Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2024, 08:02 UTC

General

  • Target

    1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    1280bf6c35a8b0781849c3542dbda6ed

  • SHA1

    ae2228746cbd4eec11ad670b8920d0e224a4b344

  • SHA256

    27072ad500f7dfea57a88a7edb4f71f2c2b3ee3862d5f8be6189a35d9e766f10

  • SHA512

    129bb3e891cb7f1df1d808713dcb6e87106ecaf030a8e07d77217bd25bc00351464ea4ab283d09acfba67ca0891d8984313a2a04cfc3b2174f0b5cecbf0dc312

  • SSDEEP

    24576:zgFvyVFyuvGRWI0Gnl3UVP3zY8HEwpzxz0DLacT06K:zQqVFyKa3eP3zVHEwpdz0DucT5K

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Users\Admin\AppData\Local\Temp\crpD032.exe
      /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\24F3E4~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
          4⤵
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:764
        • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Latest\Setup.exe
          C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
          4⤵
          • Executes dropped EXE
          PID:4816
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\24F3E4~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
          4⤵
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:4548

Network

  • flag-us
    DNS
    www.4shared.com
    1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.4shared.com
    IN A
    Response
    www.4shared.com
    IN A
    199.101.134.235
    www.4shared.com
    IN A
    199.101.134.236
    www.4shared.com
    IN A
    199.101.134.237
    www.4shared.com
    IN A
    74.117.178.90
    www.4shared.com
    IN A
    74.117.178.93
    www.4shared.com
    IN A
    74.117.178.58
    www.4shared.com
    IN A
    74.117.178.56
    www.4shared.com
    IN A
    199.101.134.234
  • flag-us
    GET
    https://www.4shared.com/downloadhelper/stat?type=firstrunexe
    1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe
    Remote address:
    199.101.134.235:443
    Request
    GET /downloadhelper/stat?type=firstrunexe HTTP/1.1
    User-Agent: B1 Tiny Loader/1.0
    Host: www.4shared.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 403 Forbidden
    Server: 558
    Set-Cookie: day1host=h; Domain=.4shared.com; Expires=Sat, 05-Oct-2024 08:02:36 GMT; Path=/
    Content-Type: text/html;charset=utf-8
    Content-Language: en
    Content-Length: 949
    Date: Fri, 04 Oct 2024 08:02:36 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    235.134.101.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.134.101.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    36.249.124.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    36.249.124.192.in-addr.arpa
    IN PTR
    Response
    36.249.124.192.in-addr.arpa
    IN PTR
    cloudproxy10036sucurinet
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    info.babylon.com
    Setup.exe
    Remote address:
    8.8.8.8:53
    Request
    info.babylon.com
    IN A
    Response
    info.babylon.com
    IN A
    184.154.27.235
  • flag-us
    DNS
    stp.babylon.com
    Setup.exe
    Remote address:
    8.8.8.8:53
    Request
    stp.babylon.com
    IN A
    Response
    stp.babylon.com
    IN CNAME
    stp.babylon-services.com
    stp.babylon-services.com
    IN A
    184.154.27.232
  • flag-us
    GET
    http://info.babylon.com/stat/report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0
    Setup.exe
    Remote address:
    184.154.27.235:80
    Request
    GET /stat/report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0 HTTP/1.1
    User-Agent: Babylon
    Host: info.babylon.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 04 Oct 2024 08:02:45 GMT
    Server: Apache
    Transfer-Encoding: chunked
    Content-Type: image/gif
  • flag-us
    GET
    http://stp.babylon.com/downloader.php?ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&lang=en&zpb=1&geo=1
    Setup.exe
    Remote address:
    184.154.27.232:80
    Request
    GET /downloader.php?ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&lang=en&zpb=1&geo=1 HTTP/1.1
    User-Agent: Babylon
    Host: stp.babylon.com
    Connection: Keep-Alive
    Cookie: affilID=121631
    Response
    HTTP/1.1 200 OK
    Date: Fri, 04 Oct 2024 08:02:45 GMT
    Server: Apache
    Set-Cookie: affilID=deleted; expires=Thu, 05-Oct-2023 08:02:44 GMT; path=/; domain=.babylon.com
    Vary: Accept-Encoding
    Keep-Alive: timeout=1, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
  • flag-us
    DNS
    dl.babylon.com
    Setup.exe
    Remote address:
    8.8.8.8:53
    Request
    dl.babylon.com
    IN A
    Response
    dl.babylon.com
    IN CNAME
    dl.babylon-services.com
    dl.babylon-services.com
    IN A
    198.143.128.244
  • flag-us
    DNS
    235.27.154.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.27.154.184.in-addr.arpa
    IN PTR
    Response
    235.27.154.184.in-addr.arpa
    IN PTR
    DedLoadLM2200babyloncom
  • flag-us
    DNS
    232.27.154.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.27.154.184.in-addr.arpa
    IN PTR
    Response
    232.27.154.184.in-addr.arpa
    IN PTR
    DedLoadLM2200babyloncom
  • flag-us
    GET
    http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb
    Setup.exe
    Remote address:
    198.143.128.244:80
    Request
    GET /site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb HTTP/1.1
    User-Agent: Babylon
    Host: dl.babylon.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.13.12
    Date: Fri, 04 Oct 2024 08:02:29 GMT
    Content-Type: application/octet-stream
    Content-Length: 3844
    Last-Modified: Wed, 01 Oct 2014 12:08:35 GMT
    Connection: keep-alive
    Keep-Alive: timeout=30
    ETag: "542beec3-f04"
    Accept-Ranges: bytes
  • flag-us
    GET
    http://info.babylon.com/stat/report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&hp=1&dsp=1&tb=1&hpx=0&dspx=0&tbx=0&dnld=100&dcnt=1&dtot=1&dlerr=200&rvrt=0&excd=0&stm=0&nvs=0&rbts=0&rbtt=0
    Setup.exe
    Remote address:
    184.154.27.235:80
    Request
    GET /stat/report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&hp=1&dsp=1&tb=1&hpx=0&dspx=0&tbx=0&dnld=100&dcnt=1&dtot=1&dlerr=200&rvrt=0&excd=0&stm=0&nvs=0&rbts=0&rbtt=0 HTTP/1.1
    User-Agent: Babylon
    Host: info.babylon.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 04 Oct 2024 12:02:16 GMT
    Server: Apache
    Transfer-Encoding: chunked
    Content-Type: image/gif
  • flag-us
    DNS
    244.128.143.198.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    244.128.143.198.in-addr.arpa
    IN PTR
    Response
    244.128.143.198.in-addr.arpa
    IN PTR
    244128143198 unassignedord singlehopnet
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.117.19.2.in-addr.arpa
    IN PTR
    Response
    75.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-75deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 199.101.134.235:443
    https://www.4shared.com/downloadhelper/stat?type=firstrunexe
    tls, http
    1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe
    1.0kB
    7.2kB
    12
    8

