Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2024, 11:31 UTC
Static task
static1
Behavioral task
behavioral1
Sample
49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
-
Size
733KB
-
MD5
49977ea91effefa69e91faaf406309c4
-
SHA1
29fdbe1a0ee9d6c7aa9499f3a70ef9bffcea3dab
-
SHA256
ca1d43c7df11837f12a37594e204bf75d59c40af5b8d24e6944f24a20a52577e
-
SHA512
27a4edf9e8b9962e6b50c3ad6d2fb353c09053d17032973c74fe2ffa526d94f1e9090ffc0023e5c7ab2ea5775861188bbc5eaf77ad014852479d41891caa070f
-
SSDEEP
12288:13Fpj4rBRLukn+zKg2oOR2OQl5xAdmxQDgGeItGBV07XpWZhASRXHYnrmc:1VpUFRUgoOwOY5xAqQlFtWVAqRXHYrmc
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 4728 netsh.exe 1928 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4740 wrote to memory of 4196 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 84 PID 4740 wrote to memory of 4196 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 84 PID 4740 wrote to memory of 4196 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 84 PID 4740 wrote to memory of 1996 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 86 PID 4740 wrote to memory of 1996 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 86 PID 4740 wrote to memory of 1996 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 86 PID 4740 wrote to memory of 3204 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 89 PID 4740 wrote to memory of 3204 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 89 PID 4740 wrote to memory of 3204 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 89 PID 3204 wrote to memory of 4728 3204 cmd.exe 92 PID 3204 wrote to memory of 4728 3204 cmd.exe 92 PID 3204 wrote to memory of 4728 3204 cmd.exe 92 PID 4740 wrote to memory of 1760 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 93 PID 4740 wrote to memory of 1760 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 93 PID 4740 wrote to memory of 1760 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 93 PID 1760 wrote to memory of 1928 1760 cmd.exe 95 PID 1760 wrote to memory of 1928 1760 cmd.exe 95 PID 1760 wrote to memory of 1928 1760 cmd.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"2⤵PID:4196
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵PID:1996
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4728
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE2⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1928
-
-
Network
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.directdownloader.comIN AResponsewww.directdownloader.comIN A162.255.119.249
-
GEThttp://www.directdownloader.com/stub/stub_ddlr.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:162.255.119.249:80RequestGET /stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Content-Length: 102
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/stub/stub_ddlr.exe
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
-
GEThttp://www.directdownloader.com/stub/OpenCL.dll49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:162.255.119.249:80RequestGET /stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Content-Length: 99
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/stub/OpenCL.dll
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
-
GEThttp://www.directdownloader.com/toolbars/BitAcceleratorDDLRinstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:162.255.119.249:80RequestGET /toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Content-Length: 124
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
-
GEThttp://www.directdownloader.com/toolbars/optimizer.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:162.255.119.249:80RequestGET /toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Content-Length: 106
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exe
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
-
GEThttp://www.directdownloader.com/DirectDownloaderInstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:162.255.119.249:80RequestGET /DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Content-Length: 113
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.180.4
-
GEThttp://www.google.com/enterprise/apps/business/products.html/stub/stub_ddlr.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:142.250.180.4:80RequestGET /enterprise/apps/business/products.html/stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 273
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:05 GMT
Expires: Mon, 15 Jul 2024 11:47:05 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
-
GEThttp://www.google.com/enterprise/apps/business/products.html/stub/OpenCL.dll49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:142.250.180.4:80RequestGET /enterprise/apps/business/products.html/stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 270
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:06 GMT
Expires: Mon, 15 Jul 2024 11:47:06 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
-
GEThttp://www.google.com/enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:142.250.180.4:80RequestGET /enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 295
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:31:18 GMT
Expires: Mon, 15 Jul 2024 12:01:18 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 2
-
GEThttp://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:142.250.180.4:80RequestGET /enterprise/apps/business/products.html/toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 277
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:07 GMT
Expires: Mon, 15 Jul 2024 11:47:07 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
-
GEThttp://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:142.250.180.4:80RequestGET /enterprise/apps/business/products.html/DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 284
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:08 GMT
Expires: Mon, 15 Jul 2024 11:47:08 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 852
-
Remote address:8.8.8.8:53Requestenterprise.google.comIN AResponseenterprise.google.comIN CNAMEwww3.l.google.comwww3.l.google.comIN A172.217.169.78
-
GEThttps://enterprise.google.com/apps/business/products.html/stub/stub_ddlr.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:172.217.169.78:443RequestGET /apps/business/products.html/stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 255
