f0b7d095bf2e268684871a203d4f637db9e49514ad225bcd5a9f9c1fe335fa17

General

Target

59a7c352be88b626667d833b2706818c_JaffaCakes118.exe
Size

13KB
MD5

59a7c352be88b626667d833b2706818c
SHA1

b3b193722627937e867c78e0eb392228c6e9b71d
SHA256

f0b7d095bf2e268684871a203d4f637db9e49514ad225bcd5a9f9c1fe335fa17
SHA512

882f21e370507ad5a83493dc7df4b4ee4b38fcf400e906c835efdf44eb3b6fa03cba9e513e490cb8f5246e6ab6d4098adbf073cce6445ab5dc8d0b78ba6ff98a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhBW:hDXWipuE+K3/SSHgxfW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2116	DEMF354.exe
2876	DEM48D3.exe
3004	DEM9DE5.exe
2032	DEMF306.exe
1708	DEM4808.exe
2052	DEM9DD5.exe

Loads dropped DLL 6 IoCs

pid	Process
2324	59a7c352be88b626667d833b2706818c_JaffaCakes118.exe
2116	DEMF354.exe
2876	DEM48D3.exe
3004	DEM9DE5.exe
2032	DEMF306.exe
1708	DEM4808.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2116	2324	59a7c352be88b626667d833b2706818c_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2116	2324	59a7c352be88b626667d833b2706818c_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2116	2324	59a7c352be88b626667d833b2706818c_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2116	2324	59a7c352be88b626667d833b2706818c_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2876	2116	DEMF354.exe	34
PID 2116 wrote to memory of 2876	2116	DEMF354.exe	34
PID 2116 wrote to memory of 2876	2116	DEMF354.exe	34
PID 2116 wrote to memory of 2876	2116	DEMF354.exe	34
PID 2876 wrote to memory of 3004	2876	DEM48D3.exe	36
PID 2876 wrote to memory of 3004	2876	DEM48D3.exe	36
PID 2876 wrote to memory of 3004	2876	DEM48D3.exe	36
PID 2876 wrote to memory of 3004	2876	DEM48D3.exe	36
PID 3004 wrote to memory of 2032	3004	DEM9DE5.exe	38
PID 3004 wrote to memory of 2032	3004	DEM9DE5.exe	38
PID 3004 wrote to memory of 2032	3004	DEM9DE5.exe	38
PID 3004 wrote to memory of 2032	3004	DEM9DE5.exe	38
PID 2032 wrote to memory of 1708	2032	DEMF306.exe	40
PID 2032 wrote to memory of 1708	2032	DEMF306.exe	40
PID 2032 wrote to memory of 1708	2032	DEMF306.exe	40
PID 2032 wrote to memory of 1708	2032	DEMF306.exe	40
PID 1708 wrote to memory of 2052	1708	DEM4808.exe	42
PID 1708 wrote to memory of 2052	1708	DEM4808.exe	42
PID 1708 wrote to memory of 2052	1708	DEM4808.exe	42
PID 1708 wrote to memory of 2052	1708	DEM4808.exe	42

C:\Users\Admin\AppData\Local\Temp\59a7c352be88b626667d833b2706818c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59a7c352be88b626667d833b2706818c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\DEMF354.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF354.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\DEM48D3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM48D3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\DEM9DE5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9DE5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Users\Admin\AppData\Local\Temp\DEMF306.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF306.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\DEM4808.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4808.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\DEM9DD5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9DD5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM48D3.exe

Filesize
13KB

MD5
da7a56fd1e3525048ade13e898f0b35c

SHA1
78faae2304251b35492f12e220b68d5a3dae68e4

SHA256
b605e39e13bb160992e109fd940245d1e06239c03422f31c8b10c4c30e559fe7

SHA512
beb6de43031f9c8d31cc68c24e320f3b3475b3498805f470aa9bdb668b453632e8f3df221bd21361dbfb3d583e9877ca86c4c74fc68b12ebdce1aa57a53d6cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9DD5.exe

Filesize
14KB

MD5
35fc21932cec8f53a81c1333f0bbb197

SHA1
e315a09098c11d7f4adc04f1a436127539b5d979

SHA256
d0c9657cde241af4d32ed8ba62b649527d40b12756fa9437e6c7c9dcb9e8761d

SHA512
9b95b7710decb87f7c8ecd0f05f7e63ee471dd8b2aee7e14def3864532081f84f00356ed0f1ed32c96226fc28d28920573f02a347e7b7ce2869b0645aa46f114

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF354.exe

Filesize
13KB

MD5
76d8437fb2ce1eb58c92a258b040a97c

SHA1
5847e86bb258e82f2e0aabcf5c9f35491af43b63

SHA256
834613ef8bbb1ca5bc0f254ff4b62d6cec3dc909bc02c26c6bc152d970f3263d

SHA512
9444e9e9a04341280fe95b7f7d0c69c4bd0016e9bba7c7da216c98c4fa9e3de5a822e61b2707965ec37ae76dbebd8572355ea440ba280657bf8e5b15b06df832

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4808.exe

Filesize
14KB

MD5
10133c778c4c74541cbd3a4999d67f4c

SHA1
bb54d393d6004d95f82e56a0b01604b277632377

SHA256
84a701ec02cab86a163a873667abba39a6424827d7eb279662e8a4428dfec69f

SHA512
b1a7024170cd92a1ab92e7d507e89278895b0222de52cebf2c14f05033b0f6ab958a8e29cd1381980bbc00a415c158fca81d65676f87d15c67ea87480cbef658

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9DE5.exe

Filesize
13KB

MD5
170c725e3f284378b472db3c9a48d0cf

SHA1
423a2410156c6286c490876b99682d5a3f8e4e3e

SHA256
592e16d0b546fe0909c2c223494ef3341a4e56012106cd4cadb0cd896eb25f84

SHA512
2ade8703a2bc9d7cfc467200cbbbb22d8764ff7ef0e28b877a0b32ab8a47d82f266b264d75e46c640c00d4017eacf9178fe8d2604fa098e063663be9d32f062a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF306.exe

Filesize
14KB

MD5
ad0f9d085d72d06983f239b1dfe99e7e

SHA1
8242ee20ff5ad0615c9a12149bb4c6a344a22d10

SHA256
bb8a53bacb1a81e0677a58adada773fd0068d26472a219bdd3d4bd97104b23d7

SHA512
9a4eb19255e2702267e6a0cb13c89b61db0fc64e8b16ce2687f0a5a8991e6128a35e84b039440f7a78952f95cc3ef38f06a9fb441ffea5f55e7765938af9edb9

Download Submit

Analysis

Sharing