295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 09:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
Size

109KB
MD5

859c3f171bcb3ed7d10007ec71f98082
SHA1

b02a91d37762e485e02284ad13040522ea41471c
SHA256

295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d
SHA512

9bff308eb1ad3e01d4d95bda21f8018398ccafd9d6f6c1d9b209f77a0598f84b2245870184dac8a2278c34f97af38c9d8e36506ae552b29baecc6a84a7e34391
SSDEEP

3072:08jQ/bYnmYQus2HoUqrdT1x/QaiAjnLq845OKzNm:0IQ/b4nqbdB9Xnt45VRm

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf080521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchosts.exe C:\\Windows\\system32\\lwfdfia16_080521.dll tanlt88"	sgcxcxxaspf080521.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sgcxcxxaspf080521.exe

Deletes itself 1 IoCs

pid	Process
3604	svchosts.exe

Executes dropped EXE 2 IoCs

pid	Process
3604	svchosts.exe
4468	sgcxcxxaspf080521.exe

Loads dropped DLL 1 IoCs

pid	Process
3604	svchosts.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lwfdfia16_080521.dll	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mdccasys32_080521.dll	sgcxcxxaspf080521.exe
File created	C:\Windows\SysWOW64\inf\svchosts.exe	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchosts.exe	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs080521.scr	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mdccasys32_080521.dll	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scsys16_080521.dll	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pwisys.ini	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\system\sgcxcxxaspf080521.exe	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File opened for modification	C:\Windows\pwisys.ini	svchosts.exe
File opened for modification	C:\Windows\pwisys.ini	sgcxcxxaspf080521.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sgcxcxxaspf080521.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430047784"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sgcxcxxaspf080521.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1563188665"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31124233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1563188665"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31124233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{88D5E3B3-56FC-11EF-939B-EEE1DD5A0987} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31124233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1566001151"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2416	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
2416	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
2416	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
2416	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe
4468	sgcxcxxaspf080521.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
Token: SeDebugPrivilege	2416	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	4468	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	4468	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	4468	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	4468	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	4468	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	4468	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	4468	sgcxcxxaspf080521.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4060	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4060	IEXPLORE.EXE
4060	IEXPLORE.EXE
632	IEXPLORE.EXE
632	IEXPLORE.EXE
632	IEXPLORE.EXE
632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3604	2416	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe	92
PID 2416 wrote to memory of 3604	2416	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe	92
PID 2416 wrote to memory of 3604	2416	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe	92
PID 3604 wrote to memory of 2132	3604	svchosts.exe	94
PID 3604 wrote to memory of 2132	3604	svchosts.exe	94
PID 3604 wrote to memory of 2132	3604	svchosts.exe	94
PID 2132 wrote to memory of 4468	2132	cmd.exe	96
PID 2132 wrote to memory of 4468	2132	cmd.exe	96
PID 2132 wrote to memory of 4468	2132	cmd.exe	96
PID 4468 wrote to memory of 4060	4468	sgcxcxxaspf080521.exe	99
PID 4468 wrote to memory of 4060	4468	sgcxcxxaspf080521.exe	99
PID 4060 wrote to memory of 632	4060	IEXPLORE.EXE	100
PID 4060 wrote to memory of 632	4060	IEXPLORE.EXE	100
PID 4060 wrote to memory of 632	4060	IEXPLORE.EXE	100
PID 4468 wrote to memory of 4060	4468	sgcxcxxaspf080521.exe	99

C:\Users\Admin\AppData\Local\Temp\859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\inf\svchosts.exe
  "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwfdfia16_080521.dll tanlt88
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\system\sgcxcxxaspf080521.exe
      "C:\Windows\system\sgcxcxxaspf080521.exe" i
      4⤵
      Adds policy Run key to start application
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:632

Network

DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR
DNS

api.bing.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

api.bing.com

IN A

Response

api.bing.com

IN CNAME

api-bing-com.e-0001.e-msedge.net

api-bing-com.e-0001.e-msedge.net

IN CNAME

e-0001.e-msedge.net

e-0001.e-msedge.net

IN A

13.107.5.80
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

192.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

192.142.123.92.in-addr.arpa

IN PTR

Response

192.142.123.92.in-addr.arpa

IN PTR

a92-123-142-192deploystaticakamaitechnologiescom
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

