Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27-09-2024 15:46
Static task
static1
Behavioral task
behavioral1
Sample
fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe
-
Size
578KB
-
MD5
fab060854959752071dd189e5e8f02ed
-
SHA1
08d9ec618c6c9e6d3544c9877edb63575981aba3
-
SHA256
0609543d20e58f2d96e03d4a87a04dfb37f59b12f47b0f752327c1db06e37b0c
-
SHA512
edd8f4baccb95e25f771e1e9d077aa1fa1290d4fd467b5e54944c37673f40b05e499253ef1a74d09991fd8678fd9b44143b6bab2e09ade7b29705029d4088c2b
-
SSDEEP
6144:UKlr3FcfCElJk125U8SpVUagDsvb6mgmw4sFfTysVufBn597NX2I:UqVcfXlJkE5YVUjuOjysgfBnnl2I
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 1 IoCs
resource yara_rule behavioral1/files/0x0006000000019220-10.dat revengerat -
Executes dropped EXE 1 IoCs
pid Process 2124 ocs_v6z.exe -
Loads dropped DLL 2 IoCs
pid Process 1764 fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe 1764 fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe Token: SeShutdownPrivilege 2676 chrome.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe 2676 chrome.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1764 fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe 2124 ocs_v6z.exe 2124 ocs_v6z.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1764 wrote to memory of 2124 1764 fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe 31 PID 1764 wrote to memory of 2124 1764 fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe 31 PID 1764 wrote to memory of 2124 1764 fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe 31 PID 1764 wrote to memory of 2124 1764 fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe 31 PID 2124 wrote to memory of 2676 2124 ocs_v6z.exe 32 PID 2124 wrote to memory of 2676 2124 ocs_v6z.exe 32 PID 2124 wrote to memory of 2676 2124 ocs_v6z.exe 32 PID 2676 wrote to memory of 3000 2676 chrome.exe 33 PID 2676 wrote to memory of 3000 2676 chrome.exe 33 PID 2676 wrote to memory of 3000 2676 chrome.exe 33 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 3008 2676 chrome.exe 35 PID 2676 wrote to memory of 2248 2676 chrome.exe 36 PID 2676 wrote to memory of 2248 2676 chrome.exe 36 PID 2676 wrote to memory of 2248 2676 chrome.exe 36 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37 PID 2676 wrote to memory of 1648 2676 chrome.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exeC:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -806691 -dcu -38047d8c737f43bb833845079fbe9836 - -ChromeBundle -sjmhbdczthfccftw2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e6578653⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1e79758,0x7fef1e79768,0x7fef1e797784⤵PID:3000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:24⤵PID:3008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:84⤵PID:2248
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:84⤵PID:1648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:14⤵PID:344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2184 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:14⤵PID:852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3208 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:24⤵PID:1368
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3260 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:14⤵PID:1644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:84⤵PID:296
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1204
Network
-
Remote address:8.8.8.8:53Requestwww.download-sponsor.deIN AResponsewww.download-sponsor.deIN A176.9.175.237
-
GEThttp://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=806691&pid=dcu&source=ChromeBundle&setupid=38047d8c737f43bb833845079fbe9836&lang=en-USocs_v6z.exeRemote address:176.9.175.237:80RequestGET /initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=806691&pid=dcu&source=ChromeBundle&setupid=38047d8c737f43bb833845079fbe9836&lang=en-US HTTP/1.1
Host: www.download-sponsor.de
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=5, max=1500
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:8.8.8.8:53Requestbin.download-sponsor.deIN AResponsebin.download-sponsor.deIN A176.9.175.234
-
Remote address:176.9.175.234:80ResponseHTTP/1.1 400 Bad Request
Date: Fri, 27 Sep 2024 15:47:03 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
-
GEThttp://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865chrome.exeRemote address:176.9.175.237:80RequestGET /exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865 HTTP/1.1
Host: www.download-sponsor.de
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 302 Found
Server: Apache
location: http://dcu.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=1500
