Analysis

  • max time kernel
    134s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-05-2024 00:04

General

  • Target

    31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    31b9bfaea5d5497f00a7c0ab00d0e47f

  • SHA1

    e1862fc7f0643badedc40332254325fdb4f6f78e

  • SHA256

    91f4ead9870c82ed4bb9b4759ec52c0a083c149ca027337de8680cb0a3363a05

  • SHA512

    166bf4cd09e846b59db7c27a79cc9c7e202cb9ed65788c02cd024072218bb9d7e8775dbdc03b424b2abe8f5776eca980c2e629192dd06992969c17a37fa3e339

  • SSDEEP

    49152:lpVtsGrf3UcISmuAM5MnM5WaibBrRqxhgqGJ+w8+Tn+rYTgF:lJRJ5XRibsy+wPnGn

Malware Config

Extracted

Family

azorult

C2

http://b-cointrade.com/sti/gate.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (1 IoC)
  • Executes dropped EXE (3 IoCs)
  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe"
      2⤵
        PID:2600
      • C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe"
        2⤵
          PID:3124
        • C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4212
          • C:\Users\Admin\AppData\Local\Temp\lsssa.exe
            "C:\Users\Admin\AppData\Local\Temp\lsssa.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3944
            • C:\Users\Admin\AppData\Local\Temp\lsssa.exe
              "C:\Users\Admin\AppData\Local\Temp\lsssa.exe"
              4⤵
              • Drops startup file
              • Executes dropped EXE
              • Maps connected drives based on registry
              • Suspicious use of WriteProcessMemory
              PID:1560
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k
                5⤵
                  PID:1156
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1020
                  5⤵
                  • Program crash
                  PID:2968
            • C:\Users\Admin\AppData\Local\Temp\winIogon.exe
              "C:\Users\Admin\AppData\Local\Temp\winIogon.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2660
              • C:\Windows\SysWOW64\svchost.exe
                "C:\Windows\System32\svchost.exe"
                4⤵
                  PID:688
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1560 -ip 1560
            1⤵
              PID:4708