161.19.199.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

161.19.199.152.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

23.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.236.111.52.in-addr.arpa

IN PTR

Response
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 405350
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 710D0AC127F84935AA7970FF7E7268C3 Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
date: Sat, 10 Aug 2024 09:41:19 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 719294
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A37E2C4C21714D48BC3FD5B9EA255F6C Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
date: Sat, 10 Aug 2024 09:41:19 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 561868
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0ACC5BCB57044E8FA86B5C8E5309F8F2 Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
date: Sat, 10 Aug 2024 09:41:19 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 830618
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6D43084B9B8441BE98A8B7397901D81C Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
date: Sat, 10 Aug 2024 09:41:19 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300927_1MHQY2TQNUIH7ZQRL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317300927_1MHQY2TQNUIH7ZQRL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 712307
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 549E42CAEEF84859A6575D7C97835147 Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
date: Sat, 10 Aug 2024 09:41:19 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 718774
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 89266A52C4634B6E9F044B62E853FF42 Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
date: Sat, 10 Aug 2024 09:41:19 GMT
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response

204.79.197.200:443

ieonline.microsoft.com

tls, http2

IEXPLORE.EXE

1.2kB
8.6kB
16
14
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.3kB
7.2kB
16
12
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.3kB
7.2kB
16
12
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.3kB
7.2kB
16
11
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.3kB
7.2kB
16
12
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

144.1kB
4.1MB
2968
2962

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300927_1MHQY2TQNUIH7ZQRL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

157.123.68.40.in-addr.arpa

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

api.bing.com

dns

IEXPLORE.EXE

58 B
134 B
1
1

DNS Request

api.bing.com

DNS Response

13.107.5.80
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

192.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

192.142.123.92.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

161.19.199.152.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

161.19.199.152.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

23.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.236.111.52.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.27.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\inf\svchosts.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\lwfdfia16_080521.dll

Filesize
30KB

MD5
545b50208a7058cbf817f692abf5e7ee

SHA1
e1cf5613dee8bb51102a0c0da99bf515db2c96ff

SHA256
329ae4cdebde953f989ebb0a7a815e9eeaf0f5b780cfaa6f4f37aeb8ae7194fe

SHA512
c17cc9d3d69b43fd9cba1465eecc637eba4dd2396cee488be26adb35d93d5926358bc782db75aef1d262094181a9a863f9cc1025a3a7b3c161b76fe3d41149a4

Download Submit
C:\Windows\SysWOW64\mdccasys32_080521.dll

Filesize
218KB

MD5
b64ce329b1243662ee34c2b15ee00aff

SHA1
a7b4fc826fb785ca8c1be74f665a7204c848b300

SHA256
17353a78a579784ad3194e3d19ca10ad8cbbb2f39bc7651f5f3e264932694a31

SHA512
ccaa27d3db61a8976f43439891afb27695982752cc1bccf5173300584e45a785191f9d991c26e2570acfe08550cc45168301200bc5a76803aad7847e2d8ce8b1

Download Submit
C:\Windows\System\sgcxcxxaspf080521.exe

Filesize
109KB

MD5
859c3f171bcb3ed7d10007ec71f98082

SHA1
b02a91d37762e485e02284ad13040522ea41471c

SHA256
295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d

SHA512
9bff308eb1ad3e01d4d95bda21f8018398ccafd9d6f6c1d9b209f77a0598f84b2245870184dac8a2278c34f97af38c9d8e36506ae552b29baecc6a84a7e34391

Download Submit
C:\Windows\pwisys.ini

Filesize
46B

MD5
02a44daab973d76f4d098b09bb769341

SHA1
f08c38e8f4204154b5e0abd563e52eb8ac18daba

SHA256
7c0b825425cd7bf72504488463b492b9c8531ea796988fcf7f7f5868a2293f73

SHA512
1320a0f8fbd6ee431a636d932994d53a6253ce9ba8847d0efd7c99f3e2817d2f5edba39cdd6a5fcf7e94938ad0933a2b3eb951a24836efec01fb8a4dc5558d90

