Analysis

  • max time kernel
    149s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/05/2024, 06:38 UTC

General

  • Target

    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe

  • Size

    4.2MB

  • MD5

    5dab6e73afd5e3c7e73b4f5003f8b394

  • SHA1

    70423263f4588db8dc4ad73b1b48eee476da29d3

  • SHA256

    4d27b20738d72f05c725b269b3592f91fe1f8d107b2bdf6f1a66101f68c92fc6

  • SHA512

    fd64e722f7d348573a27c04414454536b3f0fafdb5cfb90fd925f0d114f0c7960bb5d01d3be29fb1cb65491c4d95d0deebebc837f0e976497660a5d8a41f6c46

  • SSDEEP

    98304:0OghJVFG+lTLiUkIo7dkbYtxrETHMU6Lvj9lO6t1IrICgyhg:4VxlTyIk4sUujBQrNj

Malware Config

Signatures

  • Detect Fabookie payload 1 IoCs
  • Fabookie

    Fabookie is a Facebook account information stealer.

  • Nirsoft 2 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
      2⤵
      • Executes dropped EXE
      PID:2968
    • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3732

Network

  • flag-us
    DNS
    ip-api.com
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json/
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    Connection: Keep-Alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
    viewport-width: 1920
    Host: ip-api.com
    Response
    HTTP/1.1 200 OK
    Date: Mon, 20 May 2024 06:38:42 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 297
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.facebook.com
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.facebook.com
    IN A
    Response
    www.facebook.com
    IN CNAME
    star-mini.c10r.facebook.com
    star-mini.c10r.facebook.com
    IN A
    163.70.151.35
  • flag-gb
    GET
    https://www.facebook.com/
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    Remote address:
    163.70.151.35:443
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
    viewport-width: 1920
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Upgrade-Insecure-Requests: 1
    Host: www.facebook.com
    Response
    HTTP/1.1 302 Found
    Location: https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F
    reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", coep_report="https://www.facebook.com/browser_reporting/coep/?minimize=0"
    report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coep\/?minimize=0"}],"group":"coep_report"}
    content-security-policy-report-only: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
    content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
    document-policy: force-load-at-top
    permissions-policy: accelerometer=(), attribution-reporting=(self), autoplay=(), battery=(self), bluetooth=(), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), usb-unrestricted=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
    cross-origin-resource-policy: same-origin
    cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
    cross-origin-opener-policy: unsafe-none;report-to="coop_report"
    Pragma: no-cache
    Cache-Control: private, no-cache, no-store, must-revalidate
    Expires: Sat, 01 Jan 2000 00:00:00 GMT
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=15552000; preload
    Content-Type: text/html; charset="utf-8"
    X-FB-Debug: c8RUHFPbwHXsAjwzCxqrUyfurC4nj9sXWIK49zGJwTs5EgOAvBwaif5waTQjSgj82ThuopJwrq00vKNxqr8U9w==
    Date: Mon, 20 May 2024 06:38:44 GMT
    X-FB-Connection-Quality: EXCELLENT; q=0.9, rtt=21, rtx=0, c=10, mss=1357, tbw=3227, tp=-1, tpl=-1, uplat=25, ullat=0
    Alt-Svc: h3=":443"; ma=86400
    Connection: keep-alive
    Content-Length: 0
  • flag-gb
    GET
    https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    Remote address:
    163.70.151.35:443
    Request
    GET /login/?next=https%3A%2F%2Fwww.facebook.com%2F HTTP/1.1
    Connection: Keep-Alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
    viewport-width: 1920
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Upgrade-Insecure-Requests: 1
    Host: www.facebook.com
    Response
    HTTP/1.1 200 OK
    Vary: Accept-Encoding
    reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", coep_report="https://www.facebook.com/browser_reporting/coep/?minimize=0", default="https://www.facebook.com/ajax/browser_error_reports/?device_level=unknown", permissions_policy="https://www.facebook.com/ajax/browser_error_reports/"
    report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coep\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}, {"max_age":21600,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/"}],"group":"permissions_policy"}
    content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
    document-policy: force-load-at-top
    permissions-policy: accelerometer=(), attribution-reporting=(self), autoplay=(), battery=(self), bluetooth=(), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), usb-unrestricted=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
    cross-origin-resource-policy: same-origin
    cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
    cross-origin-opener-policy: unsafe-none;report-to="coop_report"
    Pragma: no-cache
    Cache-Control: private, no-cache, no-store, must-revalidate
    Expires: Sat, 01 Jan 2000 00:00:00 GMT
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=15552000; preload
