59b0aeacca07cd300955e9010b6aee69724ab36ad306fedf50359928feb2720b

General

Target

5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe
Size

15KB
MD5

5aa9384054baf008b3e9c7b6e460151a
SHA1

f43a6e7221b12c7b40fe65bb8aa3ffa092ea6f06
SHA256

59b0aeacca07cd300955e9010b6aee69724ab36ad306fedf50359928feb2720b
SHA512

59000d070c97f2410dfb923d01f3088005664cfaee04b75629775c5a004a5b94965b8d919f324938d5a5caec3475f8e08072cf99df6117b560bea67c518cbfca
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY52+p:hDXWipuE+K3/SSHgxmz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2760	DEME16A.exe
2084	DEM36AA.exe
2692	DEM8C96.exe
680	DEME1C7.exe
2976	DEM3746.exe
1376	DEM8CA6.exe

Loads dropped DLL 6 IoCs

pid	Process
1212	5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe
2760	DEME16A.exe
2084	DEM36AA.exe
2692	DEM8C96.exe
680	DEME1C7.exe
2976	DEM3746.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2760	1212	5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe	31
PID 1212 wrote to memory of 2760	1212	5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe	31
PID 1212 wrote to memory of 2760	1212	5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe	31
PID 1212 wrote to memory of 2760	1212	5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2084	2760	DEME16A.exe	33
PID 2760 wrote to memory of 2084	2760	DEME16A.exe	33
PID 2760 wrote to memory of 2084	2760	DEME16A.exe	33
PID 2760 wrote to memory of 2084	2760	DEME16A.exe	33
PID 2084 wrote to memory of 2692	2084	DEM36AA.exe	35
PID 2084 wrote to memory of 2692	2084	DEM36AA.exe	35
PID 2084 wrote to memory of 2692	2084	DEM36AA.exe	35
PID 2084 wrote to memory of 2692	2084	DEM36AA.exe	35
PID 2692 wrote to memory of 680	2692	DEM8C96.exe	37
PID 2692 wrote to memory of 680	2692	DEM8C96.exe	37
PID 2692 wrote to memory of 680	2692	DEM8C96.exe	37
PID 2692 wrote to memory of 680	2692	DEM8C96.exe	37
PID 680 wrote to memory of 2976	680	DEME1C7.exe	39
PID 680 wrote to memory of 2976	680	DEME1C7.exe	39
PID 680 wrote to memory of 2976	680	DEME1C7.exe	39
PID 680 wrote to memory of 2976	680	DEME1C7.exe	39
PID 2976 wrote to memory of 1376	2976	DEM3746.exe	41
PID 2976 wrote to memory of 1376	2976	DEM3746.exe	41
PID 2976 wrote to memory of 1376	2976	DEM3746.exe	41
PID 2976 wrote to memory of 1376	2976	DEM3746.exe	41

C:\Users\Admin\AppData\Local\Temp\5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\DEME16A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME16A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\DEM36AA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM36AA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\DEM8C96.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8C96.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\DEME1C7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME1C7.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:680
      - C:\Users\Admin\AppData\Local\Temp\DEM3746.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3746.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\DEM8CA6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8CA6.exe"
        7⤵
        Executes dropped EXE
        
        PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM36AA.exe

Filesize
15KB

MD5
65675dbb01673bd19f4cefc374b8211e

SHA1
cc896d6ebc2d81c6c0d5e2b95e8f5fbf72656835

SHA256
0adfdb4ef27b6fcaf3043ac22ef0fb4554f9627ebbe04554153f29e5d7c41c25

SHA512
fc5bebff31446ba6c1ea00b6132a7bc48772687f6c189b368aaffeacc831ac1405e0677aacb3adba5a64e4ccaffba5194dd19bd7c8e77cb4520d241e9be3d780

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C96.exe

Filesize
15KB

MD5
24102ad4c55dc46cd95b097a1a215882

SHA1
de219879495d89c56332d6df6f44cc63ca4291e7

SHA256
1f86efae02064eb1c10adfe9ef0df0d7b30b2a861221adb64f3f9e113855c280

SHA512
d473754d316623b4cb7d90c8047ab39cecf0aac952d6fb312ef806d9f3cdfa1e2ef95cc7587c271ad2e4714a8783e103d5ee36a23b833a902abef085beb1432c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME16A.exe

Filesize
15KB

MD5
5be14b474ee8d8c795818154c4f1e5a2

SHA1
b9c392b37dcfc26c27c1df912197d63178b92d35

SHA256
476554b06d8c235720857c6920c863475f61cf966d922159922bd1aa6863dea0

SHA512
3ef70a5cafde2f56064d17a22a0fcccf4d5fe4dcf0c8749ef0e0e92e5be284fab518b0cc98ff5010fd05ecd51a02fe7a8c3ca4cb03fcc9aab981b290beb1e3bc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3746.exe

Filesize
15KB

MD5
87880b981c0e6185b0928195020b658b

SHA1
95a417b13002858fa290e6bddaa160b12a7e6fa6

SHA256
ec12aef38ec9c65457c3e1f90aa828336bc4f38c6c9fc3c5b1f691adb58a3aab

SHA512
c801243848d261e19d94e91a9b1e3f57b9d5575e4b6ad1ff0a20c558ce3ee629a38f1bf0daac5397190ece2a0dd59d0eb38c7bce117e8238b9bf9299b096add4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8CA6.exe

Filesize
15KB

MD5
63632b96f934eba25c822b5171b336bd

SHA1
0fc88075d8cc2c78af29d3df6859d8602cde10e9

SHA256
61c1e9f06d99c57e073ec03701a5b2eccda4e95d4e97d901c9048eee54ab1f1f

SHA512
deb56203e7d3cfcdd8d8817fa1067b0b224ffb67d2439b07c22a3d3b847214693108eb2615b56dd0cd630fcceeb8bdb74a1542277dbeaa6ea8d7cc3f3a768236

Download Submit
\Users\Admin\AppData\Local\Temp\DEME1C7.exe

Filesize
15KB

MD5
0142fd5902e91e10e2c43236a181cad2

SHA1
6996a55b3d34879dcfdb7c1418253dbafd5d0664

SHA256
8c05459da351987f94b059eae0c6e1d2cdb9f835a0df820ba5ae268a03580008

SHA512
d5b380e581f9a896a52b7f3334bf8d64da05575ebd98c0dae4c11211360121b9fe24ac165383e7c482217df1e68ec3fa96b05bd661fe32701f3437ace2123a65

Download Submit

Analysis

Sharing