ee87c0206a3a229a610280d097f30597f79e93d1c74ede9a1b2b86e7afe0a164

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 05:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe
Size

317KB
MD5

fe914e545e6619379b586976da83ff8c
SHA1

593071e1859d8d3ead7c12618996eddfe4aa763b
SHA256

ee87c0206a3a229a610280d097f30597f79e93d1c74ede9a1b2b86e7afe0a164
SHA512

a6af73bc62daa09921de203a17277e8ffdd9155f3ff575feb09c23fe78e4056540672143979122297d8512a80604b9719da252b58c8a38addf343e1988bf3dc7
SSDEEP

6144:93+W3HxuuQagkTj9hBhf+q/R+eDDyVMKOKhWKO9POgVxiarcEqh9D1m:ceHx19g2jfBNWrVtOIWHPR+Eco

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4264	oOcLlDh07003.exe

Executes dropped EXE 1 IoCs

pid	Process
4264	oOcLlDh07003.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3016-2-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-4-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-5-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-6-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-19-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-20-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-23-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-24-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-31-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-32-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-35-0x0000000000400000-0x00000000004B4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oOcLlDh07003 = "C:\\ProgramData\\oOcLlDh07003\\oOcLlDh07003.exe"	oOcLlDh07003.exe

Program crash 27 IoCs

pid	pid_target	Process	procid_target
116	3016	WerFault.exe	91
2940	4264	WerFault.exe	92
4424	3016	WerFault.exe	91
3112	4264	WerFault.exe	92
4792	3016	WerFault.exe	91
4828	4264	WerFault.exe	92
1384	3016	WerFault.exe	91
3784	4264	WerFault.exe	92
2656	3016	WerFault.exe	91
2976	4264	WerFault.exe	92
1148	3016	WerFault.exe	91
4992	4264	WerFault.exe	92
3484	3016	WerFault.exe	91
1728	4264	WerFault.exe	92
4868	3016	WerFault.exe	91
3980	3016	WerFault.exe	91
4792	4264	WerFault.exe	92
2804	4264	WerFault.exe	92
404	3016	WerFault.exe	91
2656	4264	WerFault.exe	92
1708	4264	WerFault.exe	92
1860	4264	WerFault.exe	92
4220	4264	WerFault.exe	92
1144	4264	WerFault.exe	92
2436	4264	WerFault.exe	92
232	4264	WerFault.exe	92
2800	4264	WerFault.exe	92

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe
Token: SeDebugPrivilege	4264	oOcLlDh07003.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4264	oOcLlDh07003.exe
4264	oOcLlDh07003.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4264	oOcLlDh07003.exe
4264	oOcLlDh07003.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4264	oOcLlDh07003.exe
4264	oOcLlDh07003.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4264	3016	fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe	92
PID 3016 wrote to memory of 4264	3016	fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe	92
PID 3016 wrote to memory of 4264	3016	fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\ProgramData\oOcLlDh07003\oOcLlDh07003.exe
  "C:\ProgramData\oOcLlDh07003\oOcLlDh07003.exe" "C:\Users\Admin\AppData\Local\Temp\fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 764
    3⤵
    - Program crash
    PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 772
    3⤵
    - Program crash
    PID:3112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 796
    3⤵
    - Program crash
    PID:4828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 804
    3⤵
    - Program crash
    PID:3784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 928
    3⤵
    - Program crash
    PID:2976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1000
    3⤵
    - Program crash
    PID:4992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1080
    3⤵
    - Program crash
    PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1224
    3⤵
    - Program crash
    PID:4792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1408
    3⤵
    - Program crash
    PID:2804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1620
    3⤵
    - Program crash
    PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1628
    3⤵
    - Program crash
    PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1656
    3⤵
    - Program crash
    PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1632
    3⤵
    - Program crash
    PID:4220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1692
    3⤵
    - Program crash
    PID:1144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1804
    3⤵
    - Program crash
    PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1824
    3⤵
    - Program crash
    PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 788
    3⤵
    - Program crash
    PID:2800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 620
  2⤵
  - Program crash
  PID:116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 788
  2⤵
  - Program crash
  PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 796
  2⤵
  - Program crash
  PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 840
  2⤵
  - Program crash
  PID:1384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 848
  2⤵
  - Program crash
  PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1008
  2⤵
  - Program crash
  PID:1148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1048
  2⤵
  - Program crash
  PID:3484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1200
  2⤵
  - Program crash
  PID:4868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 640
  2⤵
  - Program crash
  PID:3980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 140
  2⤵
  - Program crash
  PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3016 -ip 3016
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4264 -ip 4264
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3016 -ip 3016
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4264 -ip 4264
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3016 -ip 3016
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4264 -ip 4264
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3016 -ip 3016
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4264 -ip 4264
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3016 -ip 3016
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4264 -ip 4264
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3016 -ip 3016
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4264 -ip 4264
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3016 -ip 3016
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4264 -ip 4264
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3016 -ip 3016
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3016 -ip 3016
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4264 -ip 4264
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4264 -ip 4264
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3016 -ip 3016
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4264 -ip 4264
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4264 -ip 4264
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4264 -ip 4264
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4264 -ip 4264
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4264 -ip 4264
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4264 -ip 4264
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4264 -ip 4264
1⤵
PID:728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4264 -ip 4264
1⤵
PID:2000

