eb64494307c287e46901643f69644594307f89a00d7440bc6129b88e3a62ae8f

Analysis

max time kernel
133s
max time network
130s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 06:22 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49c70554a60a6c76aaa79173ab32aaed_JaffaCakes118.html
Size

106KB
MD5

49c70554a60a6c76aaa79173ab32aaed
SHA1

01dc207f2a701d5f4edaafd94267df2302364bd7
SHA256

eb64494307c287e46901643f69644594307f89a00d7440bc6129b88e3a62ae8f
SHA512

68530aeda17405ad80392e251b4ffc65ff0a4f79b08ac51b1e184ea63ca1a96a5e4d9a2e8625b29946d48871a420aa2dac4e344a5c3363a90711e489479a602f
SSDEEP

1536:MDA/UnZ1zmkD0KNriR9dIPwnI26tO4D3o0:MDP1zmkD0KNriR9dIPwnI26HD3H

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000bb90ef63d09f9736de8fdc7508e8e1256a6bd051587bb6a6fe2ad3785ea76199000000000e8000000002000020000000036f3b66a0a10182bab279b22db1f6b9179d935fba191460d366a38ea76dff929000000059074156fab6109eeed30b307a4a806a6c7b95c084f68ad536866a3800e140b0cd99b3bc504b3a9f61693c839367dd91a3bda9bd78fa4ee85b5dbea640ac7ec52b37c98caf5360aeb1be6745f22f1a587b3a6989e0d20037f92827774c29959282d547063354fca6b3042efeec1d7b6de4e46b852e190f9f2360a9b691f59e6b067a57727448808ef8b291bfb564b8e440000000d303de17a40fbfadeff05e9b44db62d63681c977b4cdca0ba456468fcbcb024abc52ca5fee8f6e934e9242173154c9e74d5fe9cb3fa112c7420a666ed67c4e26	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000138da696499d85f07835e1533922200143b63fa9c3bd8c1ea9a1a142250c980e000000000e800000000200002000000047e85aab54052435e156d613c6f9b875ef7a9ed4503f21a69eb7846f5e4b033a2000000005a0681d8e9e4b707965f65de162c11a851244b3bd70ae690fca239939bcaf6b40000000a4be679d767896fb52c283a318f9389e29940cd1ca17c53b75f3e57c7da1c0b3137f0b729515d94b7f4da167a85ffe016aa7300e761a678a4c979fbeeabf97e8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BABF82D1-134C-11EF-9B71-FAB46556C0ED} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0432e9059a7da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422002441"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2428	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2428	iexplore.exe
2428	iexplore.exe
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2936	2428	iexplore.exe	28
PID 2428 wrote to memory of 2936	2428	iexplore.exe	28
PID 2428 wrote to memory of 2936	2428	iexplore.exe	28
PID 2428 wrote to memory of 2936	2428	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\49c70554a60a6c76aaa79173ab32aaed_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2936

Network

DNS

coinhive.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

coinhive.com

IN A

Response

coinhive.com

IN A

104.21.57.186

coinhive.com

IN A

172.67.165.117
DNS

gticng.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

gticng.com

IN A

Response

gticng.com

IN A

172.67.180.15

gticng.com

IN A

104.21.96.122
GET

https://gticng.com/blog/images/uploads/media1542295083.jpg

IEXPLORE.EXE

Remote address:

172.67.180.15:443

Request

GET /blog/images/uploads/media1542295083.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gticng.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Thu, 16 May 2024 06:22:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: http://www.gticng.com/blog/images/uploads/media1542295083.jpg
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SQzAmWb1QSduyd%2F8cXqP3rwh48eMvxHMgpM4OojtBM8tyAbsRIwLdrD6O4xFhSmM8DA%2Bt1UKFIBEr1Jx%2BKNrd5SA%2B47T8r9cZaPXFX%2FT1KOUyHQBHvkm%2Fe1IAY9y"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 884946b31d6706e1-LHR
alt-svc: h3=":443"; ma=86400
GET

https://gticng.com/blog/images/uploads/media1530729199.jpg

IEXPLORE.EXE

Remote address:

