Analysis
max time kernel: 142s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 00:28 UTC
Behavioral task: behavioral1
Sample: 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Size: 158KB
MD5: 3b51fab717e281580abca9c62aaa9685
SHA1: 74cd77630ace2fa629405f0665f34f1bb86419c1
SHA256: 3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
SHA512: 41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f
SSDEEP: 3072:/23lko29IApHuGPdsNjMb5LjZpTSNLjXTp2zEVZNNSdAXb:/do+FuGPds1cLjLSBjDpUEzNNS+L
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2895k76 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rt04lto.exe" | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | rt04lto.exe
Executes dropped EXE (2 IoCs)
pid | Process
3284 | rt04lto.exe
4600 | rt04lto.exe
resource | yara_rule
behavioral2/memory/2368-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x000800000002346b-5.dat | upx
behavioral2/memory/3284-7-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3284-22-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4600-23-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4600-24-0x0000000000400000-0x000000000042A000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | Rundll32.exe
Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\osor.log | rt04lto.exe
Launches sc.exe (6 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
3296 | sc.exe
3276 | sc.exe
4056 | sc.exe
4436 | sc.exe
2904 | sc.exe
3108 | sc.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe
Runs net.exe
Suspicious use of SetWindowsHookEx (9 IoCs)
pid | Process
2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
3284 | rt04lto.exe
3284 | rt04lto.exe
3284 | rt04lto.exe
4600 | rt04lto.exe
4600 | rt04lto.exe
4600 | rt04lto.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2368 wrote to memory of 4660 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 88
PID 2368 wrote to memory of 4660 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 88
PID 2368 wrote to memory of 4660 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 88
PID 2368 wrote to memory of 4056 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 89
PID 2368 wrote to memory of 4056 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 89
PID 2368 wrote to memory of 4056 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 89
PID 2368 wrote to memory of 2352 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 91
PID 2368 wrote to memory of 2352 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 91
PID 2368 wrote to memory of 2352 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 91
PID 2368 wrote to memory of 4436 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 92
PID 2368 wrote to memory of 4436 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 92
PID 2368 wrote to memory of 4436 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 92
PID 2368 wrote to memory of 3284 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 93
PID 2368 wrote to memory of 3284 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 93
PID 2368 wrote to memory of 3284 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 93
PID 2368 wrote to memory of 956 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 97
PID 2368 wrote to memory of 956 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 97
PID 2368 wrote to memory of 956 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 97
PID 4660 wrote to memory of 4336 | 4660 | net.exe | 98
PID 4660 wrote to memory of 4336 | 4660 | net.exe | 98
PID 4660 wrote to memory of 4336 | 4660 | net.exe | 98
PID 2352 wrote to memory of 1088 | 2352 | net.exe | 99
PID 2352 wrote to memory of 1088 | 2352 | net.exe | 99
PID 2352 wrote to memory of 1088 | 2352 | net.exe | 99
PID 956 wrote to memory of 3888 | 956 | Rundll32.exe | 100
PID 956 wrote to memory of 3888 | 956 | Rundll32.exe | 100
PID 956 wrote to memory of 3888 | 956 | Rundll32.exe | 100
PID 2368 wrote to memory of 456 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 101
PID 2368 wrote to memory of 456 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 101
PID 2368 wrote to memory of 456 | 2368 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 101