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:06 GMT
Expires: Mon, 15 Jul 2024 11:47:06 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://enterprise.google.com/apps/business/products.html/stub/OpenCL.dll49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:172.217.169.78:443RequestGET /apps/business/products.html/stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 252
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:06 GMT
Expires: Mon, 15 Jul 2024 11:47:06 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://enterprise.google.com/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:172.217.169.78:443RequestGET /apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 277
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:31:18 GMT
Expires: Mon, 15 Jul 2024 12:01:18 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 2
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://enterprise.google.com/apps/business/products.html/toolbars/optimizer.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:172.217.169.78:443RequestGET /apps/business/products.html/toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 259
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:07 GMT
Expires: Mon, 15 Jul 2024 11:47:07 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:172.217.169.78:443RequestGET /apps/business/products.html/DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 266
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:08 GMT
Expires: Mon, 15 Jul 2024 11:47:08 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 852
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Request205.47.74.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request249.119.255.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request4.180.250.142.in-addr.arpaIN PTRResponse4.180.250.142.in-addr.arpaIN PTRlhr25s32-in-f41e100net
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A216.58.201.99
-
Remote address:216.58.201.99:80RequestGET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:05:37 GMT
Expires: Mon, 15 Jul 2024 11:55:37 GMT
Cache-Control: public, max-age=3000
Age: 1542
Last-Modified: Wed, 01 Nov 2023 07:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Requesto.pki.googIN AResponseo.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A216.58.201.99
-
GEThttp://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn9449977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.201.99:80RequestGET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 15 Jul 2024 10:46:38 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2681
-
Remote address:8.8.8.8:53Requestgsuite.google.comIN AResponsegsuite.google.comIN A216.58.204.78
-
GEThttps://gsuite.google.com/products.html/stub/stub_ddlr.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.204.78:443RequestGET /products.html/stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com
ResponseHTTP/1.1 301 Moved Permanently
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 258
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:06 GMT
Expires: Mon, 15 Jul 2024 11:47:06 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://gsuite.google.com/products.html/stub/OpenCL.dll49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.204.78:443RequestGET /products.html/stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 255
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:07 GMT
Expires: Mon, 15 Jul 2024 11:47:07 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 852
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://gsuite.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.204.78:443RequestGET /products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 280
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:31:18 GMT
Expires: Mon, 15 Jul 2024 12:01:18 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 2
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://gsuite.google.com/products.html/toolbars/optimizer.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.204.78:443RequestGET /products.html/toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 262
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:07 GMT
Expires: Mon, 15 Jul 2024 11:47:07 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://gsuite.google.com/products.html/DirectDownloaderInstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.204.78:443RequestGET /products.html/DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 301 Moved Permanently
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 269
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:08 GMT
Expires: Mon, 15 Jul 2024 11:47:08 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 852
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestworkspace.google.comIN AResponseworkspace.google.comIN A216.58.201.110
-
GEThttps://workspace.google.com/products.html/stub/stub_ddlr.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.201.110:443RequestGET /products.html/stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:19 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Set-Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E; expires=Tue, 14-Jan-2025 11:31:19 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://workspace.google.com/products.html/stub/OpenCL.dll49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.201.110:443RequestGET /products.html/stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=ISO-8859-1
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:20 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://workspace.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.201.110:443RequestGET /products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=ISO-8859-1
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:20 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://workspace.google.com/products.html/toolbars/optimizer.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.201.110:443RequestGET /products.html/toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=ISO-8859-1