Network

DNS

81.171.91.138.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.171.91.138.in-addr.arpa

IN PTR

Response
DNS

81.171.91.138.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.171.91.138.in-addr.arpa

IN PTR
DNS

18.24.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.24.18.2.in-addr.arpa

IN PTR

Response

18.24.18.2.in-addr.arpa

IN PTR

a2-18-24-18deploystaticakamaitechnologiescom
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

chromewebstore.googleapis.com

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN A

Response

chromewebstore.googleapis.com

IN A

142.250.187.234

chromewebstore.googleapis.com

IN A

142.250.178.10

chromewebstore.googleapis.com

IN A

172.217.16.234

chromewebstore.googleapis.com

IN A

142.250.200.10

chromewebstore.googleapis.com

IN A

142.250.200.42

chromewebstore.googleapis.com

IN A

216.58.201.106

chromewebstore.googleapis.com

IN A

216.58.204.74

chromewebstore.googleapis.com

IN A

216.58.213.10

chromewebstore.googleapis.com

IN A

216.58.212.234

chromewebstore.googleapis.com

IN A

172.217.169.74

chromewebstore.googleapis.com

IN A

142.250.179.234

chromewebstore.googleapis.com

IN A

142.250.180.10

chromewebstore.googleapis.com

IN A

142.250.187.202
DNS

chromewebstore.googleapis.com

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN Unknown

Response
DNS

pki.goog

Remote address:

8.8.8.8:53

Request

pki.goog

IN A

Response

pki.goog

IN A

216.239.32.29
DNS

pki.goog

Remote address:

8.8.8.8:53

Request

pki.goog

IN Unknown

Response
GET

http://pki.goog/gsr1/gsr1.crt

Remote address:

216.239.32.29:80

Request

GET /gsr1/gsr1.crt HTTP/1.1
Host: pki.goog
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Encoding: gzip
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 797
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 21 Apr 2024 05:30:02 GMT
Expires: Sun, 21 Apr 2024 06:20:02 GMT
Cache-Control: public, max-age=3000
Age: 791
Last-Modified: Wed, 20 May 2020 16:45:00 GMT
Content-Type: application/pkix-cert
Vary: Accept-Encoding
GET

http://pki.goog/repo/certs/gtsr1.der

Remote address:

216.239.32.29:80

Request

GET /repo/certs/gtsr1.der HTTP/1.1
Host: pki.goog
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1371
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 21 Apr 2024 05:38:34 GMT
Expires: Sun, 21 Apr 2024 06:28:34 GMT
Cache-Control: public, max-age=3000
Age: 279
Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
Content-Type: application/pkix-cert
Vary: Accept-Encoding
GET

http://pki.goog/repo/certs/gts1c3.der

Remote address:

216.239.32.29:80

Request

GET /repo/certs/gts1c3.der HTTP/1.1
Host: pki.goog
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Encoding: gzip
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1304
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 21 Apr 2024 04:55:54 GMT
Expires: Sun, 21 Apr 2024 05:45:54 GMT
Cache-Control: public, max-age=3000
Age: 2839
Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
Content-Type: application/pkix-cert
Vary: Accept-Encoding
DNS