    Content-Type: text/html; charset="utf-8"
    X-FB-Debug: qZttrl5CtrRQw1pDbPYuR/hDNwp3VcY4hM9Kma6SFZzwV2gF/ZEylXh6QfDMTmDPBExEP0KeuyHoL0Vi/43cZQ==
    Date: Mon, 20 May 2024 06:38:45 GMT
    Transfer-Encoding: chunked
    X-FB-Connection-Quality: EXCELLENT; q=0.9, rtt=20, rtx=0, c=10, mss=1357, tbw=7860, tp=-1, tpl=-1, uplat=134, ullat=0
    Alt-Svc: h3=":443"; ma=86400
    Connection: keep-alive
  • flag-gb
    GET
    https://www.facebook.com/
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    Remote address:
    163.70.151.35:443
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
    viewport-width: 1920
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Upgrade-Insecure-Requests: 1
    Host: www.facebook.com
    Response
    HTTP/1.1 302 Found
    Location: https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F
    reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", coep_report="https://www.facebook.com/browser_reporting/coep/?minimize=0"
    report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coep\/?minimize=0"}],"group":"coep_report"}
    content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
    document-policy: force-load-at-top
    permissions-policy: accelerometer=(), attribution-reporting=(self), autoplay=(), battery=(self), bluetooth=(), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), usb-unrestricted=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
    cross-origin-resource-policy: same-origin
    cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
    cross-origin-opener-policy: unsafe-none;report-to="coop_report"
    Pragma: no-cache
    Cache-Control: private, no-cache, no-store, must-revalidate
    Expires: Sat, 01 Jan 2000 00:00:00 GMT
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=15552000; preload
    Content-Type: text/html; charset="utf-8"
    X-FB-Debug: VxYiZ/K084fyD8qlkeVc+qQzR1J65svIXUsfgQ4LhkuCIbLjFahi4Rp+C+tNAqDSPWJldbUf9qan5rp2xDbbSw==
    Date: Mon, 20 May 2024 06:38:47 GMT
    X-FB-Connection-Quality: EXCELLENT; q=0.9, rtt=21, rtx=0, c=94, mss=1357, tbw=121212, tp=-1, tpl=-1, uplat=23, ullat=0
    Alt-Svc: h3=":443"; ma=86400
    Connection: keep-alive
    Content-Length: 0
  • flag-gb
    GET
    https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    Remote address:
    163.70.151.35:443
    Request
    GET /login/?next=https%3A%2F%2Fwww.facebook.com%2F HTTP/1.1
    Connection: Keep-Alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
    viewport-width: 1920
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Upgrade-Insecure-Requests: 1
    Host: www.facebook.com
    Response
    HTTP/1.1 200 OK
    Vary: Accept-Encoding
    reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", coep_report="https://www.facebook.com/browser_reporting/coep/?minimize=0", default="https://www.facebook.com/ajax/browser_error_reports/?device_level=unknown", permissions_policy="https://www.facebook.com/ajax/browser_error_reports/"
    report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coep\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}, {"max_age":3600,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}],"group":"network-errors"}, {"max_age":21600,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/"}],"group":"permissions_policy"}
    nel: {"report_to":"network-errors","max_age":3600,"failure_fraction":0.01}
    content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
    document-policy: force-load-at-top
    permissions-policy: accelerometer=(), attribution-reporting=(self), autoplay=(), battery=(self), bluetooth=(), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), usb-unrestricted=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
    cross-origin-resource-policy: same-origin
    cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
    cross-origin-opener-policy: unsafe-none;report-to="coop_report"
    Pragma: no-cache
    Cache-Control: private, no-cache, no-store, must-revalidate
    Expires: Sat, 01 Jan 2000 00:00:00 GMT
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=15552000; preload
    Content-Type: text/html; charset="utf-8"
    X-FB-Debug: USia0ewxdZz2lzHlMMJi9UvRBrtJnV75+0Z1iVgV1tIDLxUkVB8uchHI13G2kJPNAM4KH0yB1FJ1sKJV7YIkQw==
    Date: Mon, 20 May 2024 06:38:47 GMT
    Transfer-Encoding: chunked
    X-FB-Connection-Quality: EXCELLENT; q=0.9, rtt=20, rtx=0, c=10, mss=1357, tbw=124776, tp=-1, tpl=-1, uplat=168, ullat=0
    Alt-Svc: h3=":443"; ma=86400
    Connection: keep-alive
  • flag-us
    DNS
    35.151.70.163.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    35.151.70.163.in-addr.arpa
    IN PTR
    Response
    35.151.70.163.in-addr.arpa
    IN PTR
    edge-star-mini-shv-02-lhr6.facebook.com
  • flag-us
    DNS
    uskskskggkk3.2ihsfa.com
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    uskskskggkk3.2ihsfa.com
    IN A
    Response
    uskskskggkk3.2ihsfa.com
    IN A
    127.0.0.1
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.136.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.136.73.23.in-addr.arpa
    IN PTR
    Response
    138.136.73.23.in-addr.arpa
    IN PTR
    a23-73-136-138.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    667 B
    606 B
    4
    3

