Analysis
- max time kernel: 134s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 00:04
Static task: static1
Behavioral task: behavioral1
  Sample: 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
- Target: 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
- Size: 2.2MB
- MD5: 31b9bfaea5d5497f00a7c0ab00d0e47f
- SHA1: e1862fc7f0643badedc40332254325fdb4f6f78e
- SHA256: 91f4ead9870c82ed4bb9b4759ec52c0a083c149ca027337de8680cb0a3363a05
- SHA512: 166bf4cd09e846b59db7c27a79cc9c7e202cb9ed65788c02cd024072218bb9d7e8775dbdc03b424b2abe8f5776eca980c2e629192dd06992969c17a37fa3e339
- SSDEEP: 49152:lpVtsGrf3UcISmuAM5MnM5WaibBrRqxhgqGJ+w8+Tn+rYTgF:lJRJ5XRibsy+wPnGn
Malware Config
Extracted (azorult): http://b-cointrade.com/sti/gate.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk | lsssa.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  3944 | lsssa.exe
  2660 | winIogon.exe
  1560 | lsssa.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | lsssa.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | lsssa.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2808 set thread context of 4212 | 2808 | 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe | 85
  PID 3944 set thread context of 1560 | 3944 | lsssa.exe | 89
  PID 2660 set thread context of 688 | 2660 | winIogon.exe | 90
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2968 | 1560 | WerFault.exe | 89
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  2808 | 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe (3 entries)
  3944 | lsssa.exe (3 entries)
  2660 | winIogon.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2808 | 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
  Token: SeDebugPrivilege | 3944 | lsssa.exe
  Token: SeDebugPrivilege | 2660 | winIogon.exe
- Suspicious use of WriteProcessMemory (44 IoCs; the report repeats each source/target pair several times, collapsed here to one row per pair)
  description | pid | Process | procid_target
  PID 2808 wrote to memory of 2600 | 2808 | 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe | 83
  PID 2808 wrote to memory of 3124 | 2808 | 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe | 84
  PID 2808 wrote to memory of 4212 | 2808 | 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe | 85
  PID 4212 wrote to memory of 3944 | 4212 | 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe | 87
  PID 4212 wrote to memory of 2660 | 4212 | 31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe | 88
  PID 3944 wrote to memory of 1560 | 3944 | lsssa.exe | 89
  PID 2660 wrote to memory of 688 | 2660 | winIogon.exe | 90
  PID 1560 wrote to memory of 1156 | 1560 | lsssa.exe | 92
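The three SetThreadContext rows, read together with the WriteProcessMemory rows, are what separate the hollowing steps (2808 into 4212, 3944 into 1560, 2660 into 688) from ordinary process creation, which also writes into the new child: 4212 writes into 3944 and 2660 but never touches their thread contexts, and those two are plain spawns of the dropped files. 1560 writes into 1156 (svchost.exe -k) with no SetThreadContext following, and 1560 is the process WerFault reports crashing, so that chain stops there. 688's image path is SysWOW64\svchost.exe although its command line names System32, which is the file-system redirection a 32-bit parent gets under WOW64. The dropped names lsssa.exe, winIogon.exe (capital I for l) and ctfmon.lnk imitate lsass.exe, winlogon.exe and ctfmon.exe. The Python below is an added example, not code from the report or from any sandbox vendor: it rebuilds the process and event tables from this report as constructed input, assumes the short reference list of Windows process names embedded in it, and returns the hollowing pairs and the name-masquerade matches.

```python
"""Added example: reconstruct the hollowing chain and flag masquerading file
names from the IoC tables of this report. Not part of the original report."""

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed from the report's process tree: pid -> (image path, parent pid).
PROCESSES = {
    2808: (SAMPLE, None),
    2600: (SAMPLE, 2808),
    3124: (SAMPLE, 2808),
    4212: (SAMPLE, 2808),
    3944: (TEMP + r"\lsssa.exe", 4212),
    1560: (TEMP + r"\lsssa.exe", 3944),
    1156: (r"C:\Windows\system32\svchost.exe", 1560),
    2660: (TEMP + r"\winIogon.exe", 4212),
    688: (r"C:\Windows\SysWOW64\svchost.exe", 2660),
}

# Constructed from the WriteProcessMemory / SetThreadContext IoC tables as
# (api, source pid, target pid); the report's repeated rows are collapsed.
EVENTS = [
    ("WriteProcessMemory", 2808, 2600),
    ("WriteProcessMemory", 2808, 3124),
    ("WriteProcessMemory", 2808, 4212),
    ("SetThreadContext", 2808, 4212),
    ("WriteProcessMemory", 4212, 3944),
    ("WriteProcessMemory", 4212, 2660),
    ("WriteProcessMemory", 3944, 1560),
    ("SetThreadContext", 3944, 1560),
    ("WriteProcessMemory", 2660, 688),
    ("SetThreadContext", 2660, 688),
    ("WriteProcessMemory", 1560, 1156),
]

# Files the sample wrote, from "Executes dropped EXE" and "Drops startup file".
DROPPED = [TEMP + r"\lsssa.exe", TEMP + r"\winIogon.exe", STARTUP + r"\ctfmon.lnk"]

# Assumed reference list of Windows process names worth impersonating.
SYSTEM_NAMES = ["lsass.exe", "winlogon.exe", "svchost.exe", "csrss.exe",
                "services.exe", "explorer.exe", "ctfmon.exe", "conhost.exe"]


def find_hollowing(events):
    """Return (injector, target) pairs where the injector both wrote into the
    target and reset a thread context in it. A write on its own is weak
    evidence because CreateProcess writes into every new child."""
    writes, contexts = set(), set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes.add((src, dst))
        elif api == "SetThreadContext":
            contexts.add((src, dst))
    return sorted(writes & contexts)


def describe_hollowing(processes, events):
    """Annotate each hollowing pair with the attributes a detection would key on."""
    findings = []
    for src, dst in find_hollowing(events):
        src_img, dst_img = processes[src][0], processes[dst][0]
        findings.append({
            "injector": src,
            "target": dst,
            "target_image": basename(dst_img),
            # self-hollowing: a fresh copy of the injector's own image
            "same_image": src_img.lower() == dst_img.lower(),
            # user-writable injector into a Windows binary is the strongest signal
            "user_path_into_system_binary": "\\appdata\\" in src_img.lower()
            and dst_img.lower().startswith("c:\\windows\\"),
        })
    return findings


def basename(path):
    return path.rsplit("\\", 1)[-1]


def stem(path):
    return basename(path).rsplit(".", 1)[0]


def fold(name):
    """Fold homoglyphs before comparing: capital I and digit 1 read as l and
    digit 0 as o in most UI fonts, so "winIogon" renders like "winlogon"."""
    return name.lower().translate(str.maketrans({"i": "l", "1": "l", "0": "o"}))


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade(path, reference=SYSTEM_NAMES, max_distance=2):
    """Return (closest system name, distance) when the file's stem is within
    max_distance of a Windows process name after folding, else None. Stems are
    compared so that ctfmon.lnk in the Startup folder matches ctfmon.exe."""
    s = fold(stem(path))
    best = min(reference, key=lambda r: levenshtein(s, fold(stem(r))))
    d = levenshtein(s, fold(stem(best)))
    return (best, d) if d <= max_distance else None


def masquerades(paths):
    return {basename(p): masquerade(p) for p in paths if masquerade(p)}


if __name__ == "__main__":
    for finding in describe_hollowing(PROCESSES, EVENTS):
        print(finding)
    print(masquerades(DROPPED))
```

Run as a script it prints the three hollowing pairs and the three masquerade matches; the only pair scored as user path into system binary is winIogon.exe (2660) into svchost.exe (688), which is the one a rule should fire on first.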
Processes (leading number = depth in the process tree)
1 C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe"
  PID: 2808
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  2 C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe"
    PID: 2600
  2 C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe"
    PID: 3124
  2 C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe"
    PID: 4212
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    3 C:\Users\Admin\AppData\Local\Temp\lsssa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\lsssa.exe"
      PID: 3944
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      4 C:\Users\Admin\AppData\Local\Temp\lsssa.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\lsssa.exe"
        PID: 1560
        - Drops startup file
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe -k
          PID: 1156
        5 C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1020
          PID: 2968
          - Program crash
    3 C:\Users\Admin\AppData\Local\Temp\winIogon.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\winIogon.exe"
      PID: 2660
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\System32\svchost.exe"
        PID: 688
1 C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1560 -ip 1560
  PID: 4708
Network
-
DNS 8.8.8.8:53
Request: 28.118.140.52.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: b-cointrade.com IN A
Response: (empty)
-
DNS 8.8.8.8:53
Request: 68.159.190.20.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: g.bing.com IN A
Response:
  g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
  g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
  dual-a-0034.a-msedge.net IN A 204.79.197.237
  dual-a-0034.a-msedge.net IN A 13.107.21.237
-
HTTP 204.79.197.237:443
URL: https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
Request:
GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2278401A70146C5F2E41546671AF6D8A; domain=.bing.com; expires=Thu, 05-Jun-2025 00:07:12 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3D9378CE8D6A4460B5BB13EDC33262DC Ref B: LON04EDGE0910 Ref C: 2024-05-11T00:07:12Z
date: Sat, 11 May 2024 00:07:11 GMT
-
HTTP 204.79.197.237:443
URL: https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
Request:
GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2278401A70146C5F2E41546671AF6D8A; _EDGE_S=SID=335DEBA4949468E50BCFFFD8953E697F
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=64i3sWN1g_wk5yJlUCbV2PbHeyD_r_bVX4XHSXTLgTk; domain=.bing.com; expires=Thu, 05-Jun-2025 00:07:12 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 28517192EB1B41CBBF55FE5B9D0CF6DF Ref B: LON04EDGE0910 Ref C: 2024-05-11T00:07:12Z
date: Sat, 11 May 2024 00:07:12 GMT
-
DNS 8.8.8.8:53
Request: 104.219.191.52.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: 237.197.79.204.in-addr.arpa IN PTR
Response: (empty)
-
HTTP 23.62.61.97:443
URL: https://www.bing.com/aes/c.gif?RG=5c1af5315b364c9c9432f8c23d99fb94&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131118Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
Request:
GET /aes/c.gif?RG=5c1af5315b364c9c9432f8c23d99fb94&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131118Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2278401A70146C5F2E41546671AF6D8A
Response:
HTTP/2.0 200
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 29B67B7E3806459AA5E31D04D02FFB09 Ref B: DUS30EDGE0719 Ref C: 2024-05-11T00:07:12Z
content-length: 0
date: Sat, 11 May 2024 00:07:12 GMT
set-cookie: _EDGE_S=SID=335DEBA4949468E50BCFFFD8953E697F; path=/; httponly; domain=bing.com
set-cookie: MUIDB=2278401A70146C5F2E41546671AF6D8A; path=/; httponly; expires=Thu, 05-Jun-2025 00:07:12 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1715386032.427ce5a
-
DNS 8.8.8.8:53
Request: 97.61.62.23.in-addr.arpa IN PTR
Response:
  97.61.62.23.in-addr.arpa IN PTR a23-62-61-97deploystaticakamaitechnologiescom
-
HTTP 23.62.61.97:443
URL: https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
Request:
GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=2278401A70146C5F2E41546671AF6D8A; _EDGE_S=SID=335DEBA4949468E50BCFFFD8953E697F; MSPTC=64i3sWN1g_wk5yJlUCbV2PbHeyD_r_bVX4XHSXTLgTk; MUIDB=2278401A70146C5F2E41546671AF6D8A
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Sat, 11 May 2024 00:07:14 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1715386034.427d039
-
DNS 8.8.8.8:53
Request: 88.156.103.20.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: 206.23.85.13.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: 183.59.114.20.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: 26.165.165.52.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: 31.251.17.2.in-addr.arpa IN PTR
Response:
  31.251.17.2.in-addr.arpa IN PTR a2-17-251-31deploystaticakamaitechnologiescom
-
DNS 8.8.8.8:53
Request: 77.190.18.2.in-addr.arpa IN PTR
Response:
  77.190.18.2.in-addr.arpa IN PTR a2-18-190-77deploystaticakamaitechnologiescom
-
DNS 8.8.8.8:53
Request: 21.236.111.52.in-addr.arpa IN PTR
Response: (empty)
-
DNS 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response:
  tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
  mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net
  dual-a-0001.a-msedge.net IN A 204.79.197.200
  dual-a-0001.a-msedge.net IN A 13.107.21.200
-
HTTP 204.79.197.200:443
URL: https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Request:
GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 499516
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1A4BA427B9FF4700AA5BBA9BEEF6AE43 Ref B: LON04EDGE1010 Ref C: 2024-05-11T00:08:48Z
date: Sat, 11 May 2024 00:08:48 GMT
-
HTTP 204.79.197.200:443
URL: https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Request:
GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 382817
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B6EB378D8BB242FE80C65194B8F92B19 Ref B: LON04EDGE1010 Ref C: 2024-05-11T00:08:48Z
date: Sat, 11 May 2024 00:08:48 GMT
-
HTTP 204.79.197.200:443
URL: https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Request:
GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 464243
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 94EDE73F3EFA4ACB88B0D927D6B4D348 Ref B: LON04EDGE1010 Ref C: 2024-05-11T00:08:48Z
date: Sat, 11 May 2024 00:08:48 GMT
-
HTTP 204.79.197.200:443
URL: https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Request:
GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 476246
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3828F7E97C5F49E4BB3BF3805D601813 Ref B: LON04EDGE1010 Ref C: 2024-05-11T00:08:48Z
date: Sat, 11 May 2024 00:08:48 GMT
-
Connections (remote address | URL | protocol | bytes sent | bytes received | packets sent | packets received)
204.79.197.237:443 | https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 | tls, http2 | 2.5kB | 9.0kB | 20 | 17
  HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 -> HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 -> HTTP Response: 204
-
23.62.61.97:443 | https://www.bing.com/aes/c.gif?RG=5c1af5315b364c9c9432f8c23d99fb94&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131118Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 | tls, http2 | 1.5kB | 5.4kB | 17 | 12
  HTTP Request: GET https://www.bing.com/aes/c.gif?RG=5c1af5315b364c9c9432f8c23d99fb94&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131118Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 -> HTTP Response: 200
-
23.62.61.97:443 | https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 | tls, http2 | 1.7kB | 6.4kB | 18 | 12
  HTTP Request: GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 -> HTTP Response: 200
204.79.197.200:443 | https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 | tls, http2 | 65.3kB | 1.9MB | 1377 | 1374
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 -> HTTP Response: 200
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 -> HTTP Response: 200
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 -> HTTP Response: 200
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 -> HTTP Response: 200
DNS flows (bytes sent | bytes received | packets sent | packets received | DNS request | DNS response)
72 B | 158 B | 1 | 1 | 28.118.140.52.in-addr.arpa |
74 B | 128 B | 1 | 1 | 172.210.232.199.in-addr.arpa |
61 B | 134 B | 1 | 1 | b-cointrade.com |
72 B | 158 B | 1 | 1 | 68.159.190.20.in-addr.arpa |
73 B | 144 B | 1 | 1 | 95.221.229.192.in-addr.arpa |
56 B | 151 B | 1 | 1 | g.bing.com | 204.79.197.237, 13.107.21.237
73 B | 147 B | 1 | 1 | 104.219.191.52.in-addr.arpa |
73 B | 143 B | 1 | 1 | 237.197.79.204.in-addr.arpa |
70 B | 133 B | 1 | 1 | 97.61.62.23.in-addr.arpa |
72 B | 158 B | 1 | 1 | 88.156.103.20.in-addr.arpa |
71 B | 145 B | 1 | 1 | 206.23.85.13.in-addr.arpa |
72 B | 158 B | 1 | 1 | 183.59.114.20.in-addr.arpa |
72 B | 146 B | 1 | 1 | 26.165.165.52.in-addr.arpa |
70 B | 133 B | 1 | 1 | 31.251.17.2.in-addr.arpa |
70 B | 133 B | 1 | 1 | 77.190.18.2.in-addr.arpa |
72 B | 158 B | 1 | 1 | 21.236.111.52.in-addr.arpa |
62 B | 173 B | 1 | 1 | tse1.mm.bing.net | 204.79.197.200, 13.107.21.200
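Most of the DNS activity above is not the sample's. The in-addr.arpa PTR queries are reverse lookups of the peer addresses seen during the run, and the bing.com and bing.net names belong to the requests carrying the WindowsShellClient user-agent in the HTTP log. The one lookup that is the sample's own is b-cointrade.com, the host from the extracted Azorult gate URL; its response carries no answer records, which is consistent with no request to gate.php appearing anywhere in the capture. The Python below is an added example, not part of the report or of any vendor tooling: it parses the report's flattened DNS lines, in which each record's data is glued to the next record's owner name, back into records, and buckets each query against the config URL. The four input lines are constructed copies of lines on this page; the bucketing rules are assumptions for illustration.

```python
"""Added example: parse the flattened DNS lines of this report and split the
sample's own lookup from sandbox and OS background traffic."""
import re
from urllib.parse import urlsplit

# Constructed input: four DNS lines copied from this report in the flattened
# form in which they appear (no separators between fields).
REPORT_DNS_LINES = [
    "Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Requestb-cointrade.comIN AResponse",
    "Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAME"
    "g-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAME"
    "dual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237"
    "dual-a-0034.a-msedge.netIN A13.107.21.237",
    "Remote address:8.8.8.8:53Request97.61.62.23.in-addr.arpaIN PTRResponse"
    "97.61.62.23.in-addr.arpaIN PTRa23-62-61-97deploystaticakamaitechnologiescom",
]
C2_GATE_URL = "http://b-cointrade.com/sti/gate.php"  # from the Malware Config section

LINE_RE = re.compile(
    r"^Remote address:(?P<server>[\d.]+):(?P<port>\d+)"
    r"Request(?P<qname>[^ ]+?)IN (?P<qtype>[A-Z]+)Response(?P<answers>.*)$")
RR_TYPE_RE = re.compile(r"IN (AAAA|A|CNAME|PTR)")  # AAAA before A so "IN AAAA" is not cut
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(.*)$")


def _split_chunk(chunk, rtype, known_owners):
    """The flattened form glues each record's rdata to the next record's owner
    name. Recover the boundary from what the record type tells us."""
    if rtype == "A":
        m = IPV4_RE.match(chunk)  # rdata is an IPv4 literal; the rest is the next owner
        if m:                     # (ambiguous only if the next owner starts with a digit)
            return m.group(1), m.group(2)
    half = len(chunk) // 2
    if len(chunk) % 2 == 0 and chunk[:half] == chunk[half:]:
        return chunk[:half], chunk[half:]  # CNAME chain: next owner == this target
    for owner in sorted(known_owners, key=len, reverse=True):
        if chunk.endswith(owner) and len(chunk) > len(owner):
            return chunk[: -len(owner)], owner
    return chunk, ""  # unrecognised layout: keep everything as rdata


def parse_dns_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a flattened DNS line: {line!r}")
    qname = m.group("qname")
    rec = {"server": f"{m.group('server')}:{m.group('port')}", "qname": qname,
           "qtype": m.group("qtype"), "answers": []}
    parts = RR_TYPE_RE.split(m.group("answers"))
    # parts = [owner0, type0, rdata0+owner1, type1, ..., typeN, rdataN]
    if len(parts) < 3:
        return rec  # empty Response: the resolver returned no answer records
    owner, known = parts[0], {qname}
    for i in range(1, len(parts), 2):
        rtype, chunk = parts[i], parts[i + 1]
        if i + 1 == len(parts) - 1:
            rdata, next_owner = chunk, ""  # last record: nothing glued after it
        else:
            rdata, next_owner = _split_chunk(chunk, rtype, known)
        rec["answers"].append((owner, rtype, rdata))
        if rtype == "CNAME":
            known.add(rdata)
        owner = next_owner or owner
    return rec


def classify(records, c2_url=C2_GATE_URL):
    """Bucket each lookup. Only the host from the extracted config counts as
    the sample's traffic; PTR queries are the sandbox resolving peers it saw,
    and the bing names belong to the Windows shell requests in the HTTP log."""
    c2_host = urlsplit(c2_url).hostname
    verdicts = {}
    for r in records:
        q = r["qname"]
        if r["qtype"] == "PTR" and q.endswith(".in-addr.arpa"):
            verdicts[q] = "sandbox reverse lookup"
        elif q == c2_host or q.endswith("." + c2_host):
            verdicts[q] = "C2 resolved" if r["answers"] else "C2 lookup, no answer"
        elif q.endswith((".bing.com", ".bing.net")):
            verdicts[q] = "Windows shell background traffic"
        else:
            verdicts[q] = "unclassified"
    return verdicts


def triage(lines=REPORT_DNS_LINES, c2_url=C2_GATE_URL):
    records = [parse_dns_line(l) for l in lines]
    return records, classify(records, c2_url)


if __name__ == "__main__":
    records, verdicts = triage()
    for r in records:
        print(r["qname"], r["qtype"], r["answers"])
    print(verdicts)
```

The PTR target in the last line is kept exactly as the page shows it (the extraction dropped the dots from a23-62-61-97.deploy.static.akamaitechnologies.com-style names); the parser does not try to restore them. The CNAME boundary rule relies on resolvers returning the chain in owner order, which holds for the g.bing.com and tse1.mm.bing.net answers on this page.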
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe.log
Filesize: 223B
MD5: 1cc4c5b51e50ec74a6880b50ecbee28b
SHA1: 1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba
SHA256: 0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b
SHA512: 5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706
-
Filesize: 836KB
MD5: 9b7565d601e2ab2c07ee754b642d39e8
SHA1: d4ffb12906f5e1d52c0e94586d57615c70d83c90
SHA256: d1f31cf808b1a1cd201672413b646c2a8c6a0ca9066011afcc2f145404ad0b90
SHA512: 816b268be5733a88b36a5f9c72b5ef9a8c5d4e25ea2d08b08c519276b13c74a399addcbb2cd76fe7fc12fe882a046c2ab16a16aba8ea033f5429512e2991fd04
-
Filesize: 781KB
MD5: d9355e3d79797a292e2d14aed3867711
SHA1: f16607467f566b8bb3f3747e5d3a96925d2d1f86
SHA256: 6776a1076067899c3646967e037309108d3f93e24c777f0a46caa1f7910eb72e
SHA512: ec30f650151370e0f0bab93c2edda0e8867e41bec2d132607fa164d88977a31cfbec4dc1e0d070ed6d46840d411316427dcdc18d3b0989a98dc8224294062c94