148ed2da8b43bc06740e22ce1851aaf2d0859780d3c452fee4ef5807857c2bf1

General

Target

6205a064396c8a7d39f3386d8868495a_JaffaCakes118.exe
Size

15KB
MD5

6205a064396c8a7d39f3386d8868495a
SHA1

5be8fee97e7217d2b9ba0205da9414f8077f509a
SHA256

148ed2da8b43bc06740e22ce1851aaf2d0859780d3c452fee4ef5807857c2bf1
SHA512

2d011e4efd00992e45c0a308d146a0b1687f9fbca97f631b8a24e9ab825b00ffd3a3eb584cabd09b7f6c88223d622f603398afca5edc86cd38cb73d1c3049961
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY84/p:hDXWipuE+K3/SSHgxm84/p

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2308	DEM9740.exe
2896	DEMECBF.exe
2664	DEM422E.exe
2796	DEM977F.exe
1448	DEMECDE.exe
552	DEM428C.exe

Loads dropped DLL 6 IoCs

pid	Process
1960	6205a064396c8a7d39f3386d8868495a_JaffaCakes118.exe
2308	DEM9740.exe
2896	DEMECBF.exe
2664	DEM422E.exe
2796	DEM977F.exe
1448	DEMECDE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2308	1960	6205a064396c8a7d39f3386d8868495a_JaffaCakes118.exe	32
PID 1960 wrote to memory of 2308	1960	6205a064396c8a7d39f3386d8868495a_JaffaCakes118.exe	32
PID 1960 wrote to memory of 2308	1960	6205a064396c8a7d39f3386d8868495a_JaffaCakes118.exe	32
PID 1960 wrote to memory of 2308	1960	6205a064396c8a7d39f3386d8868495a_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2896	2308	DEM9740.exe	34
PID 2308 wrote to memory of 2896	2308	DEM9740.exe	34
PID 2308 wrote to memory of 2896	2308	DEM9740.exe	34
PID 2308 wrote to memory of 2896	2308	DEM9740.exe	34
PID 2896 wrote to memory of 2664	2896	DEMECBF.exe	36
PID 2896 wrote to memory of 2664	2896	DEMECBF.exe	36
PID 2896 wrote to memory of 2664	2896	DEMECBF.exe	36
PID 2896 wrote to memory of 2664	2896	DEMECBF.exe	36
PID 2664 wrote to memory of 2796	2664	DEM422E.exe	38
PID 2664 wrote to memory of 2796	2664	DEM422E.exe	38
PID 2664 wrote to memory of 2796	2664	DEM422E.exe	38
PID 2664 wrote to memory of 2796	2664	DEM422E.exe	38
PID 2796 wrote to memory of 1448	2796	DEM977F.exe	40
PID 2796 wrote to memory of 1448	2796	DEM977F.exe	40
PID 2796 wrote to memory of 1448	2796	DEM977F.exe	40
PID 2796 wrote to memory of 1448	2796	DEM977F.exe	40
PID 1448 wrote to memory of 552	1448	DEMECDE.exe	42
PID 1448 wrote to memory of 552	1448	DEMECDE.exe	42
PID 1448 wrote to memory of 552	1448	DEMECDE.exe	42
PID 1448 wrote to memory of 552	1448	DEMECDE.exe	42

C:\Users\Admin\AppData\Local\Temp\6205a064396c8a7d39f3386d8868495a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6205a064396c8a7d39f3386d8868495a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\DEM9740.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9740.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\DEMECBF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMECBF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\DEM422E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM422E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\DEM977F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM977F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\DEMECDE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMECDE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\DEM428C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM428C.exe"
        7⤵
        Executes dropped EXE
        
        PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM977F.exe

Filesize
15KB

MD5
69eba6bd29a874285c57dce8dc9eee0b

SHA1
ce05191de0976ff888b16407df010f6ba2d2937d

SHA256
6f31e3136c4890c24515676e88979f031e023c2d9005c56739dbe9a3dd9068ff

SHA512
09af57a90af30232c68c84683fcc2dd8060c617a2ae537c401ecbbac4de121402752d5959b5572cacd5e4dc373e364d4da4f1cfc1a6f990ddee26af149cfc519

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMECBF.exe

Filesize
15KB

MD5
ecdf02100713ba178f841e988beaf138

SHA1
e0733d62a92560fbcf7febc27829a689cdfd3cac

SHA256
43bfdb3c79b6e4510c670ed7c6b19feb3861ccedfca60d3715f1d514a110c58e

SHA512
451e9e7ea3a39403ce3608614dd5dede2a515a48f05af03e9a9924a3de5f4039e71c91f76d0d9b393cbbb5aca4603857a727dc4ca2221ecdff60fe39b9ff18bb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM422E.exe

Filesize
15KB

MD5
40fe327851424a1024de5fac4f3e49ae

SHA1
b81c66d55d136ff309fd8b4c53bb61b666149cb0

SHA256
fd751428a06c9dfced68e9c6db7d681b7de3395a0cee353f9f76281349a16666

SHA512
c947f427bbbdf5babd3c1353923622d87849139f9ab1bc22d43c301383e1d6d774da5ef2d1c24cb4169fc02b9984b66bce94a48d5f82342b68228fecd229ceed

Download Submit
\Users\Admin\AppData\Local\Temp\DEM428C.exe

Filesize
15KB

MD5
4261ad60517106479cebfdc3a69a56ad

SHA1
9ccb845ee8b1dbee8682e71fe27e3c85d4970073

SHA256
7514315924e76da60ea874df284d70240282b33674da7fd57dd12e801222dea7

SHA512
0df288513dbd6a0464627852431400d744c9cf6d21d1ea72df3f7d926ec8c0c5d69a139c03534610ecceef6abddff1bccb8bca3ca0266edf8c578ab5d3f1e25e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9740.exe

Filesize
15KB

MD5
e4889921e730bf64951d3108a9ed98f2

SHA1
d4b9d181ec5a3762cc5b086f76100b447a0d0c3a

SHA256
40b516707c9d8a9b5fe33e44b56d3aaf74cdf98ccefa95e71f60e2bd29780899

SHA512
5e4b67605cfd88f3a40feeb8f444e874980ad569632488cbbc52440f7aa290c2baa3b2e3903e0b9f0ff8f38d49d6205634747ef548755d3bcf5595a80af80cf2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMECDE.exe

Filesize
15KB

MD5
44c5a4eb6718c0817aa86e59afb503f3

SHA1
de88034867b1b0534eca89342dc0cf6df586e798

SHA256
1c7fa3998545ebc0163d41e0e6b097aae8411597f8aa94ec95a375f918b1026b

SHA512
74dfeb1d764c1885e3e875adb628d913b67084b36bc781b4942c9dfbad20d594a4262e4f5fbd64a63607a7f843feb230845dcbf7f0224d8a09dec98d3ea5eb29

Download Submit

Analysis

Sharing