93d9929bd1ee8fb84f3ac6d6aafb5955c2f8a8f0cb8319b5546cdbaa8f852af0

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 12:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe
Size

47KB
MD5

f5fec04f9c87894d236f36d94c046617
SHA1

bcb91a95943caa1250450cb7f31fce295d79e9a4
SHA256

93d9929bd1ee8fb84f3ac6d6aafb5955c2f8a8f0cb8319b5546cdbaa8f852af0
SHA512

5c0aebb9ce59569c05def9f1786f8053a7a79f0ea9807f1f6db6bebf8eb34b547298005103ebd249904a9809404e3e1cbc3e2524ed7cc17e23c86bcdbc58f7e7
SSDEEP

768:WQmFXYDHFlVD20CbDhN5GcF0juVA8IBwV4qgDC/39h:WQSoDHbVDg7UfjuVlhVh

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:436

Network

DNS

adobe.com

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

adobe.com

IN A

Response

adobe.com

IN A

2.20.12.90

adobe.com

IN A

2.20.12.104
POST

http://adobe.com/geo/productid.php

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

2.20.12.90:80

Request

POST /geo/productid.php HTTP/1.1
Host: adobe.com
User-Agent: Opera/10.80 Pesto/2.2.30
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

Response

HTTP/1.1 403 Forbidden

Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 384
Expires: Wed, 25 Sep 2024 12:16:55 GMT
Date: Wed, 25 Sep 2024 12:16:55 GMT
Connection: close
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

90.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.12.20.2.in-addr.arpa

IN PTR

Response

90.12.20.2.in-addr.arpa

IN PTR

a2-20-12-90deploystaticakamaitechnologiescom
DNS

fusuhyt.co.cc

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

fusuhyt.co.cc

IN A

Response

fusuhyt.co.cc

IN A

35.91.2.62
GET

http://fusuhyt.co.cc/showthread.php?t=442552

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

35.91.2.62:80

Request

GET /showthread.php?t=442552 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: fusuhyt.co.cc
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Wed, 25 Sep 2024 12:16:56 GMT
Content-Type: text/html
Content-Length: 1103
Last-Modified: Mon, 23 Sep 2024 02:44:29 GMT
Connection: close
ETag: "66f0d60d-44f"
Accept-Ranges: bytes
GET

http://fusuhyt.co.cc/showthread.php?t=442552

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

35.91.2.62:80

Request

GET /showthread.php?t=442552 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: fusuhyt.co.cc
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Wed, 25 Sep 2024 12:16:56 GMT
Content-Type: text/html
Content-Length: 1103
Last-Modified: Mon, 23 Sep 2024 02:44:29 GMT
Connection: close
ETag: "66f0d60d-44f"
Accept-Ranges: bytes
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

62.2.91.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

62.2.91.35.in-addr.arpa

IN PTR

Response

62.2.91.35.in-addr.arpa

IN PTR

ec2-35-91-2-62 us-west-2compute amazonawscom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

http://fusuhyt.co.cc/showthread.php?t=442552

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

35.91.2.62:80

Request

GET /showthread.php?t=442552 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: fusuhyt.co.cc
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Wed, 25 Sep 2024 12:16:57 GMT
Content-Type: text/html
Content-Length: 1103
Last-Modified: Mon, 23 Sep 2024 02:44:29 GMT
Connection: close
ETag: "66f0d60d-44f"
Accept-Ranges: bytes
GET

http://fusuhyt.co.cc/showthread.php?t=442552

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

35.91.2.62:80

Request

GET /showthread.php?t=442552 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: fusuhyt.co.cc
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Wed, 25 Sep 2024 12:16:57 GMT
Content-Type: text/html
Content-Length: 1103
Last-Modified: Mon, 23 Sep 2024 02:44:29 GMT
Connection: close
ETag: "66f0d60d-44f"
Accept-Ranges: bytes
GET

http://fusuhyt.co.cc/showthread.php?t=442552

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

35.91.2.62:80

Request

GET /showthread.php?t=442552 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: fusuhyt.co.cc
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Wed, 25 Sep 2024 12:16:57 GMT
Content-Type: text/html
Content-Length: 1103
Last-Modified: Mon, 23 Sep 2024 02:44:29 GMT
Connection: close
ETag: "66f0d60d-44f"
Accept-Ranges: bytes
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

107.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.12.20.2.in-addr.arpa

IN PTR

Response

107.12.20.2.in-addr.arpa

IN PTR

a2-20-12-107deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
GET

http://fusuhyt.co.cc/showthread.php?t=442552

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

35.91.2.62:80

Request

GET /showthread.php?t=442552 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: fusuhyt.co.cc
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Wed, 25 Sep 2024 12:18:58 GMT
Content-Type: text/html
Content-Length: 1103
Last-Modified: Mon, 23 Sep 2024 02:44:29 GMT
Connection: close
ETag: "66f0d60d-44f"
Accept-Ranges: bytes
GET

http://fusuhyt.co.cc/showthread.php?t=442552

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

35.91.2.62:80

Request

GET /showthread.php?t=442552 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: fusuhyt.co.cc
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Wed, 25 Sep 2024 12:18:58 GMT
Content-Type: text/html
Content-Length: 1103
Last-Modified: Mon, 23 Sep 2024 02:44:29 GMT
Connection: close
ETag: "66f0d60d-44f"
Accept-Ranges: bytes
GET

http://fusuhyt.co.cc/showthread.php?t=442552

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

Remote address:

