4065e7444fd522a970abdc6a763f4227515219cb1d0246564d2fe80e603f56f6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d51fdbe012f6f34d9abddce7ccf81afa_JaffaCakes118.js
Size

16KB
MD5

d51fdbe012f6f34d9abddce7ccf81afa
SHA1

9db0fbd0626a1b38e899a671b32948e27df22b74
SHA256

4065e7444fd522a970abdc6a763f4227515219cb1d0246564d2fe80e603f56f6
SHA512

97c28519554131ffa37fc8295f14daa56b3cf125035c62329fe0e489a93105055cb7007a2d328857da22724ccf51ffc28ac779cbb88c4e2bd8085eb0efe0b762
SSDEEP

384:oSS9dHVLzKtkLtp1zCXay1zczYcIrNthcccLzytOXLVIpfe49ecToQXVttPXFV13:oSSzHR2t+tH2Ky1zczYcSNthcccLzyt9

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
15	2928	wscript.exe
24	2928	wscript.exe
25	2928	wscript.exe
28	2928	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wscript.exe

Deletes itself 1 IoCs

pid	Process
2928	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ms-settings\shell\open\command	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ms-settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ms-settings\shell	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ms-settings\shell\open	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ms-settings\shell\open\command\ = "\"C:\\Windows\\system32\\wscript.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d51fdbe012f6f34d9abddce7ccf81afa_JaffaCakes118.js\" rpsuki"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ms-settings\shell\open\command\DelegateExecute	wscript.exe
Key deleted	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ms-settings\shell\open\command	wscript.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3204	4900	wscript.exe	87
PID 4900 wrote to memory of 3204	4900	wscript.exe	87
PID 3204 wrote to memory of 2928	3204	fodhelper.exe	88
PID 3204 wrote to memory of 2928	3204	fodhelper.exe	88

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d51fdbe012f6f34d9abddce7ccf81afa_JaffaCakes118.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\system32\fodhelper.exe
  "C:\Windows\system32\fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\d51fdbe012f6f34d9abddce7ccf81afa_JaffaCakes118.js" rpsuki
    3⤵
    - Blocklisted process makes network request
    - Deletes itself
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...