PID 3284 wrote to memory of 2932 | 3284 | rt04lto.exe | 103
PID 3284 wrote to memory of 2932 | 3284 | rt04lto.exe | 103
PID 3284 wrote to memory of 2932 | 3284 | rt04lto.exe | 103
PID 3284 wrote to memory of 2904 | 3284 | rt04lto.exe | 104
PID 3284 wrote to memory of 2904 | 3284 | rt04lto.exe | 104
PID 3284 wrote to memory of 2904 | 3284 | rt04lto.exe | 104
PID 3284 wrote to memory of 1652 | 3284 | rt04lto.exe | 105
PID 3284 wrote to memory of 1652 | 3284 | rt04lto.exe | 105
PID 3284 wrote to memory of 1652 | 3284 | rt04lto.exe | 105
PID 3284 wrote to memory of 3108 | 3284 | rt04lto.exe | 106
PID 3284 wrote to memory of 3108 | 3284 | rt04lto.exe | 106
PID 3284 wrote to memory of 3108 | 3284 | rt04lto.exe | 106
PID 3284 wrote to memory of 4600 | 3284 | rt04lto.exe | 107
PID 3284 wrote to memory of 4600 | 3284 | rt04lto.exe | 107
PID 3284 wrote to memory of 4600 | 3284 | rt04lto.exe | 107
PID 1652 wrote to memory of 1704 | 1652 | net.exe | 112
PID 1652 wrote to memory of 1704 | 1652 | net.exe | 112
PID 1652 wrote to memory of 1704 | 1652 | net.exe | 112
PID 2932 wrote to memory of 1576 | 2932 | net.exe | 113
PID 2932 wrote to memory of 1576 | 2932 | net.exe | 113
PID 2932 wrote to memory of 1576 | 2932 | net.exe | 113
PID 3888 wrote to memory of 3364 | 3888 | runonce.exe | 114
PID 3888 wrote to memory of 3364 | 3888 | runonce.exe | 114
PID 3888 wrote to memory of 3364 | 3888 | runonce.exe | 114
PID 4600 wrote to memory of 1700 | 4600 | rt04lto.exe | 115
PID 4600 wrote to memory of 1700 | 4600 | rt04lto.exe | 115
PID 4600 wrote to memory of 1700 | 4600 | rt04lto.exe | 115
PID 4600 wrote to memory of 3276 | 4600 | rt04lto.exe | 116
PID 4600 wrote to memory of 3276 | 4600 | rt04lto.exe | 116
PID 4600 wrote to memory of 3276 | 4600 | rt04lto.exe | 116
PID 4600 wrote to memory of 4504 | 4600 | rt04lto.exe | 117
PID 4600 wrote to memory of 4504 | 4600 | rt04lto.exe | 117
PID 4600 wrote to memory of 4504 | 4600 | rt04lto.exe | 117
PID 4600 wrote to memory of 3296 | 4600 | rt04lto.exe | 118
Processes
C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"
  PID: 2368
  - Adds policy Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      command line: net.exe stop "Security Center"
      PID: 4660
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Security Center"
          PID: 4336
    C:\Windows\SysWOW64\sc.exe
      command line: sc config wscsvc start= DISABLED
      PID: 4056
      - Launches sc.exe
    C:\Windows\SysWOW64\net.exe
      command line: net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      PID: 2352
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          PID: 1088
    C:\Windows\SysWOW64\sc.exe
      command line: sc config SharedAccess start= DISABLED
      PID: 4436
      - Launches sc.exe
    C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
      command line: C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
      PID: 3284
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe
          command line: net.exe stop "Security Center"
          PID: 2932
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
              command line: C:\Windows\system32\net1 stop "Security Center"
              PID: 1576
        C:\Windows\SysWOW64\sc.exe
          command line: sc config wscsvc start= DISABLED
          PID: 2904
          - Launches sc.exe
        C:\Windows\SysWOW64\net.exe
          command line: net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          PID: 1652
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
              command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
              PID: 1704
        C:\Windows\SysWOW64\sc.exe
          command line: sc config SharedAccess start= DISABLED
          PID: 3108
          - Launches sc.exe
        C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