35.91.2.62:80

Request

GET /showthread.php?t=442552 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: fusuhyt.co.cc
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Wed, 25 Sep 2024 12:18:58 GMT
Content-Type: text/html
Content-Length: 1103
Last-Modified: Mon, 23 Sep 2024 02:44:29 GMT
Connection: close
ETag: "66f0d60d-44f"
Accept-Ranges: bytes

2.20.12.90:80

http://adobe.com/geo/productid.php

http

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

411 B
804 B
5
5

HTTP Request

POST http://adobe.com/geo/productid.php

HTTP Response

403
35.91.2.62:80

http://fusuhyt.co.cc/showthread.php?t=442552

http

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

368 B
1.5kB
5
4

HTTP Request

GET http://fusuhyt.co.cc/showthread.php?t=442552

HTTP Response

200
35.91.2.62:80

http://fusuhyt.co.cc/showthread.php?t=442552

http

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

368 B
1.5kB
5
4

HTTP Request

GET http://fusuhyt.co.cc/showthread.php?t=442552

HTTP Response

200
35.91.2.62:80

http://fusuhyt.co.cc/showthread.php?t=442552

http

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

525 B
1.5kB
5
4

HTTP Request

GET http://fusuhyt.co.cc/showthread.php?t=442552

HTTP Response

200
35.91.2.62:80

http://fusuhyt.co.cc/showthread.php?t=442552

http

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

368 B
1.5kB
5
4

HTTP Request

GET http://fusuhyt.co.cc/showthread.php?t=442552

HTTP Response

200
35.91.2.62:80

http://fusuhyt.co.cc/showthread.php?t=442552

http

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

368 B
1.5kB
5
4

HTTP Request

GET http://fusuhyt.co.cc/showthread.php?t=442552

HTTP Response

200
35.91.2.62:80

http://fusuhyt.co.cc/showthread.php?t=442552

http

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

368 B
1.5kB
5
4

HTTP Request

GET http://fusuhyt.co.cc/showthread.php?t=442552

HTTP Response

200
35.91.2.62:80

http://fusuhyt.co.cc/showthread.php?t=442552

http

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

368 B
1.5kB
5
4

HTTP Request

GET http://fusuhyt.co.cc/showthread.php?t=442552

HTTP Response

200
35.91.2.62:80

http://fusuhyt.co.cc/showthread.php?t=442552

http

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

368 B
1.5kB
5
4

HTTP Request

GET http://fusuhyt.co.cc/showthread.php?t=442552

HTTP Response

200

8.8.8.8:53

adobe.com

dns

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

55 B
87 B
1
1

DNS Request

adobe.com

DNS Response

2.20.12.90

2.20.12.104
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

90.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

90.12.20.2.in-addr.arpa
8.8.8.8:53

fusuhyt.co.cc

dns

f5fec04f9c87894d236f36d94c046617_JaffaCakes118.exe

59 B
75 B
1
1

DNS Request

fusuhyt.co.cc

DNS Response

35.91.2.62
8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

62.2.91.35.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

62.2.91.35.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

107.12.20.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

107.12.20.2.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8WYVOD7\showthread[1].htm

Filesize
1KB

MD5
37e48bab25eb73fad50567c1b4932edd

SHA1
4b26a8ad91d4f94a38886f8b0d60793301f77133

SHA256
9a7542fbcf0a06197ee44c851b28fab213f08f15bb86bfd9653a874ce46c85c2

SHA512
3213d35f9ef884920ec08914b767b125f9c05f08c9c5591d0eccaa45121cf349bd23badd631455e9574cf03f0108a65294d2e5ea4e6f4bbaa7524e733781ca71

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\plugs\mmc87.exe

Filesize
1KB

MD5
f242ab1198d7ac959e0c651d7117472e

SHA1
50875943350f99eeb01501261d476ba67fa0e293

SHA256
b8673d414425e0e867434960b9a6252442c17bcccb6bbe57393ceeddf286254e

SHA512
705ba5f9ede97b07fc0a1516e574da5dd2df930ebbbf834887148269e723d942b3a8e04457d429260c9a27c38378fea46df11c5c1f63ade8b5f4a9550c55378c

Download Submit
memory/436-0-0x0000000002150000-0x000000000215F000-memory.dmp

Filesize
60KB

Download
memory/436-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/436-2-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/436-43-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/436-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/436-96-0x0000000002150000-0x000000000215F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.