9f7e4ea5492dd376e55b15382ab65b5da329ec5e0d537354ae9f6cf0fb1107ba | Triage

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 12:59 UTC

Sharing

Report Analysis Logs

General

Target

12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe
Size

671KB
MD5

12d7ec2696055b372624b76562eb5dc4
SHA1

c75dc6c1cdb6fb02bbc14374b4e53e90ca76f486
SHA256

9f7e4ea5492dd376e55b15382ab65b5da329ec5e0d537354ae9f6cf0fb1107ba
SHA512

f56ba64912c618814980c5580f9fb7ff948ce273f4a904a063fa052b818020515a89de66a8d132f8cb891c5d8e2a02ede206ecb0dc6aba6c4ac88d78a6b294ea
SSDEEP

12288:SZJ7G1zskWtP44444ItPZkTKpPwHb/dgusOlMLSTQNirbCfrL6/:qJ7Uzj4yUo7Fdle8WIbCL6/

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4352	s7969.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	s7969.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s7969.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	s7969.exe
File opened for modification	C:\Windows\assembly	s7969.exe
File created	C:\Windows\assembly\Desktop.ini	s7969.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s7969.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s7969.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s7969.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s7969.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	s7969.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5076	12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe
5076	12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe
4352	s7969.exe
4352	s7969.exe
4352	s7969.exe
4352	s7969.exe
4352	s7969.exe
4352	s7969.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	s7969.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4352	s7969.exe
4352	s7969.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4352	5076	12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe	91
PID 5076 wrote to memory of 4352	5076	12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\n7969\s7969.exe
  "C:\Users\Admin\AppData\Local\Temp\n7969\s7969.exe" 3bcd294908a2f3d57a8e766ddk9mHzyY5IaqG7O9+EcNQBFZftzA+3MYWN11XBdc06U2+6lFl0mQlLYPh09YG+nLTzgRpjEvlgYNaS8Vofo2e4iEjJrsP7OOh6Y9EScv/tNGtYR795glBtJDDyD3Q223PbjUKfo+EJ9uDKuJexuNnf/pShb7AtDTnte5rJs= /v "C:\Users\Admin\AppData\Local\Temp\12d7ec2696055b372624b76562eb5dc4_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:800

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

ocsp.thawte.com

s7969.exe

Remote address:

8.8.8.8:53

Request

ocsp.thawte.com

IN A

Response

ocsp.thawte.com

IN CNAME

mpki-ocsp.digicert.com

mpki-ocsp.digicert.com

IN CNAME

fp3011.wpc.2be4.phicdn.net

fp3011.wpc.2be4.phicdn.net

IN CNAME

fp3011.wpc.phicdn.net

fp3011.wpc.phicdn.net

IN A

152.199.19.74
GET

http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

s7969.exe

Remote address:

152.199.19.74:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.thawte.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 398
Cache-Control: public, max-age=300
Content-Type: application/ocsp-response
Date: Sat, 04 May 2024 12:59:39 GMT
Last-Modified: Sat, 04 May 2024 12:53:01 GMT
Server: ECAcc (lhc/789F)
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 5
GET

http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

s7969.exe

Remote address:

152.199.19.74:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.thawte.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 398
Cache-Control: public, max-age=300
Content-Type: application/ocsp-response
Date: Sat, 04 May 2024 12:59:39 GMT
Last-Modified: Sat, 04 May 2024 12:53:01 GMT
Server: ECAcc (lhc/789F)
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 5
DNS

crl.thawte.com

s7969.exe

Remote address:

8.8.8.8:53

Request

crl.thawte.com

IN A

Response

crl.thawte.com

IN CNAME

crl-symcprod.digicert.com

crl-symcprod.digicert.com

IN CNAME

crl.edge.digicert.com

crl.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
GET

http://crl.thawte.com/ThawtePCA.crl

s7969.exe

Remote address:

