9f2400c583bf895751a988e1daa383932a0508273e27e76db89759c6ad0d3626

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 15:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
Size

232KB
MD5

b821af91801eb778f6ca1bdc67df042b
SHA1

3dd3ad700423bc0857df311ead7606b18857c5b4
SHA256

9f2400c583bf895751a988e1daa383932a0508273e27e76db89759c6ad0d3626
SHA512

b16b686502b3d32116c086563d6efcd1818a65d0a6b4ca8e95dceb6edcea99ed21ffdc46a31d2494c65016e2fbfb7819361f5f4c71462a8f0df346da08bb1d8f
SSDEEP

6144:7VdHl5i0Mm6aQc6UeI77KVgS/wnjhHFpG4b3y:7VdR16TBUJKVgk4jhGmy

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 652	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	84
PID 1140 wrote to memory of 652	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	84
PID 1140 wrote to memory of 652	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	84
PID 1140 wrote to memory of 3076	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	89
PID 1140 wrote to memory of 3076	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	89
PID 1140 wrote to memory of 3076	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	89
PID 1140 wrote to memory of 3632	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	90
PID 1140 wrote to memory of 3632	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	90
PID 1140 wrote to memory of 3632	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	90
PID 1140 wrote to memory of 4140	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	92
PID 1140 wrote to memory of 4140	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	92
PID 1140 wrote to memory of 4140	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	92
PID 1140 wrote to memory of 2992	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	93
PID 1140 wrote to memory of 2992	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	93
PID 1140 wrote to memory of 2992	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	93
PID 1140 wrote to memory of 4256	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	94
PID 1140 wrote to memory of 4256	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	94
PID 1140 wrote to memory of 4256	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	94
PID 1140 wrote to memory of 4444	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	95
PID 1140 wrote to memory of 4444	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	95
PID 1140 wrote to memory of 4444	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	95
PID 1140 wrote to memory of 4816	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	96
PID 1140 wrote to memory of 4816	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	96
PID 1140 wrote to memory of 4816	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	96
PID 1140 wrote to memory of 4856	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	97
PID 1140 wrote to memory of 4856	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	97
PID 1140 wrote to memory of 4856	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	97
PID 1140 wrote to memory of 3244	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	99
PID 1140 wrote to memory of 3244	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	99
PID 1140 wrote to memory of 3244	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:652
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3076
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4256
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4444
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3244

Network

DNS

www.premiumsoft.info

b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

www.premiumsoft.info

IN A

Response

www.premiumsoft.info

IN A

84.32.84.33
GET

http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1

b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

Remote address:

84.32.84.33:80

Request

GET /dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1 HTTP/1.1
Accept: */*
Host: www.premiumsoft.info
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: hcdn
Date: Thu, 22 Aug 2024 15:16:44 GMT
Content-Type: text/html
Content-Length: 10932
Connection: close
Vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: 2fe2fe8f89ddffaf63825cbc650765a5-fast-edge2
Expires: Thu, 22 Aug 2024 15:16:43 GMT
Cache-Control: no-cache
Accept-Ranges: bytes
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

33.84.32.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

33.84.32.84.in-addr.arpa

IN PTR

Response
DNS

138.136.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.136.73.23.in-addr.arpa

IN PTR

Response

138.136.73.23.in-addr.arpa

IN PTR

a23-73-136-138deploystaticakamaitechnologiescom
GET

http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0

b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

Remote address:

84.32.84.33:80

Request

GET /dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0 HTTP/1.1
Accept: */*
Host: www.premiumsoft.info
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: hcdn
Date: Thu, 22 Aug 2024 15:16:45 GMT
Content-Type: text/html
Content-Length: 10932
Connection: close
Vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: cbb8ed78a888e488ce1334bd2f76af6b-fast-edge3
Expires: Thu, 22 Aug 2024 15:16:44 GMT
Cache-Control: no-cache
Accept-Ranges: bytes
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=18F273C6E91F64060FB56725E8A465C1; domain=.bing.com; expires=Tue, 16-Sep-2025 15:16:46 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1551E5CE1E8D430BBF9AB5910140D7C6 Ref B: LON04EDGE0813 Ref C: 2024-08-22T15:16:46Z
date: Thu, 22 Aug 2024 15:16:45 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=18F273C6E91F64060FB56725E8A465C1

