Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/08/2024, 15:16 UTC

General

  • Target

    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

  • Size

    232KB

  • MD5

    b821af91801eb778f6ca1bdc67df042b

  • SHA1

    3dd3ad700423bc0857df311ead7606b18857c5b4

  • SHA256

    9f2400c583bf895751a988e1daa383932a0508273e27e76db89759c6ad0d3626

  • SHA512

    b16b686502b3d32116c086563d6efcd1818a65d0a6b4ca8e95dceb6edcea99ed21ffdc46a31d2494c65016e2fbfb7819361f5f4c71462a8f0df346da08bb1d8f

  • SSDEEP

    6144:7VdHl5i0Mm6aQc6UeI77KVgS/wnjhHFpG4b3y:7VdR16TBUJKVgk4jhGmy

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:652
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3076
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3632
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4140
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2992
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4256
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4444
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4816
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4856
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3244

Network

  • US
    DNS
    www.premiumsoft.info
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.premiumsoft.info
    IN A
    Response
    www.premiumsoft.info
    IN A
    84.32.84.33
  • LT
    GET
    http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    Remote address:
    84.32.84.33:80
    Request
    GET /dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1 HTTP/1.1
    Accept: */*
    Host: www.premiumsoft.info
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: hcdn
    Date: Thu, 22 Aug 2024 15:16:44 GMT
    Content-Type: text/html
    Content-Length: 10932
    Connection: close
    Vary: Accept-Encoding
    alt-svc: h3=":443"; ma=86400
    x-hcdn-request-id: 2fe2fe8f89ddffaf63825cbc650765a5-fast-edge2
    Expires: Thu, 22 Aug 2024 15:16:43 GMT
    Cache-Control: no-cache
    Accept-Ranges: bytes
  • US
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    33.84.32.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    33.84.32.84.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    138.136.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.136.73.23.in-addr.arpa
    IN PTR
    Response
    138.136.73.23.in-addr.arpa
    IN PTR
    a23-73-136-138.deploy.static.akamaitechnologies.com
  • LT
    GET
    http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    Remote address:
    84.32.84.33:80
    Request
    GET /dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0 HTTP/1.1
    Accept: */*
    Host: www.premiumsoft.info
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: hcdn
    Date: Thu, 22 Aug 2024 15:16:45 GMT
    Content-Type: text/html
    Content-Length: 10932
    Connection: close
    Vary: Accept-Encoding
    alt-svc: h3=":443"; ma=86400
    x-hcdn-request-id: cbb8ed78a888e488ce1334bd2f76af6b-fast-edge3
    Expires: Thu, 22 Aug 2024 15:16:44 GMT
    Cache-Control: no-cache
    Accept-Ranges: bytes
  • US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=18F273C6E91F64060FB56725E8A465C1; domain=.bing.com; expires=Tue, 16-Sep-2025 15:16:46 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1551E5CE1E8D430BBF9AB5910140D7C6 Ref B: LON04EDGE0813 Ref C: 2024-08-22T15:16:46Z
    date: Thu, 22 Aug 2024 15:16:45 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=18F273C6E91F64060FB56725E8A465C1
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=48NueimIGkZSgBgyaJaaKwjLeXrrjaFe2xaDkEnpkXA; domain=.bing.com; expires=Tue, 16-Sep-2025 15:16:46 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6E4372D8DEE34BE18E6BB2DFA404B79F Ref B: LON04EDGE0813 Ref C: 2024-08-22T15:16:46Z
    date: Thu, 22 Aug 2024 15:16:45 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=18F273C6E91F64060FB56725E8A465C1; MSPTC=48NueimIGkZSgBgyaJaaKwjLeXrrjaFe2xaDkEnpkXA
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1E4363D08AB44FB6B1DB50B1CF57388D Ref B: LON04EDGE0813 Ref C: 2024-08-22T15:16:46Z
    date: Thu, 22 Aug 2024 15:16:46 GMT
  • US
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    65.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    65.139.73.23.in-addr.arpa
    IN PTR
    Response
    65.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-65.deploy.static.akamaitechnologies.com
  • US
    DNS
    65.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    65.139.73.23.in-addr.arpa
    IN PTR
  • US
    DNS
    97.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.12.20.2.in-addr.arpa
    IN PTR
    Response
    97.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-97.deploy.static.akamaitechnologies.com
  • US
    DNS
    58.99.105.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.99.105.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317300964_1C92FDN74123R86HE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317300964_1C92FDN74123R86HE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 664785
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 59AE2BA95C5B45D4BFAC4F461287437C Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
    date: Thu, 22 Aug 2024 15:18:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360607351_1LWNG3EPOKCB0ST8C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360607351_1LWNG3EPOKCB0ST8C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 917163
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9189AD2EF9FA41DAA8782D6DAD4F2E52 Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
    date: Thu, 22 Aug 2024 15:18:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360433144_1RLNQD8OFQA9LQ1KZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360433144_1RLNQD8OFQA9LQ1KZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 542449
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 31544355A13648068E235827B022E12D Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
    date: Thu, 22 Aug 2024 15:18:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301397_1RRG7O37Z0P13Z6K4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317301397_1RRG7O37Z0P13Z6K4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 584217
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B92AB435020A421EA1315AC5CDC98C7E Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
    date: Thu, 22 Aug 2024 15:18:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360607350_1DIIHMLKOJP4KM45O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360607350_1DIIHMLKOJP4KM45O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 810507
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9384509351E642838EDFB6314EE58E18 Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
    date: Thu, 22 Aug 2024 15:18:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  • 84.32.84.33:80
    http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1
    http
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    757 B
    11.8kB
    13
    12