            Network

            • DNS (US)
              28.118.140.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              28.118.140.52.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              172.210.232.199.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              172.210.232.199.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              b-cointrade.com
              svchost.exe
              Remote address:
              8.8.8.8:53
              Request
              b-cointrade.com
              IN A
              Response
            • DNS (US)
              68.159.190.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              68.159.190.20.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              95.221.229.192.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              95.221.229.192.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              g.bing.com
              Remote address:
              8.8.8.8:53
              Request
              g.bing.com
              IN A
              Response
              g.bing.com
              IN CNAME
              g-bing-com.dual-a-0034.a-msedge.net
              g-bing-com.dual-a-0034.a-msedge.net
              IN CNAME
              dual-a-0034.a-msedge.net
              dual-a-0034.a-msedge.net
              IN A
              204.79.197.237
              dual-a-0034.a-msedge.net
              IN A
              13.107.21.237
            • GET (US)
              https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
              Remote address:
              204.79.197.237:443
              Request
              GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
              host: g.bing.com
              accept-encoding: gzip, deflate
              user-agent: WindowsShellClient/9.0.40929.0 (Windows)
              Response
              HTTP/2.0 204
              cache-control: no-cache, must-revalidate
              pragma: no-cache
              expires: Fri, 01 Jan 1990 00:00:00 GMT
              set-cookie: MUID=2278401A70146C5F2E41546671AF6D8A; domain=.bing.com; expires=Thu, 05-Jun-2025 00:07:12 GMT; path=/; SameSite=None; Secure; Priority=High;
              strict-transport-security: max-age=31536000; includeSubDomains; preload
              access-control-allow-origin: *
              x-cache: CONFIG_NOCACHE
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 3D9378CE8D6A4460B5BB13EDC33262DC Ref B: LON04EDGE0910 Ref C: 2024-05-11T00:07:12Z
              date: Sat, 11 May 2024 00:07:11 GMT
            • GET (US)
              https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
              Remote address:
              204.79.197.237:443
              Request
              GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
              host: g.bing.com
              accept-encoding: gzip, deflate
              user-agent: WindowsShellClient/9.0.40929.0 (Windows)
              cookie: MUID=2278401A70146C5F2E41546671AF6D8A; _EDGE_S=SID=335DEBA4949468E50BCFFFD8953E697F
              Response
              HTTP/2.0 204
              cache-control: no-cache, must-revalidate
              pragma: no-cache
              expires: Fri, 01 Jan 1990 00:00:00 GMT
              set-cookie: MSPTC=64i3sWN1g_wk5yJlUCbV2PbHeyD_r_bVX4XHSXTLgTk; domain=.bing.com; expires=Thu, 05-Jun-2025 00:07:12 GMT; path=/; Partitioned; secure; SameSite=None
              strict-transport-security: max-age=31536000; includeSubDomains; preload
              access-control-allow-origin: *
              x-cache: CONFIG_NOCACHE
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 28517192EB1B41CBBF55FE5B9D0CF6DF Ref B: LON04EDGE0910 Ref C: 2024-05-11T00:07:12Z
              date: Sat, 11 May 2024 00:07:12 GMT
            • DNS (US)
              104.219.191.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              104.219.191.52.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              237.197.79.204.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              237.197.79.204.in-addr.arpa
              IN PTR
              Response
            • GET (NL)
              https://www.bing.com/aes/c.gif?RG=5c1af5315b364c9c9432f8c23d99fb94&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131118Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
              Remote address:
              23.62.61.97:443
              Request
              GET /aes/c.gif?RG=5c1af5315b364c9c9432f8c23d99fb94&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131118Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
              host: www.bing.com
              accept-encoding: gzip, deflate
              user-agent: WindowsShellClient/9.0.40929.0 (Windows)
              cookie: MUID=2278401A70146C5F2E41546671AF6D8A
              Response
              HTTP/2.0 200
              cache-control: private,no-store
              pragma: no-cache
              vary: Origin
              p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 29B67B7E3806459AA5E31D04D02FFB09 Ref B: DUS30EDGE0719 Ref C: 2024-05-11T00:07:12Z
              content-length: 0
              date: Sat, 11 May 2024 00:07:12 GMT
              set-cookie: _EDGE_S=SID=335DEBA4949468E50BCFFFD8953E697F; path=/; httponly; domain=bing.com
              set-cookie: MUIDB=2278401A70146C5F2E41546671AF6D8A; path=/; httponly; expires=Thu, 05-Jun-2025 00:07:12 GMT
              alt-svc: h3=":443"; ma=93600
              x-cdn-traceid: 0.5d3d3e17.1715386032.427ce5a
            • DNS (US)
              97.61.62.23.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              97.61.62.23.in-addr.arpa
              IN PTR
              Response
