Analysis Overview
SHA256
d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13
Threat Level: Known bad
The file JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Vjw0rm family
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Adds Run key to start application
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-08 04:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-08 04:56
Reported
2025-01-08 04:58
Platform
win7-20240903-en
Max time kernel
146s
Max time network
146s
Command Line
Signatures
Vjw0rm
Vjw0rm family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" | C:\Windows\System32\wscript.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2680 wrote to memory of 2428 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2680 wrote to memory of 2428 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2680 wrote to memory of 2428 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2680 wrote to memory of 2496 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2680 wrote to memory of 2496 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2680 wrote to memory of 2496 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2496 wrote to memory of 2876 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2496 wrote to memory of 2876 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2496 wrote to memory of 2876 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | faxjohn01.dyn.ddnss.de | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
Files
C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js
| MD5 | b1723af127d01881617d42e94db1a187 |
| SHA1 | 02e312b6a5a1c47baa9dda51a2d887bda2a41d34 |
| SHA256 | 1b004dc8d63c6e9d0084e8fcfe952fad9a0b2355593dfdb8aab585ef3d74e9f3 |
| SHA512 | 5fb793b239795ffee051cade8464c0c98881c3ac4206dd671e8ea41f2ca9e4c06d0b368dcf5eeaaee62d23510a5e81a251dc282e49a025b9682e40cac0b9ed4d |
C:\Users\Admin\AppData\Roaming\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js
| MD5 | 8c7d90878061ce94f70b41a3d2678379 |
| SHA1 | 7d08d5be9c64a49ccfeeb14aee806cb017d941db |
| SHA256 | d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13 |
| SHA512 | e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-08 04:56
Reported
2025-01-08 04:58
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Vjw0rm
Vjw0rm family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\"" | C:\Windows\System32\wscript.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2444 wrote to memory of 956 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2444 wrote to memory of 956 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2444 wrote to memory of 2680 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2444 wrote to memory of 2680 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2680 wrote to memory of 2980 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2680 wrote to memory of 2980 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | faxjohn01.dyn.ddnss.de | udp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| DE | 85.114.136.161:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js
| MD5 | b1723af127d01881617d42e94db1a187 |
| SHA1 | 02e312b6a5a1c47baa9dda51a2d887bda2a41d34 |
| SHA256 | 1b004dc8d63c6e9d0084e8fcfe952fad9a0b2355593dfdb8aab585ef3d74e9f3 |
| SHA512 | 5fb793b239795ffee051cade8464c0c98881c3ac4206dd671e8ea41f2ca9e4c06d0b368dcf5eeaaee62d23510a5e81a251dc282e49a025b9682e40cac0b9ed4d |
C:\Users\Admin\AppData\Roaming\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js
| MD5 | 8c7d90878061ce94f70b41a3d2678379 |
| SHA1 | 7d08d5be9c64a49ccfeeb14aee806cb017d941db |
| SHA256 | d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13 |
| SHA512 | e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792 |