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:8.8.8.8:53Requestdcu.download-sponsor.deIN AResponsedcu.download-sponsor.deIN A176.9.175.237
-
GEThttp://dcu.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865chrome.exeRemote address:176.9.175.237:80RequestGET /feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865 HTTP/1.1
Host: dcu.download-sponsor.de
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 302 Found
Server: Apache
location: http://survey.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=1500
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:8.8.8.8:53Requestsurvey.download-sponsor.deIN AResponsesurvey.download-sponsor.deIN A176.9.175.237
-
GEThttp://survey.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865chrome.exeRemote address:176.9.175.237:80RequestGET /feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865 HTTP/1.1
Host: survey.download-sponsor.de
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2136
Keep-Alive: timeout=5, max=1500
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:176.9.175.237:80RequestGET /feedback/img/metalbg.jpg HTTP/1.1
Host: survey.download-sponsor.de
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://survey.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 12 Jun 2012 18:35:35 GMT
ETag: "96640c-3f262-4c24abb71abc0"
Accept-Ranges: bytes
Content-Length: 258658
Keep-Alive: timeout=5, max=1499
Connection: Keep-Alive
Content-Type: image/jpeg
-
Remote address:8.8.8.8:53Requestd.addelive.comIN AResponsed.addelive.comIN A66.216.109.248
-
Remote address:8.8.8.8:53Requestdownload-sponsor.deIN AResponsedownload-sponsor.deIN A176.9.175.237
-
Remote address:8.8.8.8:53Requestfiles.download-sponsor.deIN AResponsefiles.download-sponsor.deIN A176.9.175.237
-
Remote address:8.8.8.8:53Requestcontent-autofill.googleapis.comIN AResponsecontent-autofill.googleapis.comIN A142.250.187.234content-autofill.googleapis.comIN A216.58.204.74content-autofill.googleapis.comIN A142.250.200.10content-autofill.googleapis.comIN A172.217.169.42content-autofill.googleapis.comIN A142.250.200.42content-autofill.googleapis.comIN A216.58.213.10content-autofill.googleapis.comIN A172.217.169.74content-autofill.googleapis.comIN A142.250.179.234content-autofill.googleapis.comIN A216.58.212.202content-autofill.googleapis.comIN A172.217.16.234content-autofill.googleapis.comIN A142.250.180.10content-autofill.googleapis.comIN A216.58.201.106content-autofill.googleapis.comIN A142.250.187.202content-autofill.googleapis.comIN A142.250.178.10
-
Remote address:8.8.8.8:53Requestimpressum.thinklabs-ltd.deIN AResponseimpressum.thinklabs-ltd.deIN A176.9.175.237
-
Remote address:8.8.8.8:53Requestwww.download-sponsor.deIN AResponsewww.download-sponsor.deIN A176.9.175.237
-
GEThttp://download-sponsor.de//partnerbranding/brandmachine/brandmachine.php?pid=dcu&sl=3chrome.exeRemote address:176.9.175.237:80RequestGET //partnerbranding/brandmachine/brandmachine.php?pid=dcu&sl=3 HTTP/1.1
Host: download-sponsor.de
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://survey.download-sponsor.de/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 302 Found
Server: Apache
location: resources/images/ownupload/dcu-50bfd27d3f84907c3c34892a76ebf9ba.png
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=1500
Connection: Keep-Alive
Content-Type: text/html
-
GEThttp://download-sponsor.de//partnerbranding/brandmachine/resources/images/ownupload/dcu-50bfd27d3f84907c3c34892a76ebf9ba.pngchrome.exeRemote address:176.9.175.237:80RequestGET //partnerbranding/brandmachine/resources/images/ownupload/dcu-50bfd27d3f84907c3c34892a76ebf9ba.png HTTP/1.1
Host: download-sponsor.de
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://survey.download-sponsor.de/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 200 OK
Server: Apache
ETag: "9700d3-1eca-4d1fec53006c0"
Accept-Ranges: bytes
Content-Length: 7882
Last-Modified: Sat, 29 Dec 2012 14:41:07 GMT
Keep-Alive: timeout=5, max=1499
Connection: Keep-Alive
Content-Type: image/png
-
GEThttps://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSFwlEXNaJFrQNjBIFDeLcrB8SBQ1Xtmoh?alt=protochrome.exeRemote address:142.250.187.234:443RequestGET /v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSFwlEXNaJFrQNjBIFDeLcrB8SBQ1Xtmoh?alt=proto HTTP/2.0
host: content-autofill.googleapis.com
x-goog-encode-response-if-executable: base64
x-goog-api-key: AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
x-client-data: COSIywE=
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
GEThttp://files.download-sponsor.de/guided-download/templates/publisher/icon-delivery.php?pid=dcu&cid=806691chrome.exeRemote address:176.9.175.237:80RequestGET /guided-download/templates/publisher/icon-delivery.php?pid=dcu&cid=806691 HTTP/1.1
Host: files.download-sponsor.de