              97.61.62.23.in-addr.arpa
              IN PTR
              a23-62-61-97.deploy.static.akamaitechnologies.com
            • GET (NL)
              https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
              Remote address:
              23.62.61.97:443
              Request
              GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
              host: www.bing.com
              accept: */*
              cookie: MUID=2278401A70146C5F2E41546671AF6D8A; _EDGE_S=SID=335DEBA4949468E50BCFFFD8953E697F; MSPTC=64i3sWN1g_wk5yJlUCbV2PbHeyD_r_bVX4XHSXTLgTk; MUIDB=2278401A70146C5F2E41546671AF6D8A
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-type: image/png
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              content-length: 1107
              date: Sat, 11 May 2024 00:07:14 GMT
              alt-svc: h3=":443"; ma=93600
              x-cdn-traceid: 0.5d3d3e17.1715386034.427d039
            • DNS (US)
              88.156.103.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              88.156.103.20.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              206.23.85.13.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              206.23.85.13.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              183.59.114.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              183.59.114.20.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              26.165.165.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              26.165.165.52.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              31.251.17.2.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              31.251.17.2.in-addr.arpa
              IN PTR
              Response
              31.251.17.2.in-addr.arpa
              IN PTR
              a2-17-251-31.deploy.static.akamaitechnologies.com
            • DNS (US)
              77.190.18.2.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              77.190.18.2.in-addr.arpa
              IN PTR
              Response
              77.190.18.2.in-addr.arpa
              IN PTR
              a2-18-190-77.deploy.static.akamaitechnologies.com
            • DNS (US)
              21.236.111.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              21.236.111.52.in-addr.arpa
              IN PTR
              Response
            • DNS (US)
              tse1.mm.bing.net
              Remote address:
              8.8.8.8:53
              Request
              tse1.mm.bing.net
              IN A
              Response
              tse1.mm.bing.net
              IN CNAME
              mm-mm.bing.net.trafficmanager.net
              mm-mm.bing.net.trafficmanager.net
              IN CNAME
              dual-a-0001.a-msedge.net
              dual-a-0001.a-msedge.net
              IN A
              204.79.197.200
              dual-a-0001.a-msedge.net
              IN A
              13.107.21.200
            • GET (US)
              https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
              Remote address:
              204.79.197.200:443
              Request
              GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
              host: tse1.mm.bing.net
              accept: */*
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-length: 499516
              content-type: image/jpeg
              x-cache: TCP_HIT
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 1A4BA427B9FF4700AA5BBA9BEEF6AE43 Ref B: LON04EDGE1010 Ref C: 2024-05-11T00:08:48Z
              date: Sat, 11 May 2024 00:08:48 GMT
            • GET (US)
              https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
              Remote address:
              204.79.197.200:443
              Request
              GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
              host: tse1.mm.bing.net
              accept: */*
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-length: 382817
              content-type: image/jpeg
              x-cache: TCP_HIT
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: B6EB378D8BB242FE80C65194B8F92B19 Ref B: LON04EDGE1010 Ref C: 2024-05-11T00:08:48Z
              date: Sat, 11 May 2024 00:08:48 GMT
            • GET (US)
              https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
              Remote address:
              204.79.197.200:443
              Request
              GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
              host: tse1.mm.bing.net
              accept: */*
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-length: 464243
              content-type: image/jpeg
              x-cache: TCP_HIT
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 94EDE73F3EFA4ACB88B0D927D6B4D348 Ref B: LON04EDGE1010 Ref C: 2024-05-11T00:08:48Z
              date: Sat, 11 May 2024 00:08:48 GMT
            • GET (US)
              https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
              Remote address:
              204.79.197.200:443
              Request
              GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
              host: tse1.mm.bing.net
              accept: */*
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-length: 476246
              content-type: image/jpeg
              x-cache: TCP_HIT
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 3828F7E97C5F49E4BB3BF3805D601813 Ref B: LON04EDGE1010 Ref C: 2024-05-11T00:08:48Z
              date: Sat, 11 May 2024 00:08:48 GMT
            • 204.79.197.237:443
              https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
              tls, http2
              2.5kB
              9.0kB
              20
              17