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=48NueimIGkZSgBgyaJaaKwjLeXrrjaFe2xaDkEnpkXA; domain=.bing.com; expires=Tue, 16-Sep-2025 15:16:46 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6E4372D8DEE34BE18E6BB2DFA404B79F Ref B: LON04EDGE0813 Ref C: 2024-08-22T15:16:46Z
date: Thu, 22 Aug 2024 15:16:45 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=18F273C6E91F64060FB56725E8A465C1; MSPTC=48NueimIGkZSgBgyaJaaKwjLeXrrjaFe2xaDkEnpkXA

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1E4363D08AB44FB6B1DB50B1CF57388D Ref B: LON04EDGE0813 Ref C: 2024-08-22T15:16:46Z
date: Thu, 22 Aug 2024 15:16:46 GMT
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

65.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.139.73.23.in-addr.arpa

IN PTR

Response

65.139.73.23.in-addr.arpa

IN PTR

a23-73-139-65deploystaticakamaitechnologiescom
DNS

65.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.139.73.23.in-addr.arpa

IN PTR
DNS

97.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.12.20.2.in-addr.arpa

IN PTR

Response

97.12.20.2.in-addr.arpa

IN PTR

a2-20-12-97deploystaticakamaitechnologiescom
DNS

58.99.105.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.99.105.20.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300964_1C92FDN74123R86HE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317300964_1C92FDN74123R86HE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 664785
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 59AE2BA95C5B45D4BFAC4F461287437C Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
date: Thu, 22 Aug 2024 15:18:26 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360607351_1LWNG3EPOKCB0ST8C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360607351_1LWNG3EPOKCB0ST8C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 917163
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9189AD2EF9FA41DAA8782D6DAD4F2E52 Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
date: Thu, 22 Aug 2024 15:18:26 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360433144_1RLNQD8OFQA9LQ1KZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360433144_1RLNQD8OFQA9LQ1KZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 542449
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 31544355A13648068E235827B022E12D Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
date: Thu, 22 Aug 2024 15:18:26 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301397_1RRG7O37Z0P13Z6K4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301397_1RRG7O37Z0P13Z6K4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 584217
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B92AB435020A421EA1315AC5CDC98C7E Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
date: Thu, 22 Aug 2024 15:18:26 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360607350_1DIIHMLKOJP4KM45O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360607350_1DIIHMLKOJP4KM45O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 810507
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9384509351E642838EDFB6314EE58E18 Ref B: LON04EDGE0706 Ref C: 2024-08-22T15:18:26Z
date: Thu, 22 Aug 2024 15:18:26 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

84.32.84.33:80

http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1

http

b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

757 B
11.8kB
13
12

HTTP Request

GET http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1

HTTP Response

200
84.32.84.33:80

http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0

http

b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

757 B
11.8kB
13
12

HTTP Request

GET http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0

HTTP Response

200
150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

tls, http2

2.0kB
9.3kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a49b76fdbad8451a9f9ea06169ae146c&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

HTTP Response

204
52.111.236.23:443

322 B
7
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.1kB
6.9kB
14
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.1kB
6.9kB
14
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.1kB
6.9kB
14
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

71.2kB
2.1MB
1504
1511

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300964_1C92FDN74123R86HE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360607351_1LWNG3EPOKCB0ST8C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360433144_1RLNQD8OFQA9LQ1KZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301397_1RRG7O37Z0P13Z6K4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360607350_1DIIHMLKOJP4KM45O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.1kB
6.9kB
14
13

