Overview

overview

10

Static

static

3

JaffaCakes...3a.exe

windows7-x64

10

JaffaCakes...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/01/2025, 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_0b8890e56e80bbdd1502cf079ce7583a.exe

  • Size

    1.4MB

  • MD5

    0b8890e56e80bbdd1502cf079ce7583a

  • SHA1

    dd2898e0e29e621e61f94b09b208daa77d3a916a

  • SHA256

    c7f975e39d71c09f26329414e6e790b2df26808e88529845996c889726af65ff

  • SHA512

    bd35e0ecddfc7f132f7eccd33d5abe40ff92ab129723110a1c5d11decc291af30857d05786beb16cf03401ae824ca6f5b4be6820fa1291b42cc956e6ef21b793

  • SSDEEP

    24576:x2G/nvxW3WQN2mfFT+LCT7c7gapLtf5UjGgBLEA2NGAQ04tgYXltpcCK5sjmRSPu:xbA39/YL87cZ9tf5UjGgBAA2NTcDlD56

Score
10/10
vjw0rmdiscoveryevasionexecutionpersistencetrojanupxworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Vjw0rm family
    vjw0rm
  • Blocklisted process makes network request 6 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 4 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 38 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b8890e56e80bbdd1502cf079ce7583a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b8890e56e80bbdd1502cf079ce7583a.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Roaming\info.js
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2540
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\info.js
    Filesize

    36KB

    MD5

    9fabf10537549747efbbb6281dce1a91

    SHA1

    4590a323576f86471b3d6b8b841762fc33c6e4b2

    SHA256

    a8e7fa03686c4354002c14b61047318fc4e7b654ffab72cf2bb814d13c2d2205

    SHA512

    01d41222e055e98841415d4aaa55ef16323e2c443273e9ca8b3e5f02ecdf2b3fd583b0b4e8fa7760404a1a154ca2b55f22441d667e41783a131786d22d995e6f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rufus.ini
    Filesize

    41B

    MD5

    6a31c51caaf3cee2f2311da6e28a5243

    SHA1

    194327e34003e8403860eb7fdee88230597a97b3

    SHA256

    cccc06458b80740283818ca27a5f225795c85adbf0cae3b4fcfd200da64a0952

    SHA512

    fd5b54f0f8be68abfdec00a02e717d89bf13ab0c31a075e1a839a49ac25e522362b741a5ee453c96b18f11aa6c2ed8589ca4b20d3e29424c78610e4fba7c9faa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rufus.ini
    Filesize

    70B

    MD5

    76e0c538f286b0ec44e6142894181b12

    SHA1

    e299a701eea23fcba9d2271ef10085b1c1fc2725

    SHA256

    87d182b4d879521625c5ea2fedf23cb1970b0d9c26e954b25f3b325958cef45a

    SHA512

    31fa2dc5e5cb03d4f509b18017327b053dfdb5adb379375438a610696f03975e71c2a5409b8236224e479a339e2980351bd7a8c6fcb84c9c651e28e1af9505b4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\setup.exe
    Filesize

    1.1MB

    MD5

    c1df434cf15aeb31783e1144b8a30059

    SHA1

    1c385ec41d5f20ab411bd20e792ad8e7da7feaf9

    SHA256

    c0ccf4f480545b50169cc1f5bf92b357ce588520cb8534128200ca48fc6ae588

    SHA512

    7dcdd37b831c3e6d54ea5cb74e5308ead0ac3a344a94f40d70b1ad72746a830d0109ed3ddebd4fa6dc8a3cd8352545dd81164a1cff6fdbbcc9ed3312ecbe76f4

    Download Submit

  • memory/2464-90-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-86-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-100-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-99-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-65-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-66-0x0000000005DF0000-0x0000000005DF2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2464-68-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-69-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-84-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-97-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-87-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-23-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-91-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-93-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-94-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2464-96-0x0000000001080000-0x00000000013D2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2612-18-0x0000000004330000-0x0000000004682000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2612-20-0x0000000004330000-0x0000000004682000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2612-19-0x0000000004330000-0x0000000004682000-memory.dmp

    Filesize

    3.3MB

    Download