azorult | 3b56a17871edc0bbeaa64277877d4adeb1b3872e9e5e506e888244b13b3c374b

Analysis

max time kernel
132s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 23:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
Size

798KB
MD5

14ee6b16a392da9de8bbd6b0c029fbb1
SHA1

6a0a3d9f8ac115f025e06b7088450361c91aa28f
SHA256

3b56a17871edc0bbeaa64277877d4adeb1b3872e9e5e506e888244b13b3c374b
SHA512

d2008e3ab5c563cff6addd368da684a922b27227ac97f2e5491030d2217fc78bbc3ff1137b2540dbcd9ca0f9cfd2852bb390349f82e502ad0914ea261d586316
SSDEEP

12288:tavJZvPbM49HVaddrTFpivY5luc4a8RDk73W/kCHFpgZE9ev6vD1BWN:tavzvJ9HV8sY5ocz8RDf/7HFpgZE9hg

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Extracted

Family

azorult

http://avebx.gq/ff1/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Macromedia\\StikyNot.exe"	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99
PID 2540 wrote to memory of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99
PID 2540 wrote to memory of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99
PID 2540 wrote to memory of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99
PID 2540 wrote to memory of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99
PID 2540 wrote to memory of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99
PID 2540 wrote to memory of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99
PID 2540 wrote to memory of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99
PID 2540 wrote to memory of 4312	2540	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe"
  2⤵
  PID:4312

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=354C341D329B61AC15B62068332060A0; domain=.bing.com; expires=Thu, 29-May-2025 23:18:56 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 25893B2B058D472DAEF1A4863F18DE96 Ref B: LON04EDGE0922 Ref C: 2024-05-04T23:18:56Z
date: Sat, 04 May 2024 23:18:56 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=354C341D329B61AC15B62068332060A0

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=GwK330BNW6i5k9rKaVTd1DEQN25_OTmP1DPdfPmVQ3E; domain=.bing.com; expires=Thu, 29-May-2025 23:18:56 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2732A3E8CCED425682BDEBDA1CABF415 Ref B: LON04EDGE0922 Ref C: 2024-05-04T23:18:56Z
date: Sat, 04 May 2024 23:18:56 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=354C341D329B61AC15B62068332060A0; MSPTC=GwK330BNW6i5k9rKaVTd1DEQN25_OTmP1DPdfPmVQ3E

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BBBD7B4119E04219A45BA4637808BC40 Ref B: LON04EDGE0922 Ref C: 2024-05-04T23:18:56Z
date: Sat, 04 May 2024 23:18:56 GMT
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.97:443

Request

GET /th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=354C341D329B61AC15B62068332060A0; MSPTC=GwK330BNW6i5k9rKaVTd1DEQN25_OTmP1DPdfPmVQ3E
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1463
date: Sat, 04 May 2024 23:18:57 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1714864737.a364e6a
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

97.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.61.62.23.in-addr.arpa

IN PTR

Response

97.61.62.23.in-addr.arpa

IN PTR

a23-62-61-97deploystaticakamaitechnologiescom
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

avebx.gq

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

avebx.gq

IN A

Response
DNS

avebx.gq

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

avebx.gq

IN A

Response
DNS

49.15.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

49.15.97.104.in-addr.arpa

IN PTR

Response

49.15.97.104.in-addr.arpa

IN PTR

a104-97-15-49deploystaticakamaitechnologiescom
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 468637
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F9BD6CC655DA408CBEF5B4A7F2D22531 Ref B: LON04EDGE1014 Ref C: 2024-05-04T23:20:35Z
date: Sat, 04 May 2024 23:20:34 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 449656
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EFA39D1BBA704F4EA1DE8E100E21D543 Ref B: LON04EDGE1014 Ref C: 2024-05-04T23:20:35Z
date: Sat, 04 May 2024 23:20:34 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AEA5FE65609D41559DCC18B4D40E6D16 Ref B: LON04EDGE1014 Ref C: 2024-05-04T23:20:35Z
date: Sat, 04 May 2024 23:20:34 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3CF63C9CA001445F89B10129EA636154 Ref B: LON04EDGE1014 Ref C: 2024-05-04T23:20:35Z
date: Sat, 04 May 2024 23:20:34 GMT
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid=

tls, http2

2.0kB
9.2kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fae2b171ccd34cc98de23ee26157fa72&localId=w:46E47B74-24CC-2EFE-1CD6-2420DE88614A&deviceId=6896200266776642&anid=

HTTP Response

204
23.62.61.97:443

https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.7kB
18
13

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

77.7kB
2.2MB
1598
1594

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

97.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

97.61.62.23.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

avebx.gq

dns

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

54 B
127 B
1
1

DNS Request

avebx.gq
8.8.8.8:53

avebx.gq

dns

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

54 B
127 B
1
1

DNS Request

avebx.gq
8.8.8.8:53

49.15.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

49.15.97.104.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-0-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2540-3-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2540-10-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4312-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4312-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4312-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4312-12-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/4312-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.