    HTTP Request

    GET https://www.4shared.com/downloadhelper/stat?type=firstrunexe

    HTTP Response

    403
  • 127.0.0.1:9876
    Setup.exe
  • 184.154.27.235:80
    http://info.babylon.com/stat/report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0
    http
    Setup.exe
    906 B
    351 B
    7
    4

    HTTP Request

    GET http://info.babylon.com/stat/report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0

    HTTP Response

    200
  • 184.154.27.232:80
    http://stp.babylon.com/downloader.php?ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&lang=en&zpb=1&geo=1
    http
    Setup.exe
    901 B
    799 B
    7
    5

    HTTP Request

    GET http://stp.babylon.com/downloader.php?ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&lang=en&zpb=1&geo=1

    HTTP Response

    200
  • 198.143.128.244:80
    http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb
    http
    Setup.exe
    502 B
    4.4kB
    8
    6

    HTTP Request

    GET http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb

    HTTP Response

    200
  • 184.154.27.235:80
    http://info.babylon.com/stat/report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&hp=1&dsp=1&tb=1&hpx=0&dspx=0&tbx=0&dnld=100&dcnt=1&dtot=1&dlerr=200&rvrt=0&excd=0&stm=0&nvs=0&rbts=0&rbtt=0
    http
    Setup.exe
    1.0kB
    351 B
    7
    4

    HTTP Request

    GET http://info.babylon.com/stat/report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.0.5&affilID=121631&guid={CC5A8F84-6B61-493B-B401-F68616FC2E88}&mntrId=776774510000000000007221d8032630&hwid=77677221D8032630&sufn=1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe&iev=11&ffv=0&crv=123&dwb=msedge&wbr=7&dlb=uk&spb=cr&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&tbtp=def&tbinst=1&w64=1&cat=delta&cntry=US&uac=0&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&hp=1&dsp=1&tb=1&hpx=0&dspx=0&tbx=0&dnld=100&dcnt=1&dtot=1&dlerr=200&rvrt=0&excd=0&stm=0&nvs=0&rbts=0&rbtt=0

    HTTP Response

    200
  • 8.8.8.8:53
    www.4shared.com
    dns
    1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe
    61 B
    189 B
    1
    1

    DNS Request

    www.4shared.com

    DNS Response

    199.101.134.235
    199.101.134.236
    199.101.134.237
    74.117.178.90
    74.117.178.93
    74.117.178.58
    74.117.178.56
    199.101.134.234

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    235.134.101.199.in-addr.arpa
    dns
    74 B
    138 B
    1
    1

    DNS Request

    235.134.101.199.in-addr.arpa

  • 8.8.8.8:53
    36.249.124.192.in-addr.arpa
    dns
    73 B
    113 B
    1
    1

    DNS Request

    36.249.124.192.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    info.babylon.com
    dns
    Setup.exe
    62 B
    78 B
    1
    1

    DNS Request

    info.babylon.com

    DNS Response

    184.154.27.235

  • 8.8.8.8:53
    stp.babylon.com
    dns
    Setup.exe
    61 B
    112 B
    1
    1

    DNS Request

    stp.babylon.com

    DNS Response

    184.154.27.232

  • 8.8.8.8:53
    dl.babylon.com
    dns
    Setup.exe
    60 B
    110 B
    1
    1

    DNS Request

    dl.babylon.com

    DNS Response

    198.143.128.244

  • 8.8.8.8:53
    235.27.154.184.in-addr.arpa
    dns
    73 B
    112 B
    1
    1

    DNS Request

    235.27.154.184.in-addr.arpa

  • 8.8.8.8:53
    232.27.154.184.in-addr.arpa
    dns
    73 B
    112 B
    1
    1

    DNS Request

    232.27.154.184.in-addr.arpa

  • 8.8.8.8:53
    244.128.143.198.in-addr.arpa
    dns
    74 B
    132 B
    1
    1

    DNS Request

    244.128.143.198.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    75.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    75.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

    Filesize

    3KB

    MD5

    5e6230b3b16798e23720958756ac6d9e

    SHA1

    c7bcb001c48a67d4c9d6e70e92473ebd85b30585

    SHA256

    d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2

    SHA512

    6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\BExternal.dll

    Filesize

    129KB

    MD5

    3e3becf439465e96f35b4ecdbac44641

    SHA1

    6511b37c7ace73216d35c2aa7af2034e1780eb56

    SHA256

    592d8164fd85e2f0324ba06ed27f7eb39989f53e5121a4562f7d78323228c0b9

    SHA512

    dcf6edb55b77130e03e0c51ec6043d515ce0397a1443642743c37211d2aa081dc1c16002e3af768248361296b149a1ab4605f64cba2310c967c26cd6663d0e83