    HTTP Request

    GET http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1

    HTTP Response

    200
  • 84.32.84.33:80
    http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0
    http
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    757 B
    11.8kB
    13
    12

    HTTP Request

    GET http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0

    HTTP Response

    200
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    tls, http2
    2.0kB
    9.3kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

    HTTP Response

    204
  • 52.111.236.23:443
    322 B
    7
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    71.2kB
    2.1MB
    1504
    1511

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300964_1C92FDN74123R86HE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360607351_1LWNG3EPOKCB0ST8C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360433144_1RLNQD8OFQA9LQ1KZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301397_1RRG7O37Z0P13Z6K4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360607350_1DIIHMLKOJP4KM45O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 8.8.8.8:53
    www.premiumsoft.info
    dns
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    66 B
    82 B
    1
    1

    DNS Request

    www.premiumsoft.info

    DNS Response

    84.32.84.33

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    33.84.32.84.in-addr.arpa
    dns
    70 B
    129 B
    1
    1

    DNS Request

    33.84.32.84.in-addr.arpa

  • 8.8.8.8:53
    138.136.73.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    138.136.73.23.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    17.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    65.139.73.23.in-addr.arpa
    dns
    142 B
    135 B
    2
    1

    DNS Request

    65.139.73.23.in-addr.arpa

    DNS Request

    65.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    97.12.20.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    97.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    58.99.105.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    58.99.105.20.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10


Downloads

  • C:\ProgramData\InstallMate\BFCABAC5\cfg\1.ini

    Filesize

    10KB

    MD5

    5ecd0a1c0993a62ff81ec1b2e25906f2

    SHA1

    2f16403b0e33ab0e95b118e1055e62021273e62d

    SHA256

    512bce7a3c222e34851ec2065ec8e3f1334ed70538a27457dc6504c6994e3df9

    SHA512

    1b2eb0d86fb8530d7e7aac25c799f09a9205dbd1a2936500ef99771bd69c9f94414bc83bfbf0d74ab0e1d987ad859c2515180cfc034d9ccc85d4a1878aa995c3

  • C:\Users\Admin\AppData\Local\Temp\BFCABAC5\Setup.exe

    Filesize

    15KB

    MD5

    39e03e22e2c5cb67a7a750805de9435a

    SHA1

    50a3ff79f3815f58c8f2bb918fe156037a892387

    SHA256

    7d471a8df92de59217c60f1d1b2882fb04eadb44cf2dd313bba3c7e4d39678b4

    SHA512

    c7944d56f70190b3e6417f8923c844308d4840954afd613320c497170d87aa1300dc65472926c8691a242aa7fafbbdb3f2357ec178b340789f92245bb00dfff8

  • C:\Users\Admin\AppData\Local\Temp\BFCABAC5\Setup.ico

    Filesize

    4KB

    MD5

    c3926cef276c0940dadbc8142153cec9

    SHA1

    f8b350d2b7158f5ab147938961439860d77b9cb4

    SHA256

    0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

    SHA512

    5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

  • C:\Users\Admin\AppData\Local\Temp\BFCABAC5\_Setup.dll

    Filesize

    146KB

    MD5

    a3f3a3b608f9a6d604730cb689dc23c6

    SHA1

    67dbeb74940250916e0592e596aa492c09694f74

    SHA256

    4020fabec983278cb2f9b1eaa17cd9466bbdbd0842a35182e34ecd302ae9d342

    SHA512

    beb0ad1f1b2530366dbc366a642d27965d7e851055086d7c302612eae88d19a501d46c66737c8ee4d0d0c2915d9768cd4d2f1b8e5347bcc3480facdb73484c84

  • C:\Users\Admin\AppData\Local\Temp\BFCABAC5\_Setupx.dll

    Filesize

    16KB

    MD5

    f17dce858db6f84c1c149f8aebb1ce58

    SHA1

    e54f8c536dd66610d0678a3532c4f8834b01abe6

    SHA256

    f32c9be19334ec4a212d173f43e3a97e08434000ff7cef8584afbf72e05ba845

    SHA512

    c08f9efb7a3514c7829d7c9bd0ef384bbe038e695021a089b354eab6e9c13408fab31a01f502013c27c1a50e2e223ad3c33f4ed7424498b4077091c0044b7ce7