8.8.8.8:53

www.premiumsoft.info

dns

b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

66 B
82 B
1
1

DNS Request

www.premiumsoft.info

DNS Response

84.32.84.33
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

33.84.32.84.in-addr.arpa

dns

70 B
129 B
1
1

DNS Request

33.84.32.84.in-addr.arpa
8.8.8.8:53

138.136.73.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

138.136.73.23.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.27.171.150.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

65.139.73.23.in-addr.arpa

dns

142 B
135 B
2
1

DNS Request

65.139.73.23.in-addr.arpa

DNS Request

65.139.73.23.in-addr.arpa
8.8.8.8:53

97.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

97.12.20.2.in-addr.arpa
8.8.8.8:53

58.99.105.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

58.99.105.20.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\BFCABAC5\cfg\1.ini

Filesize
10KB

MD5
5ecd0a1c0993a62ff81ec1b2e25906f2

SHA1
2f16403b0e33ab0e95b118e1055e62021273e62d

SHA256
512bce7a3c222e34851ec2065ec8e3f1334ed70538a27457dc6504c6994e3df9

SHA512
1b2eb0d86fb8530d7e7aac25c799f09a9205dbd1a2936500ef99771bd69c9f94414bc83bfbf0d74ab0e1d987ad859c2515180cfc034d9ccc85d4a1878aa995c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFCABAC5\Setup.exe

Filesize
15KB

MD5
39e03e22e2c5cb67a7a750805de9435a

SHA1
50a3ff79f3815f58c8f2bb918fe156037a892387

SHA256
7d471a8df92de59217c60f1d1b2882fb04eadb44cf2dd313bba3c7e4d39678b4

SHA512
c7944d56f70190b3e6417f8923c844308d4840954afd613320c497170d87aa1300dc65472926c8691a242aa7fafbbdb3f2357ec178b340789f92245bb00dfff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFCABAC5\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFCABAC5\_Setup.dll

Filesize
146KB

MD5
a3f3a3b608f9a6d604730cb689dc23c6

SHA1
67dbeb74940250916e0592e596aa492c09694f74

SHA256
4020fabec983278cb2f9b1eaa17cd9466bbdbd0842a35182e34ecd302ae9d342

SHA512
beb0ad1f1b2530366dbc366a642d27965d7e851055086d7c302612eae88d19a501d46c66737c8ee4d0d0c2915d9768cd4d2f1b8e5347bcc3480facdb73484c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFCABAC5\_Setupx.dll

Filesize
16KB

MD5
f17dce858db6f84c1c149f8aebb1ce58

SHA1
e54f8c536dd66610d0678a3532c4f8834b01abe6

SHA256
f32c9be19334ec4a212d173f43e3a97e08434000ff7cef8584afbf72e05ba845

SHA512
c08f9efb7a3514c7829d7c9bd0ef384bbe038e695021a089b354eab6e9c13408fab31a01f502013c27c1a50e2e223ad3c33f4ed7424498b4077091c0044b7ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu-0474.dll

Filesize
245KB

MD5
8c7a58965b71c9dfbf1a14d3369a2620

SHA1
26380249b9bdf1ab864b1c8fa4d01e4c28ba9b5c

SHA256
f94e3692cf74256ef5f9df081592603e5b3aac4490ce39cf88363c5f24fa5aa7

SHA512
97302e9a0f53fb7239c92049d61d65be2958de3d674cdc25fb2ac10424814930e982278d6d6e8df2e270116a5a1b7d1cfea14250aea99191f3efd571357c7023

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat

Filesize
44B

MD5
dce39f037d259610f300ecaab636b5c9

SHA1
26ebba14cbfe5b704633f417e467ecdf2c8c9d68

SHA256
0cc82832933412f9485b63298f2938a25f6a3d4bfb4c174df360fac92469a17f

SHA512
cc808305992211e48af76deb27664ee1fb26b31bdc237c2301e9a8d89779c20350ab1a11f467c75c3ba90309c84dec1bfa3f9fd8022c3aee85aefe1fd9b2f7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs

Filesize
819B

MD5
be2c5cb2df4adaad822c79253b0c0a99

SHA1
d77c6abb7a36c5ee7b6c9fab61f9d5c9b5a39405

SHA256
aa3a64db11a0b10c2138f76d2682ca7f15ed28026b7cb8f46ef43f5e3d2c68ba

SHA512
42dc34b9985a6fb5e1a29e7fc9998522a6def504f625575df3376f0aa4a0a2dcfa71932e5d695629e6b2c073bf6948101bf1b37597d4c3eb57f6f74a849fe24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs

Filesize
1KB

MD5
9a9fe33d6ab7b72f20d3f527bcf65d77

SHA1
42ed279fbb906dd2266f338cd3a7b7ab09c6a8c1

SHA256
a6dbe61ab8642b5704ee2dac1e4eeffdb0d5ca020ad9708be8cbd608d895b3d8

SHA512
f8793b65190992d38ee5e87c16691649bf32babc47e27f01b5e4fa59c1ad577d9a057d7723a29620025f9d34dc4b0d0f6aef5bd6724bbc9abfa6e790673d93a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat

Filesize
46B

MD5
ee88105f41af6d2033cc6260557b2075

SHA1
d4cbbb224e0505747b09e61eff58eb351772db65

SHA256
78e2750eb21e422cb66742ef7249e588c7f44ba8e61ecc8a4082f6c2569c1062

SHA512
0d576b2d375237c2c4f4c1cc9df42b6bcdb547db9dd1d239bd12c457997465f9385d37fee93ae81f2826b6456efa2b58a088473d15a38f03ecd1a864970f3e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs

Filesize
2KB

MD5
c351b265943887aeeaa7107e2eb42cfd

SHA1
259a3ce743cd68113067d6724cc33e9a8c259f0e

SHA256
43893ea5c209e868a1c378bd83dac016b0a2538fc141765175e429d19ff22e3c

SHA512
7daefde238283f2f0931de8fabcc7475fd6ca86ec2ad7b00bb111f34d1148c254e8ce1b8e9bce273a5c9d36ed0425c015944abda9b39fc9fbb908206a29eb5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat

Filesize
50B

MD5
025845a297c86694a92c986fd5138063

SHA1
9d99aaea0c4e1d861fb99eec763ff0c2d49d1a39

SHA256
0742a556a7bd1190f86724a5ca7218115c9623f48ab4fbc4edebaf955f160a63

SHA512
4992c4124c0833e502b413ace55a95012d23b8f12c495af3a2b5291faba846c06225a62a277401642547e75512912d42aaa8123c57ced108c17e2937cc04d3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs

Filesize
419B

MD5
3018e007343612abc7c7ba79d702e891

SHA1
229e37be962fbb8b847093995acd446063164193

SHA256
dc8ed4e7f31a1a7dca203230ee5d5b4d057d696a49513d3aa1dfc51ff3b6f688

SHA512
0fb37e510e3f9c8097d3445b6719bbfc9561d531dac821e24211d881cd3c9e9bcbac7ceec410a2dd5091c563e8b3f1e7254989f9a79b01b403c89b4872d75199

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs

Filesize
304B

MD5
88e71d4721a85056573dc06a05d2e758

SHA1
098c4de1a9f5ae31c475aead205533764c9c3d29

SHA256
8df815ee2410caca428516a8c5fb29d1b936dc5c4351e4a87d60b502102638e5

SHA512
496fb52cbfbf57f363c3525d3818b216bd08cc44b1e7b0c634b7ea1dd8bfda925842b6e5f998bced21c0a3231e1c5e02d9b14f114c6486a0d0253dd70139987f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.