Download Submit
C:\Windows\pwisys.ini

Filesize
462B

MD5
e4a597ac6a528195d251d510df8bf71a

SHA1
76a5b62d6b91e31d813cd62d2119430f3fbe55a0

SHA256
37dac674fe56c07abad128bc012f3c3376e530b851a00ff482188d6ca5ff474a

SHA512
2f5ae4438c38186f3abb996325cae79c3abe7208807a8308f716213f73d1c0c70746db623d2c644e9535759f1c5519fb26279700722f6e2b35bf0163f5eaba87

Download Submit
C:\Windows\pwisys.ini

Filesize
378B

MD5
abbaa9a765414a0fdc24dbe9ce532f40

SHA1
bfe805d6ddf84697841ec4755c82c7e9e93f3d24

SHA256
2ef297d5f1d5fc24ab4a4bddedf70e40392a0482f36655599aeabb2a1c142b1c

SHA512
11f82c93d9a40bff0567dbda7abce71c9d691c27e9fcb754b1389ee97a73915bf364e2948038e2bfe0cab5a3881837ba336ecfdec6399027f852edc20f04c6b1

Download Submit
C:\Windows\pwisys.ini

Filesize
406B

MD5
3bde21d9225f08f610849475259a2ad0

SHA1
c5924b016d75c7e55dc9162a7a067268e80be0ab

SHA256
4838d22a50bc7f72121943a280852048e50d04e7e6af7d1a23586125a4d02860

SHA512
57a1defff7079ed624619e48fe8a3c2564e6d8a99eff0f965c05f246cbd957266a3725ee851b4a360dc6761aca499bd376126c7c649db4cf2c7e4b9b46c11988

Download Submit
C:\Windows\pwisys.ini

Filesize
412B

MD5
33f58ad13eb73a2db5f5742c1abdec6f

SHA1
95d0b31201ca35e38cac6d72ca948ff570849c42

SHA256
508da3348f05bcc4023b176828f985553a36411b9b722fbc1fa53b70ce3c78d1

SHA512
41d408242301fa7dfa011bbd2c49dadb83cddc690658bad68bb3a1d1c247891ffc73362536628a49e384be9a3303c99956c51acb23af3981af28aaa531e80e12

Download Submit
C:\Windows\pwisys.ini

Filesize
445B

MD5
31455763d54417b06d02539065e0bd4b

SHA1
575d9e0ec77264f5d38d5d2b1aa268b4bf75cd60

SHA256
c355f3d72c07223261bdb91f4e4b6231ee02ea253909c60320cf42e95a40af92

SHA512
e2f85bc5a4d21bd215703ef64bc93243f351dfbe554a0db1140d96d79ac9ea93c03a1d3dbb858a4e5c5b4c6e428fcbf6b558f8ed8eff75638de7899c3d522394

Download Submit
C:\Windows\pwisys.ini

Filesize
472B

MD5
ba68736bb091dfa427efa5dd6185087d

SHA1
57ab795d4cc4997dbbda06d19e9425b57b1c16e4

SHA256
05501ed09119326c1f79664d8d19bea3f796945b55426a864af3d55b8940ee2d

SHA512
ceecf9600f260b02394e04b54f9f4e42dc718bcf300a22c2a7dcb9d1c6b18191cfbc5d512bde67e05cf5dea4ac5c3d4501649bfaba892002a904354376fbce08

Download Submit
\??\c:\mylstecj.bat

Filesize
53B

MD5
a030a092e0004463d8277d9a7f5aa38a

SHA1
544bd23833a144c2bb965b494253aedf2a78f27c

SHA256
09973710a0dbef6e906db4dfa88b531ff2abe02a3af84b37adfb9e0c387a52e9

SHA512
c3306df79ab7820046a9144e7949fb6a5da56f1ca900f89fd1f6ab8f477b24b8364ed01f98f75ea0c14de35a380314aeb9f840b5e4eef77cf6c48a223a31bb47

Download Submit
memory/3604-72-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3604-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3604-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3604-108-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3604-109-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.