  • C:\Users\Admin\AppData\Local\Temp\Tsu-0474.dll

    Filesize

    245KB

    MD5

    8c7a58965b71c9dfbf1a14d3369a2620

    SHA1

    26380249b9bdf1ab864b1c8fa4d01e4c28ba9b5c

    SHA256

    f94e3692cf74256ef5f9df081592603e5b3aac4490ce39cf88363c5f24fa5aa7

    SHA512

    97302e9a0f53fb7239c92049d61d65be2958de3d674cdc25fb2ac10424814930e982278d6d6e8df2e270116a5a1b7d1cfea14250aea99191f3efd571357c7023

  • C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat

    Filesize

    44B

    MD5

    dce39f037d259610f300ecaab636b5c9

    SHA1

    26ebba14cbfe5b704633f417e467ecdf2c8c9d68

    SHA256

    0cc82832933412f9485b63298f2938a25f6a3d4bfb4c174df360fac92469a17f

    SHA512

    cc808305992211e48af76deb27664ee1fb26b31bdc237c2301e9a8d89779c20350ab1a11f467c75c3ba90309c84dec1bfa3f9fd8022c3aee85aefe1fd9b2f7d1

  • C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs

    Filesize

    819B

    MD5

    be2c5cb2df4adaad822c79253b0c0a99

    SHA1

    d77c6abb7a36c5ee7b6c9fab61f9d5c9b5a39405

    SHA256

    aa3a64db11a0b10c2138f76d2682ca7f15ed28026b7cb8f46ef43f5e3d2c68ba

    SHA512

    42dc34b9985a6fb5e1a29e7fc9998522a6def504f625575df3376f0aa4a0a2dcfa71932e5d695629e6b2c073bf6948101bf1b37597d4c3eb57f6f74a849fe24a

  • C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs

    Filesize

    1KB

    MD5

    9a9fe33d6ab7b72f20d3f527bcf65d77

    SHA1

    42ed279fbb906dd2266f338cd3a7b7ab09c6a8c1

    SHA256

    a6dbe61ab8642b5704ee2dac1e4eeffdb0d5ca020ad9708be8cbd608d895b3d8

    SHA512

    f8793b65190992d38ee5e87c16691649bf32babc47e27f01b5e4fa59c1ad577d9a057d7723a29620025f9d34dc4b0d0f6aef5bd6724bbc9abfa6e790673d93a0

  • C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat

    Filesize

    46B

    MD5

    ee88105f41af6d2033cc6260557b2075

    SHA1

    d4cbbb224e0505747b09e61eff58eb351772db65

    SHA256

    78e2750eb21e422cb66742ef7249e588c7f44ba8e61ecc8a4082f6c2569c1062

    SHA512

    0d576b2d375237c2c4f4c1cc9df42b6bcdb547db9dd1d239bd12c457997465f9385d37fee93ae81f2826b6456efa2b58a088473d15a38f03ecd1a864970f3e7a

  • C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs

    Filesize

    2KB

    MD5

    c351b265943887aeeaa7107e2eb42cfd

    SHA1

    259a3ce743cd68113067d6724cc33e9a8c259f0e

    SHA256

    43893ea5c209e868a1c378bd83dac016b0a2538fc141765175e429d19ff22e3c

    SHA512

    7daefde238283f2f0931de8fabcc7475fd6ca86ec2ad7b00bb111f34d1148c254e8ce1b8e9bce273a5c9d36ed0425c015944abda9b39fc9fbb908206a29eb5ad

  • C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat

    Filesize

    50B

    MD5

    025845a297c86694a92c986fd5138063

    SHA1

    9d99aaea0c4e1d861fb99eec763ff0c2d49d1a39

    SHA256

    0742a556a7bd1190f86724a5ca7218115c9623f48ab4fbc4edebaf955f160a63

    SHA512

    4992c4124c0833e502b413ace55a95012d23b8f12c495af3a2b5291faba846c06225a62a277401642547e75512912d42aaa8123c57ced108c17e2937cc04d3d4

  • C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs

    Filesize

    419B

    MD5

    3018e007343612abc7c7ba79d702e891

    SHA1

    229e37be962fbb8b847093995acd446063164193

    SHA256

    dc8ed4e7f31a1a7dca203230ee5d5b4d057d696a49513d3aa1dfc51ff3b6f688

    SHA512

    0fb37e510e3f9c8097d3445b6719bbfc9561d531dac821e24211d881cd3c9e9bcbac7ceec410a2dd5091c563e8b3f1e7254989f9a79b01b403c89b4872d75199

  • C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs

    Filesize

    304B

    MD5

    88e71d4721a85056573dc06a05d2e758

    SHA1

    098c4de1a9f5ae31c475aead205533764c9c3d29

    SHA256

    8df815ee2410caca428516a8c5fb29d1b936dc5c4351e4a87d60b502102638e5

    SHA512

    496fb52cbfbf57f363c3525d3818b216bd08cc44b1e7b0c634b7ea1dd8bfda925842b6e5f998bced21c0a3231e1c5e02d9b14f114c6486a0d0253dd70139987f