              HTTP Request

              GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

              HTTP Response

              204

              HTTP Request

              GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Q6gaN6iWji3FUdYlkNMC9jVUCUyrKRLzbcFy1vL58JwzePs0IhSmWr-YbwsUNFSr1_sqZ-D4Ac3nwM1shDWxF0-UMHnbp5iwtnjXibv_JJ0ZQK6VS4wvqec5Ny_J66AVUdDY3Pt0VT0LblIE9jz0ZE6wpKO1eqCGmzChLM-p9cIZ_-AE%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dcbe58035ad7913364a63e61e0aae3d2e&TIME=20240426T131118Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

              HTTP Response

              204
            • 23.62.61.97:443
              https://www.bing.com/aes/c.gif?RG=5c1af5315b364c9c9432f8c23d99fb94&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131118Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
              tls, http2
              1.5kB
              5.4kB
              17
              12

              HTTP Request

              GET https://www.bing.com/aes/c.gif?RG=5c1af5315b364c9c9432f8c23d99fb94&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131118Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

              HTTP Response

              200
            • 23.62.61.97:443
              https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
              tls, http2
              1.7kB
              6.4kB
              18
              12

              HTTP Request

              GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

              HTTP Response

              200
            • 52.111.227.11:443
              322 B
              7
            • 204.79.197.200:443
              tse1.mm.bing.net
              tls, http2
              1.2kB
              8.1kB
              16
              14
            • 204.79.197.200:443
              tse1.mm.bing.net
              tls, http2
              1.2kB
              8.1kB
              16
              14
            • 204.79.197.200:443
              https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
              tls, http2
              65.3kB
              1.9MB
              1377
              1374

              HTTP Request

              GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

              HTTP Request

              GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

              HTTP Request

              GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

              HTTP Request

              GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

              HTTP Response

              200

              HTTP Response

              200

              HTTP Response

              200

              HTTP Response

              200
            Each entry below lists destination, domain, protocol, process (where the report recorded one), bytes sent / bytes received, request and response counts, and the DNS exchange observed.

            • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  1.2kB sent / 8.1kB received  16 requests / 14 responses
            • 8.8.8.8:53  28.118.140.52.in-addr.arpa  dns  72 B sent / 158 B received  1 request / 1 response
              DNS Request: 28.118.140.52.in-addr.arpa
            • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B sent / 128 B received  1 request / 1 response
              DNS Request: 172.210.232.199.in-addr.arpa
            • 8.8.8.8:53  b-cointrade.com  dns  svchost.exe  61 B sent / 134 B received  1 request / 1 response
              DNS Request: b-cointrade.com
            • 8.8.8.8:53  68.159.190.20.in-addr.arpa  dns  72 B sent / 158 B received  1 request / 1 response
              DNS Request: 68.159.190.20.in-addr.arpa
            • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B sent / 144 B received  1 request / 1 response
              DNS Request: 95.221.229.192.in-addr.arpa
            • 8.8.8.8:53  g.bing.com  dns  56 B sent / 151 B received  1 request / 1 response
              DNS Request: g.bing.com
              DNS Response: 204.79.197.237, 13.107.21.237
            • 8.8.8.8:53  104.219.191.52.in-addr.arpa  dns  73 B sent / 147 B received  1 request / 1 response
              DNS Request: 104.219.191.52.in-addr.arpa
            • 8.8.8.8:53  237.197.79.204.in-addr.arpa  dns  73 B sent / 143 B received  1 request / 1 response
              DNS Request: 237.197.79.204.in-addr.arpa
            • 8.8.8.8:53  97.61.62.23.in-addr.arpa  dns  70 B sent / 133 B received  1 request / 1 response
              DNS Request: 97.61.62.23.in-addr.arpa
            • 8.8.8.8:53  88.156.103.20.in-addr.arpa  dns  72 B sent / 158 B received  1 request / 1 response
              DNS Request: 88.156.103.20.in-addr.arpa
            • 8.8.8.8:53  206.23.85.13.in-addr.arpa  dns  71 B sent / 145 B received  1 request / 1 response
              DNS Request: 206.23.85.13.in-addr.arpa
            • 8.8.8.8:53  183.59.114.20.in-addr.arpa  dns  72 B sent / 158 B received  1 request / 1 response
              DNS Request: 183.59.114.20.in-addr.arpa
            • 8.8.8.8:53  26.165.165.52.in-addr.arpa  dns  72 B sent / 146 B received  1 request / 1 response
              DNS Request: 26.165.165.52.in-addr.arpa
            • 8.8.8.8:53  31.251.17.2.in-addr.arpa  dns  70 B sent / 133 B received  1 request / 1 response
              DNS Request: 31.251.17.2.in-addr.arpa
            • 8.8.8.8:53  77.190.18.2.in-addr.arpa  dns  70 B sent / 133 B received  1 request / 1 response
              DNS Request: 77.190.18.2.in-addr.arpa
            • 8.8.8.8:53  21.236.111.52.in-addr.arpa  dns  72 B sent / 158 B received  1 request / 1 response
              DNS Request: 21.236.111.52.in-addr.arpa
            • 8.8.8.8:53  tse1.mm.bing.net  dns  62 B sent / 173 B received  1 request / 1 response
              DNS Request: tse1.mm.bing.net
              DNS Response: 204.79.197.200, 13.107.21.200

