Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
124s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
10/04/2024, 13:31 UTC
Behavioral task
behavioral1
Sample
eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe
Resource
win10v2004-20231215-en
General
-
Target
eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
eb2dc97b86abd7f3d293b293af6318b8
-
SHA1
4363a1620081f7d9746c06249da8c905256e0e8b
-
SHA256
359b7aac21c1fadee0fe85c96d85eecb3d3d95e30efb03ba3595cc428ff942b5
-
SHA512
d91862af96f783d6e8f793aa13266920e90916f24720a9bffc374a312363ac174f5efe195f804849784609a07fd7ec240aca37a7f740d8ec593459875568ac9f
-
SSDEEP
49152:Br+4IMlzSsk7acakLz0ibq6yqhhubDY0CgOnQvEn0bcakLz0ibq6yqh:Br+4IMlzo7acakcibiqhMbMgOn7n0bcH
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2816 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2816 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/3236-0-0x0000000000400000-0x000000000065C000-memory.dmp upx behavioral2/files/0x0009000000023212-12.dat upx behavioral2/memory/2816-14-0x0000000000400000-0x000000000065C000-memory.dmp upx -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 13 pastebin.com -
Program crash 18 IoCs
pid pid_target Process procid_target 3328 2816 WerFault.exe 86 4192 2816 WerFault.exe 86 1988 2816 WerFault.exe 86 4560 2816 WerFault.exe 86 3848 2816 WerFault.exe 86 4836 2816 WerFault.exe 86 4196 2816 WerFault.exe 86 4184 2816 WerFault.exe 86 2468 2816 WerFault.exe 86 4292 2816 WerFault.exe 86 2252 2816 WerFault.exe 86 4676 2816 WerFault.exe 86 3364 2816 WerFault.exe 86 1972 2816 WerFault.exe 86 4164 2816 WerFault.exe 86 2436 2816 WerFault.exe 86 3124 2816 WerFault.exe 86 5004 2816 WerFault.exe 86 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4212 schtasks.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3236 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 3236 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 2816 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3236 wrote to memory of 2816 3236 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 86 PID 3236 wrote to memory of 2816 3236 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 86 PID 3236 wrote to memory of 2816 3236 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 86 PID 2816 wrote to memory of 4212 2816 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 87 PID 2816 wrote to memory of 4212 2816 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 87 PID 2816 wrote to memory of 4212 2816 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 87 PID 2816 wrote to memory of 2056 2816 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 89 PID 2816 wrote to memory of 2056 2816 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 89 PID 2816 wrote to memory of 2056 2816 eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe 89 PID 2056 wrote to memory of 4592 2056 cmd.exe 91 PID 2056 wrote to memory of 4592 2056 cmd.exe 91 PID 2056 wrote to memory of 4592 2056 cmd.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Users\Admin\AppData\Local\Temp\eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\eb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe" /TN qPTTkyZ9c33c /F3⤵
- Creates scheduled task(s)
PID:4212
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c schtasks.exe /Query /XML /TN qPTTkyZ9c33c > C:\Users\Admin\AppData\Local\Temp\WwoNe3D.xml3⤵
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Query /XML /TN qPTTkyZ9c33c4⤵PID:4592
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 6163⤵
- Program crash
PID:3328
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 6363⤵
- Program crash
PID:4192
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 6443⤵
- Program crash
PID:1988
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 6443⤵
- Program crash
PID:4560
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 7283⤵
- Program crash
PID:3848
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 8203⤵
- Program crash
PID:4836
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 14843⤵
- Program crash
PID:4196
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 19243⤵
- Program crash
PID:4184
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 21483⤵
- Program crash
PID:2468
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 21083⤵
- Program crash
PID:4292
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 19403⤵
- Program crash
PID:2252
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 21723⤵
- Program crash
PID:4676
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 19243⤵
- Program crash
PID:3364
