c9c98f92d4eee2ed2cb55d7410b6e3528c39d08d83cdac92526ca9bd34c1e00f

Analysis

max time kernel
34s
max time network
35s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 08:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Size

576KB
MD5

12aa4a99be0d56cff118505edb815346
SHA1

a3fc6df33b90821231200771af03fd042228218b
SHA256

c9c98f92d4eee2ed2cb55d7410b6e3528c39d08d83cdac92526ca9bd34c1e00f
SHA512

18a03073629d384cdce192cc8a199777c6ab37414ab339713e1f952ae24d9e13dce0edd3e067c6c789ad7e2cf69436f039358e7c6cb6713b51f13b29559709d4
SSDEEP

12288:m4GdCP0FvEgU41cdqUK6Tgmss1sjZ7UqngHK6j1f6P0tB/6p5S:m4Gdtvi41cdqUK6T6s1sjFUqd6jlaYKS

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3060	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3060	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3060	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
3060	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
3060	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
3060	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3060

Network

DNS

imp.optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

imp.optimuminstaller.com

IN A

Response

imp.optimuminstaller.com

IN CNAME

traff-6.hugedomains.com

traff-6.hugedomains.com

IN CNAME

hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com

hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com

IN A

3.140.13.188

hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com

IN A

18.119.154.66
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

3.140.13.188:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:28 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

3.140.13.188:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:28 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_62&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

3.140.13.188:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_62&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:29 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

3.140.13.188:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:30 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

3.140.13.188:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:34 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

3.140.13.188:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:35 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

3.140.13.188:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:36 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
DNS

www.hugedomains.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

www.hugedomains.com

IN A

Response

www.hugedomains.com

IN A

104.26.7.37

www.hugedomains.com

IN A

172.67.70.191

www.hugedomains.com

IN A

104.26.6.37
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Host: www.hugedomains.com

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: site_version_phase=108; expires=Mon, 29-Sep-2025 08:54:29 GMT; path=/
set-cookie: site_version=HDv3; expires=Mon, 29-Sep-2025 08:54:29 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uud32TztYsw5nsACBKUn35JOi6LnqL55DZ2YtP%2By2yZybcDbzzBArRZ6Op1qU8uduOhM5v3p8Vv6FdQ83RitqkMCNNFED99cgowImaiAZniVvwOFQLU66FZf9SXlEldNWg6kodQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f28fdaacbd7e-LHR
Content-Encoding: gzip
DNS

c.pki.goog

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

172.217.169.67
GET

http://c.pki.goog/r/gsr1.crl

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.217.169.67:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Oct 2024 08:24:08 GMT
Expires: Fri, 04 Oct 2024 09:14:08 GMT
Cache-Control: public, max-age=3000
Age: 1820
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.217.169.67:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Oct 2024 08:24:11 GMT
Expires: Fri, 04 Oct 2024 09:14:11 GMT
Cache-Control: public, max-age=3000
Age: 1818
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:29 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FFKVLsgPSrSejgvnplxBS%2BsCdONR9%2BLwjSqIpIg4b7cfbhjMf0OdoL0wL2dZDPMzTqWoOpd0SrBDRIgHJ2VY6rkx%2BzD%2F9e%2Be7BtH%2F%2F0HmKHsMzm2%2Beylt6Ux6Klh8V5%2FaGoT4Yg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f292cab5cdb2-LHR
Content-Encoding: gzip
DNS

install2.optimum-installer.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

install2.optimum-installer.com

IN A

Response
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y0WfvhR6%2B%2Bd7nZC4pcEE02uvTuFNvdfl1pdG%2BE8pLeukrPf9E%2BQ7xC4AOGUkjrYkiaDaKHSAdFSagAzNpxxargxLqIBY6f9GLJHodMt0PXXyT08aD9y5kX3t3DzC85SgKSAxQes%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2961f435312-LHR
Content-Encoding: gzip
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=049n8V0e2hYRrDjOR5a9cYuq3R41jBPlJxIoVKecWoWjhB07rOk9Gd6cKHge0MrPJ%2BRZr4QoxA6EwbGkoPpRV6GoRr9iCzCur2MnlgCJC8CeuV7y1GZroixz6rcsymGQQf3DY0I%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f299ee3963fe-LHR
Content-Encoding: gzip
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:35 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:35 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xvH5d2d4dizu%2Bue%2Bh%2FFoKkAnBAWqd3MHvmGePqkvwIXxCBxlqj9wABYP91av4OdWRvL0NzVP4IkGkZ3JsG6pu7cgpu4Sd477pKGdvkQzlK%2F1qyfoTAw2QhOs1Z1YlSe8ANxfN0w%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2b85fc8948e-LHR
Content-Encoding: gzip
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:36 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yGJS%2FbyGSLiNQ27Xdf%2BLuN%2FtNDgDRVXyk%2BXWLXJLZZjvZd2PR2B7Mg8wSOj%2FgubcL9i9rrhOZhR07RwbUcIoHUXv8sqpd6x3GBHuFWsS%2FVg9fW9kD%2FezjRiReNIo7dIeYfOsca8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2bb9e44952c-LHR
Content-Encoding: gzip
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:37 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:37 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q%2FrVr9YpFhBaTCzImLP2Yx%2FOUzhfhPc8GlgrUd%2FNhATMtssUDznNzaC86D4xPA1sQl95Xk51CDVjdvOPjo02LkI%2Bvy78ObABhAfDWa0m%2FFrJKgpS9n4ctKAWWZ4S9C69mWNG2%2F0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2c4cc6d63c3-LHR
Content-Encoding: gzip
DNS