192.229.221.95:80

Request

GET /ThawtePCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl.thawte.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 2030
Cache-Control: public, max-age=3600
Content-Type: application/pkix-crl
Date: Sat, 04 May 2024 12:59:39 GMT
Last-Modified: Sat, 04 May 2024 12:25:49 GMT
Server: ECAcc (lhd/35A2)
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 604
DNS

th.symcd.com

s7969.exe

Remote address:

8.8.8.8:53

Request

th.symcd.com

IN A

Response

th.symcd.com

IN CNAME

mpki-ocsp.digicert.com

mpki-ocsp.digicert.com

IN CNAME

fp3011.wpc.2be4.phicdn.net

fp3011.wpc.2be4.phicdn.net

IN CNAME

fp3011.wpc.phicdn.net

fp3011.wpc.phicdn.net

IN A

152.199.19.74
GET

http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEECqNOVbG8buVFmKDIPIEwQ%3D

s7969.exe

Remote address:

152.199.19.74:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEECqNOVbG8buVFmKDIPIEwQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: th.symcd.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 298
Cache-Control: public, max-age=86400
Content-Type: application/ocsp-response
Date: Sat, 04 May 2024 12:59:39 GMT
Last-Modified: Sat, 04 May 2024 12:54:41 GMT
Server: ECAcc (lhc/793B)
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1441
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

74.19.199.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.19.199.152.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

db028.northstar.api.socdn.com

s7969.exe

Remote address:

8.8.8.8:53

Request

db028.northstar.api.socdn.com

IN A

Response

db028.northstar.api.socdn.com

IN CNAME

615321.parkingcrew.net

615321.parkingcrew.net

IN A

13.248.148.254

615321.parkingcrew.net

IN A

76.223.26.96
GET

http://db028.northstar.api.socdn.com/installer/546080c1-1184-4854-a6e2-3aad0a000013/50038692/config

s7969.exe

Remote address:

13.248.148.254:80

Request

GET /installer/546080c1-1184-4854-a6e2-3aad0a000013/50038692/config HTTP/1.1
User-Agent: DownloadMR/3.1.40 (MSIE 9.11;Windows NT 6.3.9600.0;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;m=B660M GAMING X DDR4;u=Admin;northstar;ecc5fae7-eb08-a5f1-c1c2-79939fdf6c7f)
Accept-Language: en-US
Host: db028.northstar.api.socdn.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 04 May 2024 12:59:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_SB3C38iMKngPKIVjRCp0UMfWyULvxhUUwgrOLxVfNxHKL3Qf2sOOYirkGwjG07hg8nqv2XePdv8kQMlqZPmsfg==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Domain: socdn.com
X-Subdomain: db028.northstar.api
POST

http://db028.northstar.api.socdn.com/installer/546080c1-1184-4854-a6e2-3aad0a000013/50038692/event

s7969.exe

Remote address:

13.248.148.254:80

Request

POST /installer/546080c1-1184-4854-a6e2-3aad0a000013/50038692/event HTTP/1.1
User-Agent: DownloadMR/3.1.40 (MSIE 9.11;Windows NT 6.3.9600.0;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;m=B660M GAMING X DDR4;u=Admin;northstar;ecc5fae7-eb08-a5f1-c1c2-79939fdf6c7f)
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
Host: db028.northstar.api.socdn.com
Content-Length: 4128
Expect: 100-continue

Response

HTTP/1.1 403 Forbidden

Server: awselb/2.0
Date: Sat, 04 May 2024 12:59:55 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 138
Connection: keep-alive
DNS

254.148.248.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.148.248.13.in-addr.arpa

IN PTR

Response

254.148.248.13.in-addr.arpa

IN PTR

aba1c1ff9d2ec5376awsglobalacceleratorcom
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

142.53.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.53.16.96.in-addr.arpa

IN PTR

Response

142.53.16.96.in-addr.arpa

IN PTR

a96-16-53-142deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

78.239.69.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.239.69.13.in-addr.arpa