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 163.70.151.35:443
    https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F
    tls, http
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    7.9kB
    261.5kB
    109
    197

    HTTP Request

    GET https://www.facebook.com/

    HTTP Response

    302

    HTTP Request

    GET https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F

    HTTP Response

    200

    HTTP Request

    GET https://www.facebook.com/

    HTTP Response

    302

    HTTP Request

    GET https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F

    HTTP Response

    200
  • 127.0.0.1:80
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
  • 8.8.8.8:53
    ip-api.com
    dns
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
    95 B
    1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    www.facebook.com
    dns
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    62 B
    107 B
    1
    1

    DNS Request

    www.facebook.com

    DNS Response

    163.70.151.35

  • 8.8.8.8:53
    35.151.70.163.in-addr.arpa
    dns
    72 B
    125 B
    1
    1

    DNS Request

    35.151.70.163.in-addr.arpa

  • 8.8.8.8:53
    uskskskggkk3.2ihsfa.com
    dns
    5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
    69 B
    85 B
    1
    1

    DNS Request

    uskskskggkk3.2ihsfa.com

    DNS Response

    127.0.0.1

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    138.136.73.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    138.136.73.23.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

    Filesize

    31B

    MD5

    b7161c0845a64ff6d7345b67ff97f3b0

    SHA1

    d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

    SHA256

    fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

    SHA512

    98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

  • C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

    Filesize

    1KB

    MD5

    ec0766000b2f53a6cb091a9fcfe68101

    SHA1

    9eb88dc49fa23b048ca635b5aa16364f6abc29ee

    SHA256

    7dbeddd1fe35b2e08d1500a155e26173a78bd1d731e4c59986f2d85ed4e2579e

    SHA512

    1daa3e8614b2bd9e44bf4019f1a4a8b3b02106b3577fb9b35ad6b833bed1772033408e788e0a891fe81f5a5b1c185ea63428ff5f0ccec966eaeba8db0a7a8fc8

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

    Filesize

    61KB

    MD5

    a6279ec92ff948760ce53bba817d6a77

    SHA1

    5345505e12f9e4c6d569a226d50e71b5a572dce2

    SHA256

    8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

    SHA512

    213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

    Filesize

    184KB

    MD5

    7fee8223d6e4f82d6cd115a28f0b6d58

    SHA1

    1b89c25f25253df23426bd9ff6c9208f1202f58b

    SHA256

    a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

    SHA512

    3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

  • memory/1484-0-0x0000000000AF0000-0x0000000001214000-memory.dmp

    Filesize

    7.1MB

  • memory/2968-8-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2968-10-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/3732-16-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/3732-22-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB