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Babylon.dat

    Filesize

    12KB

    MD5

    825e5733974586a0a1229a53361ed13e

    SHA1

    9ec5b8944c6727fda6fdc3c18856884554cf6b31

    SHA256

    0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

    SHA512

    ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\HtmlScreens\loading.html

    Filesize

    644B

    MD5

    f50fa4673555652289652753183fd1ee

    SHA1

    f496797f0d34eb866d6328d2fd1492b485f74d0a

    SHA256

    afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812

    SHA512

    6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\HtmlScreens\navError.html

    Filesize

    926B

    MD5

    0c464e407c81764ebc09eacbe41f0b3e

    SHA1

    245afe550a05215e5873d8f5f21c22d12aa46b6a

    SHA256

    770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26

    SHA512

    71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\HtmlScreens\pBar.gif

    Filesize

    3KB

    MD5

    26621cb27bbc94f6bab3561791ac013b

    SHA1

    4010a489350cf59fd8f36f8e59b53e724c49cc5b

    SHA256

    e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

    SHA512

    9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Latest\setup.exe

    Filesize

    8KB

    MD5

    5790a04f78c61c3caea7ddd6f01829d2

    SHA1

    9d783d964338a5378280dd3c3b72519d11f73ffa

    SHA256

    726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606

    SHA512

    9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Setup.exe

    Filesize

    1.8MB

    MD5

    74af846f2ad4aec60779623fc8bbcd83

    SHA1

    9f2fbfe260c9111f88e8edc6dfc068d08c1491c5

    SHA256

    f795ffc4c850a6a214aac740258c6560a72a5a5c1759bb9cd231df2e1a271edf

    SHA512

    157e612a02e0a6ca87f5d8b572950cc85c8980641bc1f973b20836c1e91d0df0a132a58191a99efdba0b5c4923bc412083b833a12a1ef3554ade745c07a2605f

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\SetupStrings.dat

    Filesize

    89KB

    MD5

    407846797c5ba247abeb5fa7c0c0ba05

    SHA1

    44386455eed8e74d75e95e9e81e96a19f0b27884

    SHA256

    0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

    SHA512

    7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\bab033.tbinst.dat

    Filesize

    205B

    MD5

    90713ab7a74884cd36a5fb4cfcdece8a

    SHA1

    7bb56d08fd69a98e543b923bd0a9156f92a9c473

    SHA256

    bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

    SHA512

    639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\bab091.norecovericon.dat

    Filesize

    174B

    MD5

    4f6e1fdbef102cdbd379fdac550b9f48

    SHA1

    5da6ee5b88a4040c80e5269e0cd2b0880b20659c

    SHA256

    e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

    SHA512

    54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\bab307.sp_pop0.dat

    Filesize

    178B

    MD5

    0b7be9c4b72c2c5166bfd61ca5ebbfed

    SHA1

    aea0aa4e8226c1b4efce92e909da773744baa6d4

    SHA256

    673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

    SHA512

    4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\bab327.ff_2.dat

    Filesize

    179B

    MD5

    acc576624b76c140ce6e78885d279efe

    SHA1

    f5816e66ab9da86bdff210f96399078c36a4af54

    SHA256

    78dc1600b62ca4aac2ce5c94f7b1973800349ac56804aba4b17c410e0fff4c17

    SHA512

    449cdfa0a93191ae9d109c689f09ed444ccf53a4b087a9e5005527561c1598233d05396d1b118db6fe6d6dc45c6dc9909238200f8fa8d4a4dbf903deca19201b

  • C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\sqlite3.dll

    Filesize

    508KB

    MD5

    0f66e8e2340569fb17e774dac2010e31

    SHA1

    406bb6854e7384ff77c0b847bf2f24f3315874a3

    SHA256

    de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

    SHA512

    39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

  • C:\Users\Admin\AppData\Local\Temp\24F3E4~1\IEHelper.dll

    Filesize

    6KB

    MD5

    9cb62aa0c5c554f2557d29d1601c8347

    SHA1

    f2fb5115b7d03e90f6e9d4b1f6e882385aa00f5f

    SHA256

    a65ba80d23494077575f505c20c9f9516aa21b9bded2b7032b6d5e7bc1737fa5

    SHA512

    0a325a02c323d52c9f374bc22e5182f5f49f485a689b6ca561196222ff18127f84ea7a48ac438277b9dcd1237c983f03eab54606eacbb1f79aadb0a0f84f0cea

  • C:\Users\Admin\AppData\Local\Temp\crpD032.exe

    Filesize

    754KB

    MD5

    5ac98c84160a9400db448d153c959bb6

    SHA1

    829d808c091045f45c513a6e4ab17055a52a9320

    SHA256

    e4f1009192f163aacafc3ac23f3fbce358122040a5dbf99b86c9f4cac9809ecc

    SHA512

    36f4e7f4c0f2bd647d23714b08d322ff8383e52ede16f5719f09e710e133669586af0ae7c3af2ab98a066724b2f1dffc114437d7d8820e98614b86470ade2376

  • memory/1756-75-0x0000000060900000-0x0000000060970000-memory.dmp

    Filesize

    448KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.