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 19323⤵
- Program crash
PID:1972
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 19283⤵
- Program crash
PID:4164
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 21363⤵
- Program crash
PID:2436
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 19883⤵
- Program crash
PID:3124
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 7123⤵
- Program crash
PID:5004
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2816 -ip 28161⤵PID:4364
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2816 -ip 28161⤵PID:732
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2816 -ip 28161⤵PID:3936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2816 -ip 28161⤵PID:924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2816 -ip 28161⤵PID:4276
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 28161⤵PID:4088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2816 -ip 28161⤵PID:1868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2816 -ip 28161⤵PID:684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2816 -ip 28161⤵PID:3096
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2816 -ip 28161⤵PID:1184
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2816 -ip 28161⤵PID:376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2816 -ip 28161⤵PID:4008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2816 -ip 28161⤵PID:3912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2816 -ip 28161⤵PID:4632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2816 -ip 28161⤵PID:3836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2816 -ip 28161⤵PID:2932
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2816 -ip 28161⤵PID:2124
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2816 -ip 28161⤵PID:5016
Network
-
Remote address:8.8.8.8:53Request79.121.231.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestpastebin.comIN AResponsepastebin.comIN A104.20.68.143pastebin.comIN A104.20.67.143pastebin.comIN A172.67.34.170
-
Remote address:8.8.8.8:53Requestcutit.orgIN AResponsecutit.orgIN A64.91.240.248
-
Remote address:64.91.240.248:443RequestGET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: cutit.org
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 1924
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Request140.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request143.68.20.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request248.240.91.64.in-addr.arpaIN PTRResponse248.240.91.64.in-addr.arpaIN PTRcrocodile parklogiccom
-
Remote address:8.8.8.8:53Request11.97.55.23.in-addr.arpaIN PTRResponse11.97.55.23.in-addr.arpaIN PTRa23-55-97-11deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request171.101.63.23.in-addr.arpaIN PTRResponse171.101.63.23.in-addr.arpaIN PTRa23-63-101-171deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request150.1.37.23.in-addr.arpaIN PTRResponse150.1.37.23.in-addr.arpaIN PTRa23-37-1-150deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTR
-
190 B 132 B 4 3
-
64.91.240.248:443https://cutit.org/oxgBRtls, httpeb2dc97b86abd7f3d293b293af6318b8_JaffaCakes118.exe1.2kB 5.7kB 15 10
HTTP Request
GET https://cutit.org/oxgBRHTTP Response
200
-
72 B 158 B 1 1
DNS Request
79.121.231.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
58 B 106 B 1 1
DNS Request
pastebin.com
DNS Response
104.20.68.143104.20.67.143172.67.34.170
-
55 B 71 B 1 1
DNS Request
cutit.org
DNS Response
64.91.240.248
-
72 B 158 B 1 1
DNS Request
140.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
143.68.20.104.in-addr.arpa
-
72 B 109 B 1 1
DNS Request
248.240.91.64.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
11.97.55.23.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
171.101.63.23.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
150.1.37.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
144 B 158 B 2 1
DNS Request
30.243.111.52.in-addr.arpa
DNS Request
30.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5690d15dea1ad9d200f66870111a543eb
SHA13e35604df5b7d553fb4e0144a5afaa96ce902136
SHA256e721d8dea366fe01a4ba3652acbd525d2f9a23a327aa8bc716a74f3ff0624251
SHA512469ffa7dd8f12ad8d996dc7a6b2026540532634b6a40d2df9aab833bea33b7f4eac08f59655670f039b3a8ab955ba1ecb374df55481cea159668e076d951fc7c
-
Filesize
2.0MB
MD5bb2742e2c87e65afc4675b0f054f2b02
SHA15045ef96cc3eae32ee3d53a55bcbef957f3b731e
SHA2561f91b1280d3e7ef258615274210205c136a52ae2eed8f1d4cb605f6e15636139
SHA5125659ab1330d41ac9dbc162e433d11aa2b01e112274bbad343ad60ded068f0cf366720b61504e9b0552bc090bc7dc868245d5e11a1a8c4d682c773a6a091bdfb3