Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/08/2024, 05:54 UTC
Static task
static1
Behavioral task
behavioral1
Sample
a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe
-
Size
610KB
-
MD5
a9d7c9ecfac263279b5db80e36cfa2b5
-
SHA1
9692b1385fb7ef2b056ca92f06de7916e3ae325d
-
SHA256
98e4cbbbb065cfc9e4638db9997a035813b69dbd7f6de485abb0048d88f16d5b
-
SHA512
61447f5f4ade8787a5e21ad882f172a22cb8963e844b594485396b672cc3d4dcf67bc9e104ec7f5f5498cf3df87bec9daf680bce85d60a536def5fa5eb1f4b64
-
SSDEEP
12288:U0/zSknQgmbFlXTPhvHA7azeJNrBRaMF7Yi8yR41VnUAqh1R:8RbFR9A7aCsc76U43UAqh/
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/1272-3-0x0000000002430000-0x000000000345A000-memory.dmp upx behavioral2/memory/1272-7-0x0000000002430000-0x000000000345A000-memory.dmp upx behavioral2/memory/1272-9-0x0000000002430000-0x000000000345A000-memory.dmp upx behavioral2/memory/1272-21-0x0000000002430000-0x000000000345A000-memory.dmp upx behavioral2/memory/1272-35-0x0000000002430000-0x000000000345A000-memory.dmp upx behavioral2/memory/1272-62-0x0000000002430000-0x000000000345A000-memory.dmp upx behavioral2/memory/1272-69-0x0000000002430000-0x000000000345A000-memory.dmp upx behavioral2/memory/1272-75-0x0000000002430000-0x000000000345A000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe Token: SeDebugPrivilege 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1272 wrote to memory of 800 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 8 PID 1272 wrote to memory of 792 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 9 PID 1272 wrote to memory of 64 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 13 PID 1272 wrote to memory of 620 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 50 PID 1272 wrote to memory of 768 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 51 PID 1272 wrote to memory of 3120 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 52 PID 1272 wrote to memory of 3384 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 55 PID 1272 wrote to memory of 3564 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 57 PID 1272 wrote to memory of 3748 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 58 PID 1272 wrote to memory of 3840 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 59 PID 1272 wrote to memory of 3908 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 60 PID 1272 wrote to memory of 3996 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 61 PID 1272 wrote to memory of 3584 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 62 PID 1272 wrote to memory of 952 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 75 PID 1272 wrote to memory of 1980 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 76 PID 1272 wrote to memory of 5092 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 81 PID 1272 wrote to memory of 3300 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 82 PID 1272 wrote to memory of 800 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 8 PID 1272 wrote to memory of 792 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 9 PID 1272 wrote to memory of 64 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 13 PID 1272 wrote to memory of 620 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 50 PID 1272 wrote to memory of 768 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 51 PID 1272 wrote to memory of 3120 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 52 PID 1272 wrote to memory of 3384 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 55 PID 1272 wrote to memory of 3564 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 57 PID 1272 wrote to memory of 3748 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 58 PID 1272 wrote to memory of 3840 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 59 PID 1272 wrote to memory of 3908 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 60 PID 1272 wrote to memory of 3996 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 61 PID 1272 wrote to memory of 3584 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 62 PID 1272 wrote to memory of 952 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 75 PID 1272 wrote to memory of 1980 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 76 PID 1272 wrote to memory of 5092 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 81 PID 1272 wrote to memory of 4968 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 85 PID 1272 wrote to memory of 5048 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 86 PID 1272 wrote to memory of 4404 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 98 PID 1272 wrote to memory of 4404 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 98 PID 1272 wrote to memory of 4404 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 98 PID 1272 wrote to memory of 4404 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 98 PID 1272 wrote to memory of 4480 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 99 PID 1272 wrote to memory of 4480 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 99 PID 1272 wrote to memory of 4480 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 99 PID 1272 wrote to memory of 4480 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 99 PID 1272 wrote to memory of 1800 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 100 PID 1272 wrote to memory of 1800 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 100 PID 1272 wrote to memory of 1800 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 100 PID 1272 wrote to memory of 1800 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 100 PID 1272 wrote to memory of 4784 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 101 PID 1272 wrote to memory of 4784 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 101 PID 1272 wrote to memory of 4784 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 101 PID 1272 wrote to memory of 4784 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 101 PID 1272 wrote to memory of 2816 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 102 PID 1272 wrote to memory of 2816 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 102 PID 1272 wrote to memory of 2816 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 102 PID 1272 wrote to memory of 2816 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 102 PID 1272 wrote to memory of 1388 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 103 PID 1272 wrote to memory of 1388 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 103 PID 1272 wrote to memory of 1388 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 103 PID 1272 wrote to memory of 1388 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 103 PID 1272 wrote to memory of 116 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 104 PID 1272 wrote to memory of 116 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 104 PID 1272 wrote to memory of 116 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 104 PID 1272 wrote to memory of 116 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 104 PID 1272 wrote to memory of 3692 1272 a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe 105 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:64
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:620