234.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.187.250.142.in-addr.arpa

IN PTR

Response

234.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f101e100net
DNS

29.32.239.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.32.239.216.in-addr.arpa

IN PTR

Response

29.32.239.216.in-addr.arpa

IN PTR

any-in-201d1e100net
DNS

29.32.239.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.32.239.216.in-addr.arpa

IN PTR
DNS

25.24.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.24.18.2.in-addr.arpa

IN PTR

Response

25.24.18.2.in-addr.arpa

IN PTR

a2-18-24-25deploystaticakamaitechnologiescom
DNS

25.24.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.24.18.2.in-addr.arpa

IN PTR
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR
DNS

211.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.143.182.52.in-addr.arpa

IN PTR

Response

91.193.194.40:80

oOcLlDh07003.exe

260 B
200 B
5
5
91.193.194.40:80

fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe

260 B
200 B
5
5
91.193.194.40:80

fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe

260 B
200 B
5
5
91.193.194.40:80

fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe

260 B
200 B
5
5
13.107.253.64:443

46 B
40 B
1
1
142.250.187.234:443

chromewebstore.googleapis.com

tls

909 B
5.2kB
8
8
216.239.32.29:80

http://pki.goog/repo/certs/gts1c3.der

http

1.3kB
6.1kB
10
9

HTTP Request

GET http://pki.goog/gsr1/gsr1.crt

HTTP Response

200

HTTP Request

GET http://pki.goog/repo/certs/gtsr1.der

HTTP Response

200

HTTP Request

GET http://pki.goog/repo/certs/gts1c3.der

HTTP Response

200

8.8.8.8:53

81.171.91.138.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

81.171.91.138.in-addr.arpa

DNS Request

81.171.91.138.in-addr.arpa
8.8.8.8:53

18.24.18.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

18.24.18.2.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

209.205.72.20.in-addr.arpa

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

56.126.166.20.in-addr.arpa

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

chromewebstore.googleapis.com

dns

75 B
283 B
1
1

DNS Request

chromewebstore.googleapis.com

DNS Response

142.250.187.234

142.250.178.10

172.217.16.234

142.250.200.10

142.250.200.42

216.58.201.106

216.58.204.74

216.58.213.10

216.58.212.234

172.217.169.74

142.250.179.234

142.250.180.10

142.250.187.202
8.8.8.8:53

chromewebstore.googleapis.com

dns

75 B
132 B
1
1

DNS Request

chromewebstore.googleapis.com
8.8.8.8:53

pki.goog

dns

54 B
70 B
1
1

DNS Request

pki.goog

DNS Response

216.239.32.29
8.8.8.8:53

pki.goog

dns

54 B
128 B
1
1

DNS Request

pki.goog
8.8.8.8:53

234.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

234.187.250.142.in-addr.arpa
8.8.8.8:53

29.32.239.216.in-addr.arpa

dns

144 B
107 B
2
1

DNS Request

29.32.239.216.in-addr.arpa

DNS Request

29.32.239.216.in-addr.arpa
8.8.8.8:53

25.24.18.2.in-addr.arpa

dns

138 B
131 B
2
1

DNS Request

25.24.18.2.in-addr.arpa

DNS Request

25.24.18.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

222 B
128 B
3
1

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

211.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

211.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oOcLlDh07003\oOcLlDh07003.exe

Filesize
317KB

MD5
ee7a40cd1e4e0aa949c6d633e08b9f7c

SHA1
f207188eaaf42442f62b5dd451fb461288918935

SHA256
9950dcab6b2cc7083296a467a171416917e6dbcc9b85ef892cd07c1866e6990e

SHA512
20cf86e3b0dfb06d85f1cd9e661bdc0ef0967e45398498a52515abad2101eddd4794df306173ae774f33e75b24c23d28afa88c71e000e99bf5e6020f93e6fd5a

Download Submit
memory/3016-4-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-23-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-0-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-5-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-6-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-1-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3016-31-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-2-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-19-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-20-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-24-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-15-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-32-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-35-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.