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:20 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://workspace.google.com/products.html/DirectDownloaderInstaller.exe49977ea91effefa69e91faaf406309c4_JaffaCakes118.exeRemote address:216.58.201.110:443RequestGET /products.html/DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=ISO-8859-1
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:20 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Request78.169.217.172.in-addr.arpaIN PTRResponse78.169.217.172.in-addr.arpaIN PTRlhr48s09-in-f141e100net
-
Remote address:8.8.8.8:53Request78.204.58.216.in-addr.arpaIN PTRResponse78.204.58.216.in-addr.arpaIN PTRlhr25s13-in-f781e100net78.204.58.216.in-addr.arpaIN PTRlhr25s13-in-f14�H78.204.58.216.in-addr.arpaIN PTRlhr48s49-in-f14�H
-
Remote address:8.8.8.8:53Request110.201.58.216.in-addr.arpaIN PTRResponse110.201.58.216.in-addr.arpaIN PTRlhr48s48-in-f141e100net110.201.58.216.in-addr.arpaIN PTRprg03s02-in-f110�I110.201.58.216.in-addr.arpaIN PTRprg03s02-in-f14�I
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
162.255.119.249:80http://www.directdownloader.com/DirectDownloaderInstaller.exehttp49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe1.5kB 2.4kB 20 8
HTTP Request
GET http://www.directdownloader.com/stub/stub_ddlr.exeHTTP Response
302HTTP Request
GET http://www.directdownloader.com/stub/OpenCL.dllHTTP Response
302HTTP Request
GET http://www.directdownloader.com/toolbars/BitAcceleratorDDLRinstaller.exeHTTP Response
302HTTP Request
GET http://www.directdownloader.com/toolbars/optimizer.exeHTTP Response
302HTTP Request
GET http://www.directdownloader.com/DirectDownloaderInstaller.exeHTTP Response
302 -
142.250.180.4:80http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exehttp49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe2.2kB 3.9kB 14 8
HTTP Request
GET http://www.google.com/enterprise/apps/business/products.html/stub/stub_ddlr.exeHTTP Response
301HTTP Request
GET http://www.google.com/enterprise/apps/business/products.html/stub/OpenCL.dllHTTP Response
301HTTP Request
GET http://www.google.com/enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exeHTTP Response
301HTTP Request
GET http://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exeHTTP Response
301HTTP Request
GET http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exeHTTP Response
301 -
172.217.169.78:443https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exetls, http49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe3.0kB 11.1kB 22 15
HTTP Request
GET https://enterprise.google.com/apps/business/products.html/stub/stub_ddlr.exeHTTP Response
301HTTP Request
GET https://enterprise.google.com/apps/business/products.html/stub/OpenCL.dllHTTP Response
301HTTP Request
GET https://enterprise.google.com/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exeHTTP Response
301HTTP Request
GET https://enterprise.google.com/apps/business/products.html/toolbars/optimizer.exeHTTP Response
301HTTP Request
GET https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exeHTTP Response
301 -
395 B 1.8kB 6 5
HTTP Request
GET http://c.pki.goog/r/r1.crlHTTP Response
200 -
216.58.201.99:80http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94http49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe509 B 885 B 6 4
HTTP Request
GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94HTTP Response
200 -
216.58.204.78:443https://gsuite.google.com/products.html/DirectDownloaderInstaller.exetls, http49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe2.9kB 11.0kB 22 14
HTTP Request
GET https://gsuite.google.com/products.html/stub/stub_ddlr.exeHTTP Response
301HTTP Request
GET https://gsuite.google.com/products.html/stub/OpenCL.dllHTTP Response
301HTTP Request
GET https://gsuite.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exeHTTP Response
301HTTP Request
GET https://gsuite.google.com/products.html/toolbars/optimizer.exeHTTP Response
301HTTP Request
GET https://gsuite.google.com/products.html/DirectDownloaderInstaller.exeHTTP Response
301 -
216.58.201.110:443https://workspace.google.com/products.html/DirectDownloaderInstaller.exetls, http49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe31.0kB 851.0kB 633 630
HTTP Request
GET https://workspace.google.com/products.html/stub/stub_ddlr.exeHTTP Response
404HTTP Request
GET https://workspace.google.com/products.html/stub/OpenCL.dllHTTP Response
404HTTP Request
GET https://workspace.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exeHTTP Response
404HTTP Request
GET https://workspace.google.com/products.html/toolbars/optimizer.exeHTTP Response
404HTTP Request
GET https://workspace.google.com/products.html/DirectDownloaderInstaller.exeHTTP Response
404
-
72 B 158 B 1 1
DNS Request
73.159.190.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
70 B 86 B 1 1
DNS Request
www.directdownloader.com
DNS Response
162.255.119.249
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
142.250.180.4
-
67 B 104 B 1 1
DNS Request
enterprise.google.com
DNS Response
172.217.169.78
-
71 B 157 B 1 1
DNS Request
205.47.74.20.in-addr.arpa
-
74 B 154 B 1 1
DNS Request
249.119.255.162.in-addr.arpa
-
72 B 110 B 1 1
DNS Request
4.180.250.142.in-addr.arpa
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
216.58.201.99
-
56 B 107 B 1 1
DNS Request
o.pki.goog
DNS Response
216.58.201.99
-
63 B 79 B 1 1
DNS Request
gsuite.google.com
DNS Response
216.58.204.78
-
66 B 82 B 1 1
DNS Request
workspace.google.com
DNS Response
216.58.201.110
-
73 B 112 B 1 1
DNS Request
78.169.217.172.in-addr.arpa
-
72 B 171 B 1 1
DNS Request
78.204.58.216.in-addr.arpa
-
73 B 173 B 1 1
DNS Request
110.201.58.216.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7B
MD5824ab679eea19c5b43b186800c2c625f
SHA1f8b90bc89117ac4f1a272e7acef952a79a64b617
SHA256f6d4a23bd6b412e4d4906cbd1c56dcbcf5ddd96b6a9098ceba96be94e52f7ab3
SHA512e13bb9c005c2acb412916bf0f4a37b39c2800298042d5344b877143d1b767342903c9bb3e8d4eda75f37cc323b5f623d6bf34629d2c999c7df316de4ffd3caf4
-
Filesize
155KB
MD5e1098470152dc10fb29b3ad7b4e5f5cf
SHA1ae5a796340be8f0912d6c85f81dce21211aaaf15
SHA2563832d19f80a84069c5010266fa3cf11eee5bb1c3d1b2ba278e49519519561b8a
SHA5120ba3a53a3021be99aaf5cf8af54f214feea0f80f112a7ffb209b4c2c0539f8b8b6cd087ba7ed6501c9b79e0a9496494e471ac43f9b7f0aacf58866c01e90e7c6