289d64e49c2e169d3706b3628134e01649f8ff743b2c113b1c825e20510d4633

General

Target

4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe
Size

14KB
MD5

4839a8e06072f0db66d680a6e4c27c78
SHA1

7037f28bff97503f334969d0811b74a340ab97c9
SHA256

289d64e49c2e169d3706b3628134e01649f8ff743b2c113b1c825e20510d4633
SHA512

bf7359aa0d0fc1e92270e5bab22f5b1e90a653aeeae63721165b651de24b60f0be1afa2a4146c9c405afa9cb744911d80cc7b6320b1499ce6028fd3198eeb062
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJP:hDXWipuE+K3/SSHgxD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1864	DEMBCE9.exe
2784	DEM1249.exe
1952	DEM6835.exe
1996	DEMBD75.exe
2836	DEM1287.exe
2176	DEM67D7.exe

Loads dropped DLL 6 IoCs

pid	Process
1040	4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe
1864	DEMBCE9.exe
2784	DEM1249.exe
1952	DEM6835.exe
1996	DEMBD75.exe
2836	DEM1287.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1864	1040	4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe	32
PID 1040 wrote to memory of 1864	1040	4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe	32
PID 1040 wrote to memory of 1864	1040	4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe	32
PID 1040 wrote to memory of 1864	1040	4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe	32
PID 1864 wrote to memory of 2784	1864	DEMBCE9.exe	34
PID 1864 wrote to memory of 2784	1864	DEMBCE9.exe	34
PID 1864 wrote to memory of 2784	1864	DEMBCE9.exe	34
PID 1864 wrote to memory of 2784	1864	DEMBCE9.exe	34
PID 2784 wrote to memory of 1952	2784	DEM1249.exe	36
PID 2784 wrote to memory of 1952	2784	DEM1249.exe	36
PID 2784 wrote to memory of 1952	2784	DEM1249.exe	36
PID 2784 wrote to memory of 1952	2784	DEM1249.exe	36
PID 1952 wrote to memory of 1996	1952	DEM6835.exe	38
PID 1952 wrote to memory of 1996	1952	DEM6835.exe	38
PID 1952 wrote to memory of 1996	1952	DEM6835.exe	38
PID 1952 wrote to memory of 1996	1952	DEM6835.exe	38
PID 1996 wrote to memory of 2836	1996	DEMBD75.exe	40
PID 1996 wrote to memory of 2836	1996	DEMBD75.exe	40
PID 1996 wrote to memory of 2836	1996	DEMBD75.exe	40
PID 1996 wrote to memory of 2836	1996	DEMBD75.exe	40
PID 2836 wrote to memory of 2176	2836	DEM1287.exe	42
PID 2836 wrote to memory of 2176	2836	DEM1287.exe	42
PID 2836 wrote to memory of 2176	2836	DEM1287.exe	42
PID 2836 wrote to memory of 2176	2836	DEM1287.exe	42

C:\Users\Admin\AppData\Local\Temp\4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\DEMBCE9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBCE9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\DEM1249.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1249.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\DEM6835.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6835.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\DEMBD75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD75.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\DEM1287.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1287.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\DEM67D7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM67D7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1249.exe

Filesize
14KB

MD5
efc5ec50d2b13deb2148c50475f3cb89

SHA1
73b9d968b3f584c3bb289bc14fdeafa9992ec015

SHA256
a232f39fe959ea511227c6ebf37b3902ca05825eea33dce0d7966d49012fd445

SHA512
7a704d79d6bf69267d521ecfd8943b41d0337ac6aead074b9cc3dffe306c08a2bef41989aa116a20d31c5117e16d0e62f0a2eec37ef48121fa4d0c72f3167bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1287.exe

Filesize
14KB

MD5
05230938c0b446795784b62b1b13be4b

SHA1
5f114c5fab0f09256f585fbc7b5672ddaf86010b

SHA256
b74caf72520b4b25555b6708655c43b5840f2f837f7a0fdc49a351bbbf1c671c

SHA512
988548fd413751b91c3ce85a71338be5f5e33a4252e273761a46fdfc648f27fe6519d0d6d0c7ab87141d8a8f44cf2c3c8f5a6854909fdde26af89e4ef5818251

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM67D7.exe

Filesize
14KB

MD5
29b04049bd8bf14b33a04bfab76dd8f4

SHA1
a2356f580b5095bfd9b5033ecc0ce9a22d1f3e1a

SHA256
0b9367563b602cf583ffee33ec666abe3fa55bfeecb35c955c6da6a1203f39a6

SHA512
838fa9d9773d0eaea997212b008da85e6d6f0a2a06f89c26e87a16f9b0a8cf951af3ea8e569c802db86a3c928986f7d98489aac2e7c7004e906265571b2f9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD75.exe

Filesize
14KB

MD5
dd99fd2c66fd883705972e758bcbc8d5

SHA1
728d16e54477796c18d53e1b807c78b726b08361

SHA256
0fd4b753896b3214bd1bcd238b6dd1387f26129e90f81ce393a9911e81923af2

SHA512
eb61095bb03d6d592730c5561659606317e6a188240b82656d784e347344f23b2f5c7af202f6b2edb0ee31001d2a4e428ad107b14d489a80437da63e90648812

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6835.exe

Filesize
14KB

MD5
cc0e94e63750aa33fb77aedc74f0da1f

SHA1
9b9bc2477cf002a98a34ff0ca3b6a80126246d4d

SHA256
ea70be68ab61a40ab93f768d2608d8b9766bc380ec65ba53fd3780597ba477f1

SHA512
fb05e4c1227608f08e99008468d28347e071c8c2931b0bba76b7aee881bd128a7efb59e4213ae6bac4ee8ed6e4b87686327d4030af1dbe2750bede9c597fc468

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBCE9.exe

Filesize
14KB

MD5
d2b8fff63504143608193e74f24bca3c

SHA1
85786c963808d0b092a53616fe3c9ac554494d1d

SHA256
c29cdefb9b75f0e8a416de10e04b6860cfadae554d4426833053c56f55977404

SHA512
2a66f089332772d7c82ca98e9b29b333f05e6bac9c76bd196d9aa39068e3c787118805948ff0ffaf7e074f748fc261221f6faa4ba17ca5cc666be05c9d26f277

Download Submit

Analysis

Sharing