4cff8e84b27be4f94de4c31cd415b471b2c7899ff1a43f99660f58031f2376c1

General

Target

65ac347a569569137202e917d832ea65_JaffaCakes118.exe
Size

14KB
MD5

65ac347a569569137202e917d832ea65
SHA1

508b80982331abc857d0c0199c0cce862d989135
SHA256

4cff8e84b27be4f94de4c31cd415b471b2c7899ff1a43f99660f58031f2376c1
SHA512

900a987d1e7fcff73f3d7b7dccde4336e3a1fa9e92218afb9a3c93014538ea1db196370d336a443a5a73cfdb941892ab09fe0fbf8d67ee8b3ed3797ba9797dbd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY41v:hDXWipuE+K3/SSHgxmc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2696	DEM1851.exe
2536	DEM6DC1.exe
2468	DEMC2E2.exe
2628	DEM1822.exe
1316	DEM6D34.exe
1464	DEMC255.exe

Loads dropped DLL 6 IoCs

pid	Process
2624	65ac347a569569137202e917d832ea65_JaffaCakes118.exe
2696	DEM1851.exe
2536	DEM6DC1.exe
2468	DEMC2E2.exe
2628	DEM1822.exe
1316	DEM6D34.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2696	2624	65ac347a569569137202e917d832ea65_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2696	2624	65ac347a569569137202e917d832ea65_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2696	2624	65ac347a569569137202e917d832ea65_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2696	2624	65ac347a569569137202e917d832ea65_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2536	2696	DEM1851.exe	33
PID 2696 wrote to memory of 2536	2696	DEM1851.exe	33
PID 2696 wrote to memory of 2536	2696	DEM1851.exe	33
PID 2696 wrote to memory of 2536	2696	DEM1851.exe	33
PID 2536 wrote to memory of 2468	2536	DEM6DC1.exe	35
PID 2536 wrote to memory of 2468	2536	DEM6DC1.exe	35
PID 2536 wrote to memory of 2468	2536	DEM6DC1.exe	35
PID 2536 wrote to memory of 2468	2536	DEM6DC1.exe	35
PID 2468 wrote to memory of 2628	2468	DEMC2E2.exe	37
PID 2468 wrote to memory of 2628	2468	DEMC2E2.exe	37
PID 2468 wrote to memory of 2628	2468	DEMC2E2.exe	37
PID 2468 wrote to memory of 2628	2468	DEMC2E2.exe	37
PID 2628 wrote to memory of 1316	2628	DEM1822.exe	39
PID 2628 wrote to memory of 1316	2628	DEM1822.exe	39
PID 2628 wrote to memory of 1316	2628	DEM1822.exe	39
PID 2628 wrote to memory of 1316	2628	DEM1822.exe	39
PID 1316 wrote to memory of 1464	1316	DEM6D34.exe	41
PID 1316 wrote to memory of 1464	1316	DEM6D34.exe	41
PID 1316 wrote to memory of 1464	1316	DEM6D34.exe	41
PID 1316 wrote to memory of 1464	1316	DEM6D34.exe	41

C:\Users\Admin\AppData\Local\Temp\65ac347a569569137202e917d832ea65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65ac347a569569137202e917d832ea65_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\DEM1851.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1851.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\DEM6DC1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6DC1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\DEMC2E2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC2E2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\DEM1822.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1822.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\DEM6D34.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6D34.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\DEMC255.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC255.exe"
        7⤵
        Executes dropped EXE
        
        PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1822.exe

Filesize
14KB

MD5
59b474f06dcbd1746b47f831201663a0

SHA1
07d632af4b0a628dbef9c351bd02c05e9136e05b

SHA256
8102186503b8b4a7bf9d8384958be89042baab5761ea32f0733938bbdde269d5

SHA512
8e8dbd1ca68d6407ee1a6db443a074af8d298adec708a1eec34d3bf9ce4690f52a360a9578032a0ab57a6a443647a4eba904adef464b7eed7c0b37820d8f22ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1851.exe

Filesize
14KB

MD5
02cf58d6ea7bc2b8ad86deac16c54d18

SHA1
9c2854ce1cb8291246de5390d34d8f9c5283a04f

SHA256
946317d9ff5d62108a5c413321235dbd735d78564df913d96938c921bf32890b

SHA512
9f7dc2c232d428c893a9d26f0d41692465c7b3c86a9de2091ecf5a1643c734877c602e150d602fef6ca38c321610acb56e882a54009cb8b13a114517277b440e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6D34.exe

Filesize
14KB

MD5
cf7fd65ade3d70c86f2101357a99d727

SHA1
916bae15d2e150aa4ae284da21a10336e563ed5f

SHA256
50c9640bb34753dc6e63ea12497246cf2bc54c84c417e8e79e582ea8e47e65da

SHA512
55c776f885cd1257b3b0f196e5c9c2ac652b5a5fbef76b893f1a8903d41c665ae11daef8f62014d875eb759c45c50cf31bdc1b6b3ce39f86019efd3714c51474

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6DC1.exe

Filesize
14KB

MD5
c239d97816db0a13fd08dfc534902932

SHA1
209e9362ddea9b2996c030883549ffee5742e9af

SHA256
9562713e4966ec210621298353ffc975a356102f6ec0af22bad04074cde7c84f

SHA512
e79482de0b524a3c7f50077bf7c031bb07711dbb68ba27405677e81e888e7f4febee666084d0d7acefca4def2077f2443fd451a1cb97fc464e0078c33ca28cea

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC255.exe

Filesize
14KB

MD5
b9fff0b4059ff7f5884cca84d4793bef

SHA1
a82a9c4ccb9908f6bae35c5aff9e220bd910f629

SHA256
b9b70945ba6ab8a57aac0c59086aedca0480192e128f6c6e214ec3e0eb8a51b9

SHA512
e7f7181ef90e96a4c0d176a415df630bb27f458261c6b37d51d963e26ca6d23bedd870a65e53b41a9ea9343d21c3377c5e5a51bd87537d27a81b97b1de10f77d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC2E2.exe

Filesize
14KB

MD5
e519993181efd77bee646f69a9cf5945

SHA1
75fd95450e7a7f031dfb2a41c42849d33c83b4f5

SHA256
049bd5be5bec6886309afb3e555c78f6d98ed90cea1a5bf5767aa7b3d6deed43

SHA512
a9c8aced6a5065849bb32ab3b28fc6b29e8f12355840cd0e7de666adee783d6aca250cf7e8dd0b3f5d82ad4d151986673d693a9fc757ad307bd99d8e95d5d077

Download Submit

Analysis

Sharing