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://survey.download-sponsor.de/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ResponseHTTP/1.1 200 OK
Server: Apache
Content-Length: 4435
Keep-Alive: timeout=5, max=1500
Connection: Keep-Alive
Content-Type: image/png
-
Remote address:8.8.8.8:53Requestdownload.chip.euIN AResponse
-
176.9.175.237:80http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=806691&pid=dcu&source=ChromeBundle&setupid=38047d8c737f43bb833845079fbe9836&lang=en-UShttpocs_v6z.exe503 B 368 B 6 4
HTTP Request
GET http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=806691&pid=dcu&source=ChromeBundle&setupid=38047d8c737f43bb833845079fbe9836&lang=en-USHTTP Response
200 -
435 B 507 B 5 5
HTTP Response
400 -
242 B 184 B 5 4
-
176.9.175.237:80http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865httpchrome.exe997 B 767 B 6 5
HTTP Request
GET http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865HTTP Response
302 -
176.9.175.237:80http://dcu.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865httpchrome.exe981 B 770 B 6 5
HTTP Request
GET http://dcu.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865HTTP Response
302 -
6.3kB 269.2kB 107 198
HTTP Request
GET http://survey.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865HTTP Response
200HTTP Request
GET http://survey.download-sponsor.de/feedback/img/metalbg.jpgHTTP Response
200 -
152 B 3
-
176.9.175.237:80http://download-sponsor.de//partnerbranding/brandmachine/resources/images/ownupload/dcu-50bfd27d3f84907c3c34892a76ebf9ba.pnghttpchrome.exe1.4kB 9.0kB 11 13
HTTP Request
GET http://download-sponsor.de//partnerbranding/brandmachine/brandmachine.php?pid=dcu&sl=3HTTP Response
302HTTP Request
GET http://download-sponsor.de//partnerbranding/brandmachine/resources/images/ownupload/dcu-50bfd27d3f84907c3c34892a76ebf9ba.pngHTTP Response
200 -
142.250.187.234:443https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSFwlEXNaJFrQNjBIFDeLcrB8SBQ1Xtmoh?alt=prototls, http2chrome.exe1.8kB 6.8kB 15 17
HTTP Request
GET https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSFwlEXNaJFrQNjBIFDeLcrB8SBQ1Xtmoh?alt=proto -
176.9.175.237:80http://files.download-sponsor.de/guided-download/templates/publisher/icon-delivery.php?pid=dcu&cid=806691httpchrome.exe777 B 4.9kB 7 8
HTTP Request
GET http://files.download-sponsor.de/guided-download/templates/publisher/icon-delivery.php?pid=dcu&cid=806691HTTP Response
200 -
152 B 3
-
69 B 85 B 1 1
DNS Request
www.download-sponsor.de
DNS Response
176.9.175.237
-
69 B 85 B 1 1
DNS Request
bin.download-sponsor.de
DNS Response
176.9.175.234
-
69 B 85 B 1 1
DNS Request
dcu.download-sponsor.de
DNS Response
176.9.175.237
-
72 B 88 B 1 1
DNS Request
survey.download-sponsor.de
DNS Response
176.9.175.237
-
60 B 76 B 1 1
DNS Request
d.addelive.com
DNS Response
66.216.109.248
-
65 B 81 B 1 1
DNS Request
download-sponsor.de
DNS Response
176.9.175.237
-
71 B 87 B 1 1
DNS Request
files.download-sponsor.de
DNS Response
176.9.175.237
-
77 B 301 B 1 1
DNS Request
content-autofill.googleapis.com
DNS Response
142.250.187.234216.58.204.74142.250.200.10172.217.169.42142.250.200.42216.58.213.10172.217.169.74142.250.179.234216.58.212.202172.217.16.234142.250.180.10216.58.201.106142.250.187.202142.250.178.10
-
72 B 88 B 1 1
DNS Request
impressum.thinklabs-ltd.de
DNS Response
176.9.175.237
-
69 B 85 B 1 1
DNS Request
www.download-sponsor.de
DNS Response
176.9.175.237
-
62 B 133 B 1 1
DNS Request
download.chip.eu
-
204 B 3
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
5KB
MD5c1702ff6433f55ba9d6ac8e5d8cb8c69
SHA12a5bc67d785c989ba1683f0b7867e8848508b39b
SHA256dc22b82bb1af7d90e29ab413f52c7f00f23b6d4150bb98648fbe2a042e4b987b
SHA512167c9274b096d92245ca97c6e2d1e7badccd25861ba535ab547df9d2b791e14cf5f5d89266b066e8d80219c1e1aae536acc0648ebf5030d91d7cc335cca00699
-
Filesize
5KB
MD5e327bebb291e1b40529fc4d60dec38b2
SHA14d78e6a27bc76a3b1e2a980f88032f3753594930
SHA2569323a38bb9e130e26c267b696bf688d42dd3eca2f9d504fa61d37fe99af667a9
SHA51217a8713413628c12c88d8069796ab4b5effea08585e2bfed9ff7c4fa0a2c4cac16bfd73ed9e6035e41347b07757688de987a5ce45fbb7fd1da76e18bdc6d2c06
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
312KB
MD509f02c017e40a998537f26d0caee8d22
SHA17676d2f17068a9050bbbbe10908e75bc5d59b631
SHA256fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7
SHA5120c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7
-
Filesize
89B
MD59ede8209fd0d5d08a54b06331d0dd050
SHA10467285ff5da75f5004b696945a9b3aff23dc20c
SHA25683a9bb057e5fac5a27dfe83aaff2698141ec49717ad093d07af5c4e080a26aa7
SHA5123491f3680e70637ee6f7991a526552b065b66043881178bcda32a17929aa2e35352f44ac930b678de14aa2964ce0ff5b75767d13c5038aa7d3c61c3d35758c13