Analysis
-
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 18:08
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0.js
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0.js
  Resource: win10v2004-20241007-en
General
-
Target: JaffaCakes118_b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0.js
Size: 18KB
MD5: 1d9327d69fd263ac645b6a4eef31cb24
SHA1: 3cff6c8d464e8c254048635dd68e31225ffcb6e4
SHA256: b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0
SHA512: 50cf6ff55a3f73803b4b1313c029e08e66e62ff6de1fd839fec21aecc09d30254616a3b8aab271828a7a69f4835d155ee4af53bb3c4daaa3b4a1cb2305409e2f
SSDEEP: 192:XppRDuksQVaQ3bBcaJQYkobtD07DX5sRqvex8aIxjPyeUuKGwSfb+U0Sl2c2fgYS:XvvpaQ3bC9voUDXYHyjPw//9gRL
Malware Config
Signatures
-
Vjw0rm family
-
Blocklisted process makes network request (16 IoCs)
flow  pid   Process
3     1868  wscript.exe
19    1868  wscript.exe
26    1868  wscript.exe
29    1868  wscript.exe
45    1868  wscript.exe
47    1868  wscript.exe
49    1868  wscript.exe
55    1868  wscript.exe
57    1868  wscript.exe
59    1868  wscript.exe
68    1868  wscript.exe
70    1868  wscript.exe
72    1868  wscript.exe
75    1868  wscript.exe
77    1868  wscript.exe
79    1868  wscript.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                              Process
Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  wscript.exe
-
Drops startup file (2 IoCs)
description                   ioc                                                                                         Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js  wscript.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\amqolYPJMq.js\""  wscript.exe
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory (2 IoCs)
description                    pid   Process      procid_target
PID 1868 wrote to memory of 2720  1868  wscript.exe  84
PID 1868 wrote to memory of 2720  1868  wscript.exe  84
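The three host-side IoCs above (Geo\Nation query, script dropped into the Startup folder, Run key pointing at a script in AppData\Roaming) are the parts of this chain that survive in endpoint telemetry once the network flows are gone. The block below is an added example, not part of the sandbox report or of any vendor's detection content: it matches those IoCs against constructed events. The paths, SID and key names are taken from the report; the Event schema, the PIDs and the benign control events are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example (not from the sandbox report). The Event shape is a simplified
# assumption, not a real Sysmon/EDR schema; map your own fields onto it.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
GEO_NATION = "\\control panel\\international\\geo\\nation"


@dataclass
class Event:
    kind: str          # "file_create", "reg_set" or "reg_query"
    pid: int
    image: str         # full path of the acting process
    target: str        # file path or registry key touched
    value: str = ""    # registry data, for reg_set only


def is_script_path(p: str) -> bool:
    """True when a (possibly quoted) path ends in a script-host extension."""
    return p.strip().strip('"').lower().endswith(SCRIPT_EXTS)


def classify(ev: Event) -> list[str]:
    """Return the names of the report signatures that fire for one event."""
    hits: list[str] = []
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return hits                      # only script hosts are in scope here
    target = ev.target.lower()
    if ev.kind == "file_create" and STARTUP_DIR in target and is_script_path(target):
        hits.append("Drops startup file")
    if ev.kind == "reg_set" and RUN_KEY in target and is_script_path(ev.value):
        hits.append("Adds Run key to start application")
    if ev.kind == "reg_query" and target.endswith(GEO_NATION):
        hits.append("Checks computer location settings")
    return hits


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Group fired signatures by PID so one process's chain is visible."""
    by_pid: dict[int, list[str]] = {}
    for ev in events:
        for h in classify(ev):
            by_pid.setdefault(ev.pid, []).append(h)
    return by_pid


# Constructed events mirroring the IoCs in the report (paths, SID and key names
# from the page; event shape and the two benign controls are invented).
SID = "S-1-5-21-4089630652-1596403869-279772308-1000"
SAMPLE_EVENTS = [
    Event("reg_query", 1868, r"C:\Windows\system32\wscript.exe",
          rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"),
    Event("file_create", 2720, r"C:\Windows\System32\wscript.exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js"),
    Event("reg_set", 2720, r"C:\Windows\System32\wscript.exe",
          rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
          value=r'"C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"'),
    # control: script host writing a .js outside the Startup folder (hypothetical)
    Event("file_create", 1868, r"C:\Windows\system32\wscript.exe",
          r"C:\Users\Admin\AppData\Local\Temp\tmp1.js"),
    # control: a non-script host setting a Run value to an .exe (hypothetical)
    Event("reg_set", 4100, r"C:\Windows\explorer.exe",
          rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          value=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, hits)
```

Grouping by PID matters for this sample: the geofence query fires on the parent (1868) while both persistence writes come from the child (2720), so a rule that only looks at one process would see half the chain.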
Processes
-
- C:\Windows\system32\wscript.exe (PID 1868)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0.js
  Signatures: Blocklisted process makes network request; Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 2720, child of 1868)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"
    Signatures: Drops startup file; Adds Run key to start application
    Note: //B runs the script host in batch mode, suppressing script error dialogs and prompts; the file it executes in AppData\Roaming is the same path the Run key value points to.
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  MD5: 3f7b92769fc59d8adc125b4d4e8adee4
  SHA1: b3ea6913dcf3681572a1db1f429cc5e1e49b060e
  SHA256: e1fccde6528046c2c1e41096085c199efaddc1393d42f6696165aeec43c9a209
  SHA512: 659caad97e885af9d5f2dece465873b517fc34a5c67f5f0aba08b9ef868cca57fe025ed9979bd0933e46ee45792d5b424bd99a24c4449c5b739f17e0b6bdf01f