          command line: C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -d716208E23EF9D708CB3A634430743C392DB8CDBD85E7C70E3559F88E78AED2BAA8D42B3684F8FEA06D19379885BBCBE3DD1EAD451AB1663A3A034E324F30C1B37C35C36C7971E90554158EC9609B959F6B5C410DA415FAFAEA58EE8659ADE7614017DECCF5EB0DBD1FD986D16CAF9ECBC875B68599C21B2C89AB145AE09F66D78492C96012501FCDB1807A2990552DAD26CB7A7AB44E9BCB970C3E616CB2A67B197C116C285C140D2B7C0852F769C759F69D398AECC99128D4D928A7C7834AAC106F8290D19D20DCEC9C0E9408992F67E957E0A57C3151DE42A1CF5FF93F38EFBA062A26E654BA0B9796A7366DA76B28EFDA9CB5DCAF71C5229272FA4CB794FFA84656FC800895210DEA310D0F46C1073999DBE2C6E9C55EF5C28BC348E5C4FEABE79364F7BCA79A6D534A351806B55939EF49F331B363517C4FDAADB6CF6D10D494AD14E539258E1AC0CDEEEF210BD7A083D3B158999FB7B75559FEA0AF73F775F6B2F52371845CB55CD8BC3E3FCA595E93A6F5B3390E6CE9A3481E4FE3FC181D29EF30CA93799A1D7BC944EEEE3691A5443004FBC986F8911C21474B446D7D9F14F1873290F9AC75E2
          PID: 4600
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net.exe
              command line: net.exe stop "Security Center"
              PID: 1700
                C:\Windows\SysWOW64\net1.exe
                  command line: C:\Windows\system32\net1 stop "Security Center"
                  PID: 3600
            C:\Windows\SysWOW64\sc.exe
              command line: sc config wscsvc start= DISABLED
              PID: 3276
              - Launches sc.exe
            C:\Windows\SysWOW64\net.exe
              command line: net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
              PID: 4504
                C:\Windows\SysWOW64\net1.exe
                  command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                  PID: 4480
            C:\Windows\SysWOW64\sc.exe
              command line: sc config SharedAccess start= DISABLED
              PID: 3296
              - Launches sc.exe
    C:\Windows\SysWOW64\Rundll32.exe
      command line: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
      PID: 956
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\runonce.exe
          command line: "C:\Windows\system32\runonce.exe" -r
          PID: 3888
          - Checks processor information in registry
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\grpconv.exe
              command line: "C:\Windows\System32\grpconv.exe" -o
              PID: 3364
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\g9ngajqf.bat
      PID: 456
Network
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: tse1.mm.bing.net IN A | Response: tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net; mm-mm.bing.net.trafficmanager.net IN CNAME ax-0001.ax-msedge.net; ax-0001.ax-msedge.net IN A 150.171.27.10; ax-0001.ax-msedge.net IN A 150.171.28.10
HTTP | GET https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 | Remote address: 150.171.27.10:443
Request:
GET /th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 944920
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8C456DB8E1584D2F99D0AEEAECDDD60C Ref B: LON04EDGE0806 Ref C: 2024-07-12T00:29:02Z
date: Fri, 12 Jul 2024 00:29:01 GMT
HTTP | GET https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 | Remote address: 150.171.27.10:443
Request:
GET /th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 495209
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6DFF58AA67B2468B987988076C6941A0 Ref B: LON04EDGE0806 Ref C: 2024-07-12T00:29:02Z
date: Fri, 12 Jul 2024 00:29:01 GMT
DNS | Remote address: 8.8.8.8:53 | Request: 8.8.8.8.in-addr.arpa IN PTR | Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
DNS | Remote address: 8.8.8.8:53 | Request: 14.160.190.20.in-addr.arpa IN PTR | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: 10.160.77.104.in-addr.arpa IN PTR | Response: 10.160.77.104.in-addr.arpa IN PTR a104-77-160-10.deploy.static.akamaitechnologies.com
DNS | Remote address: 8.8.8.8:53 | Request: g.bing.com IN A | Response: g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net; g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net; dual-a-0034.a-msedge.net IN A 13.107.21.237; dual-a-0034.a-msedge.net IN A 204.79.197.237
HTTP | GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= | Remote address: 13.107.21.237:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0F99AC62B6C16AF22F5DB8D8B7216BEF; domain=.bing.com; expires=Wed, 06-Aug-2025 00:29:02 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8840C75406204713865EE28562D19DB6 Ref B: LON04EDGE1121 Ref C: 2024-07-12T00:29:02Z
date: Fri, 12 Jul 2024 00:29:02 GMT