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\31b9bfaea5d5497f00a7c0ab00d0e47f_JaffaCakes118.exe.log
              Filesize: 223B
              MD5: 1cc4c5b51e50ec74a6880b50ecbee28b
              SHA1: 1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba
              SHA256: 0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b
              SHA512: 5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706

            • C:\Users\Admin\AppData\Local\Temp\lsssa.exe
              Filesize: 836KB
              MD5: 9b7565d601e2ab2c07ee754b642d39e8
              SHA1: d4ffb12906f5e1d52c0e94586d57615c70d83c90
              SHA256: d1f31cf808b1a1cd201672413b646c2a8c6a0ca9066011afcc2f145404ad0b90
              SHA512: 816b268be5733a88b36a5f9c72b5ef9a8c5d4e25ea2d08b08c519276b13c74a399addcbb2cd76fe7fc12fe882a046c2ab16a16aba8ea033f5429512e2991fd04

            • C:\Users\Admin\AppData\Local\Temp\winIogon.exe
              Filesize: 781KB
              MD5: d9355e3d79797a292e2d14aed3867711
              SHA1: f16607467f566b8bb3f3747e5d3a96925d2d1f86
              SHA256: 6776a1076067899c3646967e037309108d3f93e24c777f0a46caa1f7910eb72e
              SHA512: ec30f650151370e0f0bab93c2edda0e8867e41bec2d132607fa164d88977a31cfbec4dc1e0d070ed6d46840d411316427dcdc18d3b0989a98dc8224294062c94

            Memory dumps (filesize in parentheses):

            • memory/688-51-0x0000000000400000-0x0000000000483000-memory.dmp (524KB)
            • memory/688-59-0x0000000000400000-0x0000000000483000-memory.dmp (524KB)
            • memory/688-52-0x0000000000400000-0x0000000000483000-memory.dmp (524KB)
            • memory/688-56-0x0000000000400000-0x0000000000483000-memory.dmp (524KB)
            • memory/688-54-0x0000000000400000-0x0000000000483000-memory.dmp (524KB)
            • memory/688-55-0x0000000000400000-0x0000000000483000-memory.dmp (524KB)
            • memory/1560-62-0x00000000038B0000-0x00000000039EC000-memory.dmp (1.2MB)
            • memory/1560-48-0x0000000000400000-0x0000000000474000-memory.dmp (464KB)
            • memory/1560-42-0x0000000000400000-0x0000000000474000-memory.dmp (464KB)
            • memory/1560-63-0x0000000010000000-0x0000000010089000-memory.dmp (548KB)
            • memory/1560-40-0x0000000000400000-0x0000000000474000-memory.dmp (464KB)
            • memory/1560-41-0x0000000000400000-0x0000000000474000-memory.dmp (464KB)
            • memory/1560-50-0x0000000000400000-0x0000000000474000-memory.dmp (464KB)
            • memory/1560-44-0x0000000000400000-0x0000000000474000-memory.dmp (464KB)
            • memory/1560-43-0x0000000000400000-0x0000000000474000-memory.dmp (464KB)
            • memory/2660-39-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/2660-60-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/2808-0-0x0000000075262000-0x0000000075263000-memory.dmp (4KB)
            • memory/2808-2-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/2808-10-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/2808-1-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/3944-49-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/3944-35-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/3944-38-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/3944-37-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/4212-36-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/4212-4-0x0000000000400000-0x0000000000624000-memory.dmp (2.1MB)
            • memory/4212-5-0x0000000000400000-0x0000000000624000-memory.dmp (2.1MB)
            • memory/4212-11-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/4212-3-0x0000000000400000-0x0000000000624000-memory.dmp (2.1MB)
            • memory/4212-13-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
            • memory/4212-9-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