172.67.180.15:443

Request

GET /blog/images/uploads/media1530729199.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gticng.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Thu, 16 May 2024 06:22:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: http://www.gticng.com/blog/images/uploads/media1530729199.jpg
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tq6uetqQGSMtJ7pwB7HeEgKFoqqHjlrDBdxzfMh5TRIvleiM7ftlh4Fl8kQa39t6aF7HxsnwFz73sOkCMf5V%2FUmw1V0sXgSgOEBWQkKfhVTL4o%2FdaL4Qj7u1X9up"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 884946b38b18240d-LHR
alt-svc: h3=":443"; ma=86400
GET

https://gticng.com/blog/images/uploads/

IEXPLORE.EXE

Remote address:

172.67.180.15:443

Request

GET /blog/images/uploads/ HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gticng.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Thu, 16 May 2024 06:22:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: http://www.gticng.com/blog/images/uploads/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5l2AXkUaomK0jQxnn4eqW5wDgdqrPBk9dGqle3g13LcX%2FbjUWcEonqS7PmIU81Ag8JIwmGTpw195%2Bh2CoxAAV578ab5FZcb%2FT8aJFjIm%2FZ6hpfxgSicVy0YExjvf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 884946b38961547c-LHR
alt-svc: h3=":443"; ma=86400
GET

https://coinhive.com/lib/coinhive.min.js

IEXPLORE.EXE

Remote address:

104.21.57.186:443

Request

GET /lib/coinhive.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: coinhive.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 16 May 2024 06:22:57 GMT
Content-Type: application/x-javascript
Content-Length: 1115
Connection: keep-alive
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Encoding: gzip
ETag: "806233d282cfd71:0"
Last-Modified: Tue, 02 Nov 2021 00:44:41 GMT
Set-Cookie: ARRAffinity=a9f9761156205d30496df6f366e16e6ba26df4a27a15e946a932cdf71877fd3b;Path=/;HttpOnly;Secure;Domain=coinhive.com
Set-Cookie: ARRAffinitySameSite=a9f9761156205d30496df6f366e16e6ba26df4a27a15e946a932cdf71877fd3b;Path=/;HttpOnly;SameSite=None;Secure;Domain=coinhive.com
Vary: Accept-Encoding
X-Powered-By: ASP.NET
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6P7tgTug2hREaFn5DE2Y0bEm%2FvF4bcgTcrmvaGf1Nra5GM2j6bbNkglMZRYOJN%2BVjIYKKCcGUQ6Dq7y4BrFNe%2FrAzBRpj0MSvgIxu19fI8TUtzyl3hTI%2B8Z1pvdQzOw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 884946b3081077b8-LHR
alt-svc: h3=":443"; ma=86400
DNS

www.gticng.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

www.gticng.com

IN A

Response

www.gticng.com

IN A

172.67.180.15

www.gticng.com

IN A

104.21.96.122
GET

http://www.gticng.com/blog/images/uploads/media1542295083.jpg

IEXPLORE.EXE

Remote address:

172.67.180.15:80

Request

GET /blog/images/uploads/media1542295083.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.gticng.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 16 May 2024 06:22:57 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
cfrom: img
x-powered-by: java
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: BYPASS
Set-Cookie: PHPSESSID=ql8h3lq7o5gm004pnjbn0vevr0; path=/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FVilIEEgzKrU6ChSWIqb9gdCdcripLozchDID1Wf8tUvCl9PfrcRySaHM3UDD5RmvVzLyL3Xwwvl8l2duZXAa2E18ThLqPvc16cfBbxi7orPmQNlpj7LQ0PWku2Yykai2w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 884946b5598423d7-LHR
alt-svc: h3=":443"; ma=86400
GET

http://www.gticng.com/blog/images/uploads/media1530729199.jpg

IEXPLORE.EXE

Remote address:

172.67.180.15:80

Request

GET /blog/images/uploads/media1530729199.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.gticng.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 16 May 2024 06:22:57 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
cfrom: img
x-powered-by: java
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: BYPASS
Set-Cookie: PHPSESSID=85vv6vlorjnbbqp8s8mlol44s6; path=/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N31%2BNew8rmw0clmY5TfKLUR1j1RTXD2wX3mlnpT3KGpZDAUANChbGxKhkuYpDeSKy7flthrkG1Yo5IzyZPF4Zc%2Fubafr0uGOoQDuXzRNwFN3Mi8yNeiThm6cWVHRYqKArA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 884946b57d8376bd-LHR
alt-svc: h3=":443"; ma=86400
GET

http://www.gticng.com/blog/images/uploads/

IEXPLORE.EXE

Remote address:

172.67.180.15:80

Request

GET /blog/images/uploads/ HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.gticng.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 16 May 2024 06:22:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cfrom: index
x-powered-by: java
Set-Cookie: PHPSESSID=5vn46u5ts520gmguph71bf3up0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6TGRvhnMGSMe%2BJVapy47JMqS9OR3diLuOpiyzeyiVS6l1rWY5cL0vINGOKmpAUzqWgaz2Pw7lNJAE7p9Adt29Ne4QvbLZOuqD5cnjNgF6z7fc8utyaD34ST07AGrQSMgUw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 884946b5ab7223bf-LHR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400

104.21.57.186:443

coinhive.com

tls

IEXPLORE.EXE

773 B
5.8kB
10
10
172.67.180.15:443

https://gticng.com/blog/images/uploads/media1542295083.jpg

tls, http

IEXPLORE.EXE

1.2kB
6.8kB
11
12

HTTP Request

GET https://gticng.com/blog/images/uploads/media1542295083.jpg

HTTP Response

301
172.67.180.15:443

https://gticng.com/blog/images/uploads/media1530729199.jpg

tls, http

IEXPLORE.EXE

1.3kB
6.6kB
11
11

HTTP Request

GET https://gticng.com/blog/images/uploads/media1530729199.jpg

HTTP Response

301
172.67.180.15:443

https://gticng.com/blog/images/uploads/

tls, http

IEXPLORE.EXE

1.3kB
6.6kB
11
11

HTTP Request

GET https://gticng.com/blog/images/uploads/

HTTP Response

301
104.21.57.186:443

https://coinhive.com/lib/coinhive.min.js

tls, http

IEXPLORE.EXE

1.1kB
8.0kB
11
12

HTTP Request

GET https://coinhive.com/lib/coinhive.min.js

HTTP Response

200
172.67.180.15:80

http://www.gticng.com/blog/images/uploads/media1542295083.jpg

http

IEXPLORE.EXE

629 B
1.8kB
7
5

HTTP Request

GET http://www.gticng.com/blog/images/uploads/media1542295083.jpg

HTTP Response

200
172.67.180.15:80

http://www.gticng.com/blog/images/uploads/media1530729199.jpg

http

IEXPLORE.EXE

629 B
1.8kB
7
5

HTTP Request

GET http://www.gticng.com/blog/images/uploads/media1530729199.jpg

HTTP Response

200
172.67.180.15:80

http://www.gticng.com/blog/images/uploads/

http

IEXPLORE.EXE

656 B
1.2kB
8
7

HTTP Request

GET http://www.gticng.com/blog/images/uploads/

HTTP Response

200
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

747 B
7.6kB
9
11
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

747 B
7.6kB
9
12
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

779 B
7.6kB
9
11

8.8.8.8:53

coinhive.com

dns

IEXPLORE.EXE

58 B
90 B
1
1

DNS Request

coinhive.com

DNS Response

104.21.57.186

172.67.165.117
8.8.8.8:53

gticng.com

dns

IEXPLORE.EXE

56 B
88 B
1
1

DNS Request

gticng.com

DNS Response

172.67.180.15

104.21.96.122
8.8.8.8:53

www.gticng.com

dns

IEXPLORE.EXE

60 B
92 B
1
1

DNS Request

www.gticng.com

DNS Response

172.67.180.15

104.21.96.122

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf5b44943cdf60ddbdda03c672ab3b5e

SHA1
6c4efdbc8038cc6b10e79f946894c3fd2d4f2c31

SHA256
f17f53bbec369e6ae98952df49bbf76a7bc9496f0051fb4f62ccd0430438e620

SHA512
c01c900bf1e350b28fe18eb90ffe5cdcdbcdfe6833e16cea9db7cf306edf113f814d4e9fa32d5e98e568db6ce741d9dd9e1e7f81d82a44e2be6117330db12f83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b289dffa62315366cef0566f89b8b2c9

SHA1
2747e0064aeb3bfd47db69df518e52b53ba3fa83

SHA256
3c4b04acc36dbd024bfbb5f60f78b377439ed4c26cbc5ba2a0ef1347d2f762dd

SHA512
084cb08ebc2546a475c069a815b96ec271cf6aea3aa8cf2ac7fc086b6fca0fd9d70121ea225ec49dc3feeeb9b6b0f7f886b34acbbc567bdf8266ba6ec75f23cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15e47e8f0db0aa62ddfa5587e2a89ac0

