Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 34s
max time network: 35s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 04/10/2024, 08:54 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Size: 576KB
MD5: 12aa4a99be0d56cff118505edb815346
SHA1: a3fc6df33b90821231200771af03fd042228218b
SHA256: c9c98f92d4eee2ed2cb55d7410b6e3528c39d08d83cdac92526ca9bd34c1e00f
SHA512: 18a03073629d384cdce192cc8a199777c6ab37414ab339713e1f952ae24d9e13dce0edd3e067c6c789ad7e2cf69436f039358e7c6cb6713b51f13b29559709d4
SSDEEP: 12288:m4GdCP0FvEgU41cdqUK6Tgmss1sjZ7UqngHK6j1f6P0tB/6p5S:m4Gdtvi41cdqUK6T6s1sjFUqd6jlaYKS
Malware Config
Signatures
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe)
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 3060: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
PID 3060: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
-
Suspicious use of SendNotifyMessage (1 IoC)
PID 3060: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx (4 IoCs)
PID 3060: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe (4 hits, all from this process)
Processes
-
C:\Users\Admin\AppData\Local\Temp\12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe"
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3060
Network
-
Remote address: 8.8.8.8:53
Request: imp.optimuminstaller.com IN A
Response: imp.optimuminstaller.com IN CNAME traff-6.hugedomains.com; traff-6.hugedomains.com IN CNAME hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com; hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com IN A 3.140.13.188; hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com IN A 18.119.154.66
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 3.140.13.188:80
Request:
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response:
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:28 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 3.140.13.188:80
Request:
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response:
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:28 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_62&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 3.140.13.188:80
Request:
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_62&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response:
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:29 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 3.140.13.188:80
Request:
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response:
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:30 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 3.140.13.188:80
Request:
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response:
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:34 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 3.140.13.188:80
Request:
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response:
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:35 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 3.140.13.188:80
Request:
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response:
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:36 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
Remote address: 8.8.8.8:53
Request: www.hugedomains.com IN A
Response: www.hugedomains.com IN A 104.26.7.37; www.hugedomains.com IN A 172.67.70.191; www.hugedomains.com IN A 104.26.6.37
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 104.26.7.37:443
Request:
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Host: www.hugedomains.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: site_version_phase=108; expires=Mon, 29-Sep-2025 08:54:29 GMT; path=/
set-cookie: site_version=HDv3; expires=Mon, 29-Sep-2025 08:54:29 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uud32TztYsw5nsACBKUn35JOi6LnqL55DZ2YtP%2By2yZybcDbzzBArRZ6Op1qU8uduOhM5v3p8Vv6FdQ83RitqkMCNNFED99cgowImaiAZniVvwOFQLU66FZf9SXlEldNWg6kodQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f28fdaacbd7e-LHR
Content-Encoding: gzip
-
Remote address: 8.8.8.8:53
Request: c.pki.goog IN A
Response: c.pki.goog IN CNAME pki-goog.l.google.com; pki-goog.l.google.com IN A 172.217.169.67
-
Remote address: 172.217.169.67:80
Request:
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Oct 2024 08:24:08 GMT
Expires: Fri, 04 Oct 2024 09:14:08 GMT
Cache-Control: public, max-age=3000
Age: 1820
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 172.217.169.67:80
Request:
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Oct 2024 08:24:11 GMT
Expires: Fri, 04 Oct 2024 09:14:11 GMT
Cache-Control: public, max-age=3000
Age: 1818
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 104.26.7.37:443
Request:
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:29 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FFKVLsgPSrSejgvnplxBS%2BsCdONR9%2BLwjSqIpIg4b7cfbhjMf0OdoL0wL2dZDPMzTqWoOpd0SrBDRIgHJ2VY6rkx%2BzD%2F9e%2Be7BtH%2F%2F0HmKHsMzm2%2Beylt6Ux6Klh8V5%2FaGoT4Yg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f292cab5cdb2-LHR