IN PTR

Response

152.199.19.74:80

http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

http

s7969.exe

785 B
912 B
6
4

HTTP Request

GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

HTTP Response

200

HTTP Request

GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

HTTP Response

200
192.229.221.95:80

http://crl.thawte.com/ThawtePCA.crl

http

s7969.exe

358 B
1.1kB
5
3

HTTP Request

GET http://crl.thawte.com/ThawtePCA.crl

HTTP Response

200
152.199.19.74:80

http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEECqNOVbG8buVFmKDIPIEwQ%3D

http

s7969.exe

463 B
2.0kB
5
4

HTTP Request

GET http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEECqNOVbG8buVFmKDIPIEwQ%3D

HTTP Response

200
13.248.148.254:80

http://db028.northstar.api.socdn.com/installer/546080c1-1184-4854-a6e2-3aad0a000013/50038692/event

http

s7969.exe

5.6kB
4.8kB
14
13

HTTP Request

GET http://db028.northstar.api.socdn.com/installer/546080c1-1184-4854-a6e2-3aad0a000013/50038692/config

HTTP Response

200

HTTP Request

POST http://db028.northstar.api.socdn.com/installer/546080c1-1184-4854-a6e2-3aad0a000013/50038692/event

HTTP Response

403

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

ocsp.thawte.com

dns

s7969.exe

61 B
175 B
1
1

DNS Request

ocsp.thawte.com

DNS Response

152.199.19.74
8.8.8.8:53

crl.thawte.com

dns

s7969.exe

60 B
200 B
1
1

DNS Request

crl.thawte.com

DNS Response

192.229.221.95
8.8.8.8:53

th.symcd.com

dns

s7969.exe

58 B
172 B
1
1

DNS Request

th.symcd.com

DNS Response

152.199.19.74
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

74.19.199.152.in-addr.arpa

dns

72 B
143 B
1
1

DNS Request

74.19.199.152.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

db028.northstar.api.socdn.com

dns

s7969.exe

75 B
143 B
1
1

DNS Request

db028.northstar.api.socdn.com

DNS Response

13.248.148.254

76.223.26.96
8.8.8.8:53

254.148.248.13.in-addr.arpa

dns

73 B
129 B
1
1

DNS Request

254.148.248.13.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

142.53.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

142.53.16.96.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

78.239.69.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

78.239.69.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n7969\s7969.exe

Filesize
350KB

MD5
fa6ed0f7848455d3f0929a2954f39c47

SHA1
41d67fd1285246b71a7ffb7b3b7debc0f71d3bbf

SHA256
f9cdc17ae98b92e4dd757e07dc7966d845cef242d549fdc0587e8e548062df46

SHA512
463ef43ec36dd5c65fab50312df35a647840db4b8aab779fdfebdb3988a36effedd6b6a91e4b8eb7f9b38f9989bd793a8b0ca64f292310caa1b71747ca1b0d92

Download Submit
memory/4352-12-0x00007FFAE95E5000-0x00007FFAE95E6000-memory.dmp

Filesize
4KB

Download
memory/4352-13-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-14-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-28-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

Filesize
64KB

Download
memory/4352-31-0x000000001C2A0000-0x000000001C76E000-memory.dmp

Filesize
4.8MB

Download
memory/4352-32-0x000000001BCD0000-0x000000001BD6C000-memory.dmp

Filesize
624KB

Download
memory/4352-33-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-34-0x000000001C870000-0x000000001C8D2000-memory.dmp

Filesize
392KB

Download
memory/4352-35-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-36-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-37-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/4352-38-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-39-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-40-0x00007FFAE95E5000-0x00007FFAE95E6000-memory.dmp

Filesize
4KB

Download
memory/4352-41-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-42-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-43-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-44-0x00000000200F0000-0x000000002022C000-memory.dmp

Filesize
1.2MB

Download
memory/4352-45-0x0000000020740000-0x0000000020C4E000-memory.dmp

Filesize
5.1MB

Download
memory/4352-46-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-47-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-48-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-49-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-50-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4352-52-0x00007FFAE9330000-0x00007FFAE9CD1000-memory.dmp

Filesize
9.6MB

Download