SHA1
0ae6e5fc432860e5eac7f072bae5a736ffe7fa81

SHA256
f550936d1a3075ea41a4372c22c3071c5b569ea5aeb0a9361247bb69ee0493a2

SHA512
8ac2471cbe64b3ca3c86a97a08d23f3aabee258f84dcef1fea26bbe731a0d8a415d1d4e70d432342745db4de436808709a6a892f4b88478ce3e2366a096bf6da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de2f6df18f6c52dd6a3a0003d1bf6514

SHA1
60672b44be2287bea444e7ac9773e626464291c4

SHA256
40766db16953487c569e8f3e574a671eac8414da0b15fb2dc3610a4370479f6a

SHA512
679537282da8baeed6f7a3fed691e6cc1e816dd3711e240b4cac6a7d195f55284e547c7a68134fbe1204eb7f401500783b2fc0c8d6b55079eecd1042cf14d38f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e3d103fb10d21e094db32e4c951df643

SHA1
92ce12720a56e7a51b1c41702b5c0b8fe9db3ddd

SHA256
2ace5c271f188b1b920d4e374092b0fa84b698d9e98137fe3da933b1cf67b7bd

SHA512
c6073ebdd1a4ef44f75ced4d2812fd0a7f3765771ada46e765d0c1d9444906e80d3163cbe94ece18500e3493b266201952ac51ad4946cba78175afc728bd50e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1dc8a70ecf718ce4112f7a04d2224889

SHA1
38b031ee2f548d807bb1b3819dc24c0238877d12

SHA256
8fa24f914c467bba2943949ea2450ddc7c230400cb5b1d865b6b08147fb9264a

SHA512
5b27cd0d7a85db01676bddefcc93f4ec4d4a18d0e5c320842680d2c4fcf64168990597bb1fae189e4f4c38a8e0632c0c4a00bcf30d624c77cf14e7604efffcc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
040635b0b3f1631714b48c868763895e

SHA1
87591dd4a1c35e46b6583d5f1d0680c2f8ccee0c

SHA256
28f676f961b2551026d669927ec89b25564ea71fe2d7d42b106d5e41b4a872da

SHA512
ad2cb22b1ed8a82fe7115bd110e2f1b540beca7da6e404bce2833feee604234e1c9c95da940857474079e2bb0cdc77a47ed26b38a433c4a1ea8dc8a8d8b2c977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa3a0470ef7073e25750999caa4c96d4

SHA1
e32aa2c5291b6233d687ce34f41ed8cca5763c06

SHA256
e0d3596afb1e4767a6455e5dfedba93789cc6751a0ba9da73215a30d55e6a742

SHA512
aff697755355716a9a4e29c5c32bd00eecf3f190f7f4ac29e6f5ab9fb413d4c605a255714fe3cdce53b4db0810c794b9249c6b3ff2d257c9ee974d341282ad8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73132f6f864fb184191f3397702100f1

SHA1
5fcdd669f0404fdf71ac69b9d205262366e36e7f

SHA256
befc06b89724d455ebf340ea2f77d3cb57de000030e3a95c11779d196c803b60

SHA512
a14c8ebe1f647574204d455244bf3726130f00b44be48fa358f5904af08150897ab3553701eb850f5d3b32eb669823eadd24be54f43890f9bffca3c74749ff83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
341b978252d4a970e63a0ee7431994b9

SHA1
89de8a4389a7082c05e23ebd848d7cacf9903caf

SHA256
c72b4a5835c696c796aab7254eb9ce33c79618dc5c080a2383a8c2b50f0c2e0e

SHA512
a6a70c936356a8768ff40439f52e104abf6cb1f2414b8d82f3a275cbde0b5cd4e1e28efed032a36616f4534169ad0adaf9d9dba16007bd21a431fef4e33ed904

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fba7dfa5aa4f00bb4b78b42ce1eb63cf

SHA1
dbe4bba62dc9713338e938a2eff4b1275d8e4945

SHA256
ba3ecc21571468e22f79aa01138582ed88499550092f6ce90c02389d1d3e9a79

SHA512
35c8bd5b08982629edee204f3fcf89f26e9461d4b99213a67ae2a9c8a68286f4a5036a885d8798b284d5fe07a8a5775d8f8bf8b92eced3db6564a2a13b4a2606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9188afacf2c216488149345dc0399eb