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:768
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3120
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3384
-
C:\Users\Admin\AppData\Local\Temp\a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a9d7c9ecfac263279b5db80e36cfa2b5_JaffaCakes118.exe"2⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1272 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:4404
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:4480
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:1800
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:4784
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:2816
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:1388
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:116
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:3692
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:752
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:3648
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:5044
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
- System Location Discovery: System Language Discovery
PID:2808
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3564
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3748
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3840
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3908
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3996
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3584
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:952
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1980
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:5092
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3300
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4968
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5048
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4a4 0x41c1⤵PID:3928
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1768
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:748
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237dual-a-0034.a-msedge.netIN A13.107.21.237
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=backgroundTaskHost.exeRemote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1D7395E0B9FC63B51F878100B81C622B; domain=.bing.com; expires=Sat, 13-Sep-2025 05:54:34 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8BFC5D533D7248FDA415EFD34DC551B6 Ref B: LON04EDGE1219 Ref C: 2024-08-19T05:54:34Z
date: Mon, 19 Aug 2024 05:54:33 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=backgroundTaskHost.exeRemote address:204.79.197.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1D7395E0B9FC63B51F878100B81C622B
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Ot3ltcqvufAmfjZP9Auc3HGVEBb5_1EUaXEaZB5HWJw; domain=.bing.com; expires=Sat, 13-Sep-2025 05:54:34 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F1331566D1B54D4AA570D348B5D778F6 Ref B: LON04EDGE1219 Ref C: 2024-08-19T05:54:34Z
date: Mon, 19 Aug 2024 05:54:33 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=backgroundTaskHost.exeRemote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1D7395E0B9FC63B51F878100B81C622B; MSPTC=Ot3ltcqvufAmfjZP9Auc3HGVEBb5_1EUaXEaZB5HWJw
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 888EA2F282294E11B2F102CC847CD574 Ref B: LON04EDGE1219 Ref C: 2024-08-19T05:54:34Z
date: Mon, 19 Aug 2024 05:54:33 GMT
-
Remote address:8.8.8.8:53Request74.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request57.169.31.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request57.169.31.20.in-addr.arpaIN PTR
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:92.123.142.186:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=1D7395E0B9FC63B51F878100B81C622B; MSPTC=Ot3ltcqvufAmfjZP9Auc3HGVEBb5_1EUaXEaZB5HWJw
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Mon, 19 Aug 2024 05:54:36 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.9c8e7b5c.1724046876.b93bd02
-
Remote address:8.8.8.8:53Request186.142.123.92.in-addr.arpaIN PTRResponse186.142.123.92.in-addr.arpaIN PTRa92-123-142-186deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request186.142.123.92.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 666327
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F07D090360844B119A21E861A1B61C7F Ref B: LON04EDGE0706 Ref C: 2024-08-19T05:56:08Z
date: Mon, 19 Aug 2024 05:56:07 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301060_1R4MHRP0LUJX09GMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301060_1R4MHRP0LUJX09GMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 665717
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E52C900090C8404B9A5D40E4375FCB2B Ref B: LON04EDGE0706 Ref C: 2024-08-19T05:56:08Z
date: Mon, 19 Aug 2024 05:56:07 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 325315
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 59B054A2562D47C2843474E006CDBD5A Ref B: LON04EDGE0706 Ref C: 2024-08-19T05:56:08Z
date: Mon, 19 Aug 2024 05:56:07 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301493_1LBG6KMWNFIA52WWP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301493_1LBG6KMWNFIA52WWP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 532229
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 33EE276601F94F719A1D98DEE57E55C8 Ref B: LON04EDGE0706 Ref C: 2024-08-19T05:56:08Z
date: Mon, 19 Aug 2024 05:56:07 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 473521
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3E2DC808D419492B8C177152BDE1B345 Ref B: LON04EDGE0706 Ref C: 2024-08-19T05:56:08Z
date: Mon, 19 Aug 2024 05:56:08 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 679182
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D7FA14BDD567495486F3DA6B764E064F Ref B: LON04EDGE0706 Ref C: 2024-08-19T05:56:08Z
date: Mon, 19 Aug 2024 05:56:08 GMT
-
Remote address:8.8.8.8:53Request10.27.171.150.in-addr.arpaIN PTRResponse
-
204.79.197.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=tls, http2backgroundTaskHost.exe2.0kB 9.3kB 21 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af1e49dd338e40bd905cb206d43e155f&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=HTTP Response
204 -
92.123.142.186:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.5kB 6.3kB 16 13
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200 -
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2119.3kB 3.5MB 2535 2527
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301060_1R4MHRP0LUJX09GMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301493_1LBG6KMWNFIA52WWP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200 -
1.2kB 6.9kB 15 13
-
1.1kB 7.7kB 13 11
-
1.2kB 6.9kB 16 13
-
1.2kB 7.3kB 16 13
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.23713.107.21.237
-
71 B 157 B 1 1
DNS Request
74.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa
-
142 B 157 B 2 1
DNS Request
57.169.31.20.in-addr.arpa
DNS Request
57.169.31.20.in-addr.arpa
-
146 B 139 B 2 1
DNS Request
186.142.123.92.in-addr.arpa
DNS Request
186.142.123.92.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
72 B 158 B 1 1
DNS Request
10.27.171.150.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2