1cef1f7bff690b78144ff3a3414166db60c4c656625290704a1641602

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME86C.exe

Filesize
15KB

MD5
583a1787d0a59a31b9f1c34d5ab11b6e

SHA1
55302fa93d24ac648f86f1369f70f05e7c2040ac

SHA256
04313217f0460529f7d4d607f3a8ca681432a28784f7fe4cb8d29e9a590347e5

SHA512
5ac5bc41346e5e51e35d6da66da906c97dca50f041c17c557f9cb0967136f20e0a7721453a55491bfe2d7879d86b58eac53f0d41fcc023cca745460b6413be0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME88B.exe

Filesize
15KB

MD5
6582fd18cc0b99854b628d0c0f2816ab

SHA1
b3f46ceac40fc809b5f4216590cc54eae2d878d0

SHA256
1d1a98aac7ba75f626a2167862b0fbd29a82e05f274f7709e81ae284bb691987

SHA512
9074115225279e5ba62ea38e0fb48ff6547cb6956570e41ff87f0cd5eb8a090468bd72a3af6c6b56c4c2a5648ce70ce0736cdadd3fa8f4a0a06b881f1da95d81

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3E58.exe

Filesize
15KB

MD5
5bba8c3721bfb2297e72f7e97c576095

SHA1
d538f236abb3b007b011690bcc403e975cdadfdd

SHA256
2141c95be4e857c8e31aca74a7842dcf7c69c4843c2e923802b4fd5aa6df991a

SHA512
29f61b38926c5b9ec9f615e268d5eb9e742489495c2d80c88f2decf0ec31f6f96fdfe9fb090b808a1138a861cb4ca3ca3f6662fa2b92c4e7947a126a4d5db302

Download Submit
\Users\Admin\AppData\Local\Temp\DEM932B.exe

Filesize
15KB

MD5
e43a5a85b6152d5e4b67f0d97e236090

SHA1
ec8ecbb2d8c5dde5faa13226e5afd066293f016a

SHA256
377d356304c0ad5d2aefc287bafbdf5407f547cd912f9eb1a2a3a813f577de67

SHA512
324c566e530422eebe81a06331405702f1236a784db5893e86a4c7db43927e935e0ad61ca9d2400b3c09cc2e4c1a5ad95d3c46e06fcfe33c3e43549c948480db

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9389.exe

Filesize
15KB

MD5
08b3ce46b3ebf353d44363a90fee025a

SHA1
3bdbc55c64992602914d674a6aedabcd437b42fc

SHA256
808a250a5315307d2f76b258b91aec174d04c94d652a4ee9628ccf8750a7f878

SHA512
24d13cea5ee131d11e589f3371894bd027bf5c154b9f938fe2affd7f9f53b40a14e0224642a669ffafd092562cf6b39169db32f908110bf20dcec69d26eac086

Download Submit

Analysis

Sharing