SHA1
0ede154396a6c190a69e5c1b9d209597d3fe3a24

SHA256
f5d461cc3ef0db25906392fbfe5aae81939b2bce78973add0ab13737acbcbcb0

SHA512
587fa44b98b0993cef49aef2301adfb51c316122f424dc1c605189c1b9e2a0946528f4d48b033d618e1c8286ecb6f16e9a7d7bb91cfdc0cf502f3551d9e9301b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1259fabfb4166558a90705c829b8547

SHA1
489581cc9d6246a0534547c1b74fca78fdae8d00

SHA256
011989bbecb1f558e61f6593badba940da895273085270e477275bcd88da8657

SHA512
ea2e2fa12a0b3c1214c6d4bb91f64406c380e24a55e16eb1ee0c99d1955fae46f3d08dadd529fbdb821139327cf0b32fb30804658d570209254e96c41faef289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed0b874261ca4f82ff0d04b3f1423888

SHA1
44263cd1725c38b64d54b3f89e421968a1e45430

SHA256
f72c67f95e0fda3e129b8fe75060e71447bbd8071057d04b5e6337c80b39a827

SHA512
e58f57b30023586a7a2f31e5af68cde98a7f320e1746e0c746cf1240cce93e9f5f375f3f3782409bc028d9797074e77a27a734f3c34e198f8aa9859db9abd945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96fb3c76b40f44d8aae931a2fc4730d9

SHA1
a0957a73e7f7db34bb0e6b932e54eb79e0d9e23e

SHA256
ad06079b040ae7d0eb100251ff519fc2a4db404e7ce1c98102ab960656690985

SHA512
48b9a4980fe39d22d669797e71c6719e4bbeb9acb56a78eaf60ace5df7467df52a324ab30ed3d218c93047d7d516acada4bfa71ffa17752eef61f041fa582023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07424557d20478246f212abebe5999a5

SHA1
f6d24eb24c6280bca93a7bc9672372960de6c120

SHA256
2d65bff9b5b7b232244b0e0f69356cfce976764b255204801be64fd7ce0cb0a1

SHA512
a39e9b487d2418ad10a0d41dcddc29b2a3971501cb60ec483c9d7a5617fb478864097207d3dbdbbc758d62bf9f5f08298d04fc58d77ec908ec08ddae36c2b896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad7d9a86eaaeae30da21cfe82aa399e2

SHA1
ea4869d7793d9ce76b5fcd6fdc5702d5fe4e967c

SHA256
da4f444b64aeef15a3f80b7280259250edfaafe1dd5eaf444452a6181cd35af9

SHA512
ccae3a0ae3b09d5842ea372d60db7c1ccc2c8d0aad757957de2b5ac0ab9bcf023f1b91449a8b6b68ad68af355d7625b9afa34dd3c3fe670ceb131924d2064ce6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d1d76c4c80b69838a35e55be2f0337f

SHA1
81a0a5db33d25844da49aae1c8a4d6b70237ba2e

SHA256
2d8801dd2640d1337f515911dd75540c36bf0c2e51e2a3f90cf829f189d91945

SHA512
387755a6f5c48716adb478690cd4b542aaff017a9c13957f11fa1dbc387a4ca2d4ea88998f774f31e9fa2ce3221e2874a6388269f89d92615cd63c423f50a74a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42cd3cdba6f614d78c3bff697f18ddbd

SHA1
1c3778cc97d24af3a2cfb9d18c67f79a0ae74db3

SHA256
7b3ef3752ace32dcd27ec7ba52c51e68d02fd772777303b03164f384e85dbdb2

SHA512
8242a6578fea5b584b29175a889dcf8dd4823fbd43a7f9d2f54016cb0917fe2aed7c37f499c035632198d70584486a102350463fd08d46ebd975018e742be7ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cdf8b380bc5da1167cf403cd18bcf7cb

SHA1
f3d9e5c0112da879c746812f97013ba4c6f7f3e0

SHA256
32d6c43c212d020df98a6cc7c48425e3010d8b5f05e338d0684afde84544a14b

SHA512
1160fcdf6898f1e44ab4bb3b9b0feddb3294806ec2ff6129d9847fedf31eb5837a3215d522516ced5f51f8589b0ed8c2f1cd57df8252d975b87b101d3a000c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3BD9.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3BDC.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.