HTTP | GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= | Remote address: 13.107.21.237:443
Request:
GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0F99AC62B6C16AF22F5DB8D8B7216BEF
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=JvIPpHxe4C_Fd4YnmZP8drv2XzDw_auAN6vSM_JisVg; domain=.bing.com; expires=Wed, 06-Aug-2025 00:29:02 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1886A3C1704D4D82949F8300CD4EE4DC Ref B: LON04EDGE1121 Ref C: 2024-07-12T00:29:02Z
date: Fri, 12 Jul 2024 00:29:02 GMT
HTTP | GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= | Remote address: 13.107.21.237:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0F99AC62B6C16AF22F5DB8D8B7216BEF; MSPTC=JvIPpHxe4C_Fd4YnmZP8drv2XzDw_auAN6vSM_JisVg
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B3CBB8821AAE4FB1A3A1B88A30CCE07D Ref B: LON04EDGE1121 Ref C: 2024-07-12T00:29:02Z
date: Fri, 12 Jul 2024 00:29:02 GMT
DNS | Remote address: 8.8.8.8:53 | Request: 237.21.107.13.in-addr.arpa IN PTR | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: 157.123.68.40.in-addr.arpa IN PTR | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: 171.39.242.20.in-addr.arpa IN PTR | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: 217.135.221.88.in-addr.arpa IN PTR | Response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: w.nucleardiscover.com IN A | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: 240.221.184.93.in-addr.arpa IN PTR | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: 11.227.111.52.in-addr.arpa IN PTR | Response: (empty)
DNS | Remote address: 8.8.8.8:53 | Request: 104.193.132.51.in-addr.arpa IN PTR | Response: (empty)
Flow: 1.2kB 6.9kB 15 13
Flow: 150.171.27.10:443 https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 | tls, http2 | 58.4kB 1.5MB 1089 1085
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Response: 200
  HTTP Response: 200
Flow: 13.107.21.237:443 https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= | tls, http2 | 2.0kB 9.3kB 21 18
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
  HTTP Response: 204
Flow: 268 B 268 B 4 4
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
Flow: 62 B 170 B 1 1
  DNS Request: tse1.mm.bing.net
  DNS Response: 150.171.27.10, 150.171.28.10
Flow: 66 B 90 B 1 1
  DNS Request: 8.8.8.8.in-addr.arpa
Flow: 72 B 158 B 1 1
  DNS Request: 14.160.190.20.in-addr.arpa
Flow: 72 B 137 B 1 1
  DNS Request: 10.160.77.104.in-addr.arpa
Flow: 56 B 151 B 1 1
  DNS Request: g.bing.com
  DNS Response: 13.107.21.237, 204.79.197.237
Flow: 72 B 158 B 1 1
  DNS Request: 237.21.107.13.in-addr.arpa
Flow: 268 B 268 B 4 4
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
Flow: 268 B 268 B 4 4
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
Flow: 72 B 146 B 1 1
  DNS Request: 157.123.68.40.in-addr.arpa
Flow: 268 B 268 B 4 4
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
Flow: 72 B 158 B 1 1
  DNS Request: 171.39.242.20.in-addr.arpa
Flow: 73 B 139 B 1 1
  DNS Request: 217.135.221.88.in-addr.arpa
Flow: 268 B 268 B 4 4
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
Flow: 268 B 268 B 4 4
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
  DNS Request: w.nucleardiscover.com
Flow: 73 B 144 B 1 1
  DNS Request: 240.221.184.93.in-addr.arpa
Flow: 72 B 158 B 1 1
  DNS Request: 11.227.111.52.in-addr.arpa
Flow: 73 B 159 B 1 1
  DNS Request: 104.193.132.51.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 218B
MD5: bc686b5b5dfc9fe33f1b9298988ffea4
SHA1: 0f4aa7406da22b81e1e8c0413ede8f4d6077e063
SHA256: 134c6b80d275afa3ab4e52fd85b5cfe4e202fd2b52416c64b6b6a435712d9816
SHA512: 6b425aad3c7d98083f2e0d0e817939a8617f2a6c89c50a5de942b22945b88a5e80f5fe43425ff2dbdfb83de83b9eb32714070f6abd9d1cdbd5e10f5e97ba6335

Filesize: 413B
MD5: ce1f2d7c8e36f3c085a5d281b9ebeb2f
SHA1: bbbfae948d625afe50f66f34282bda3974cfdce5
SHA256: 312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c
SHA512: 89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

Filesize: 158KB
MD5: 3b51fab717e281580abca9c62aaa9685
SHA1: 74cd77630ace2fa629405f0665f34f1bb86419c1
SHA256: 3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
SHA512: 41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f