crl.microsoft.com

Remote address:

8.8.8.8:53

Request

crl.microsoft.com

IN A

Response

crl.microsoft.com

IN CNAME

crl.www.ms.akadns.net

crl.www.ms.akadns.net

IN CNAME

a1363.dscg.akamai.net

a1363.dscg.akamai.net

IN A

2.19.117.18

a1363.dscg.akamai.net

IN A

2.19.117.22
GET

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

Remote address:

2.19.117.18:80

Request

GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1036
Content-Type: application/octet-stream
Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
ETag: 0x8DCDDD1E3AF2C76
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: b28c4ea1-d01e-0016-0ebc-0fa13d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 04 Oct 2024 08:55:02 GMT
Connection: keep-alive
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

2.17.5.133
GET

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

Remote address:

2.17.5.133:80

Request

GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: cyz+t2uRxNE5eKALjGZu1w==
Last-Modified: Sun, 18 Aug 2024 00:23:49 GMT
ETag: 0x8DCBF1C07FCB4BF
x-ms-request-id: f8a60053-701e-000f-593e-f12186000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 04 Oct 2024 08:55:02 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV3d43708b.0
ms-cv-esi: CASMicrosoftCV3d43708b.0
X-RTag: RT

3.140.13.188:80

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean

http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

2.8kB
1.5kB
18
9

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_62&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean

HTTP Response

302
104.26.7.37:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.2kB
14.5kB
15
19

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
172.217.169.67:80

http://c.pki.goog/r/r4.crl

http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

560 B
5.0kB
7
6

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
104.26.7.37:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.1kB
6.9kB
10
13

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
104.26.7.37:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.5kB
14.6kB
20
23

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
104.26.7.37:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.3kB
14.4kB
14
19

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
104.26.7.37:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.1kB
6.9kB
10
12

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
104.26.7.37:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.1kB
11.2kB
12
15

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
104.26.7.37:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.1kB
6.9kB
11
13

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
2.19.117.18:80

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

http

399 B
1.7kB
4
4

HTTP Request

GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

HTTP Response

200
2.17.5.133:80

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

http

393 B
1.7kB
4
4

HTTP Request

GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

HTTP Response

200

8.8.8.8:53

imp.optimuminstaller.com

dns

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

70 B
201 B
1
1

DNS Request

imp.optimuminstaller.com

DNS Response

3.140.13.188

18.119.154.66
8.8.8.8:53

www.hugedomains.com

dns

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

65 B
113 B
1
1

DNS Request

www.hugedomains.com

DNS Response

104.26.7.37

172.67.70.191

104.26.6.37
8.8.8.8:53

c.pki.goog

dns

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

172.217.169.67
8.8.8.8:53

install2.optimum-installer.com

dns

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

76 B
149 B
1
1

DNS Request

install2.optimum-installer.com
8.8.8.8:53

crl.microsoft.com

dns

63 B
162 B
1
1

DNS Request

crl.microsoft.com

DNS Response

2.19.117.18

2.19.117.22
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

2.17.5.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\truste.jpg

Filesize
5KB

MD5
1959eb33004d6107d3412e109c37b742

SHA1
59c3a787483e7743d5b805cd36726a0bec7e4992

SHA256
e60a764cd4d721c9fd261555510c51c668d112a37f2da2f0be1da6dceaa5f8ad

SHA512
238724a6b809d371c6ebab6057c61019e48caf7dd3245c6dca77efb5c015703a206472a9b82f778114c8dce3f10dd13fba972644b137020e4e5507053358e68e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.