Content-Encoding: gzip
-
Remote address: 8.8.8.8:53
Request: install2.optimum-installer.com IN A
Response: (no answer records)
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 104.26.7.37:443
Request:
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y0WfvhR6%2B%2Bd7nZC4pcEE02uvTuFNvdfl1pdG%2BE8pLeukrPf9E%2BQ7xC4AOGUkjrYkiaDaKHSAdFSagAzNpxxargxLqIBY6f9GLJHodMt0PXXyT08aD9y5kX3t3DzC85SgKSAxQes%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2961f435312-LHR
Content-Encoding: gzip
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 104.26.7.37:443
Request:
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=049n8V0e2hYRrDjOR5a9cYuq3R41jBPlJxIoVKecWoWjhB07rOk9Gd6cKHge0MrPJ%2BRZr4QoxA6EwbGkoPpRV6GoRr9iCzCur2MnlgCJC8CeuV7y1GZroixz6rcsymGQQf3DY0I%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f299ee3963fe-LHR
Content-Encoding: gzip
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 104.26.7.37:443
Request:
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:35 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xvH5d2d4dizu%2Bue%2Bh%2FFoKkAnBAWqd3MHvmGePqkvwIXxCBxlqj9wABYP91av4OdWRvL0NzVP4IkGkZ3JsG6pu7cgpu4Sd477pKGdvkQzlK%2F1qyfoTAw2QhOs1Z1YlSe8ANxfN0w%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2b85fc8948e-LHR
Content-Encoding: gzip
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 104.26.7.37:443
Request:
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yGJS%2FbyGSLiNQ27Xdf%2BLuN%2FtNDgDRVXyk%2BXWLXJLZZjvZd2PR2B7Mg8wSOj%2FgubcL9i9rrhOZhR07RwbUcIoHUXv8sqpd6x3GBHuFWsS%2FVg9fW9kD%2FezjRiReNIo7dIeYfOsca8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2bb9e44952c-LHR
Content-Encoding: gzip
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 104.26.7.37:443
Request:
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Host: www.hugedomains.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:37 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q%2FrVr9YpFhBaTCzImLP2Yx%2FOUzhfhPc8GlgrUd%2FNhATMtssUDznNzaC86D4xPA1sQl95Xk51CDVjdvOPjo02LkI%2Bvy78ObABhAfDWa0m%2FFrJKgpS9n4ctKAWWZ4S9C69mWNG2%2F0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2c4cc6d63c3-LHR
Content-Encoding: gzip
-
Remote address: 8.8.8.8:53
Request: crl.microsoft.com IN A
Response: crl.microsoft.com IN CNAME crl.www.ms.akadns.net; crl.www.ms.akadns.net IN CNAME a1363.dscg.akamai.net; a1363.dscg.akamai.net IN A 2.19.117.18; a1363.dscg.akamai.net IN A 2.19.117.22
-
Remote address: 2.19.117.18:80
Request:
GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
ETag: 0x8DCDDD1E3AF2C76
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: b28c4ea1-d01e-0016-0ebc-0fa13d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 04 Oct 2024 08:55:02 GMT
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request: www.microsoft.com IN A
Response: www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net; www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net; www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net; e13678.dscb.akamaiedge.net IN A 2.17.5.133
-
Remote address: 2.17.5.133:80
Request:
GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: cyz+t2uRxNE5eKALjGZu1w==
Last-Modified: Sun, 18 Aug 2024 00:23:49 GMT
ETag: 0x8DCBF1C07FCB4BF
x-ms-request-id: f8a60053-701e-000f-593e-f12186000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 04 Oct 2024 08:55:02 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV3d43708b.0
ms-cv-esi: CASMicrosoftCV3d43708b.0
X-RTag: RT
-
Network flows (remote address | URL | protocol | process | bytes sent | bytes received | packets sent | packets received):
-
3.140.13.188:80 | http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean | http | 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe | 2.8kB | 1.5kB | 18 | 9
HTTP requests on this flow:
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean -> 302
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean -> 302
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_62&spsource=&offer_id=clean -> 302
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean -> 302
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean -> 302
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean -> 302
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean -> 302
-
104.26.7.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com | tls, http | 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe | 1.2kB | 14.5kB | 15 | 19
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
-
172.217.169.67:80 | http://c.pki.goog/r/r4.crl | http | 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe | 560 B | 5.0kB | 7 | 6
GET http://c.pki.goog/r/gsr1.crl -> 200
GET http://c.pki.goog/r/r4.crl -> 200
-
104.26.7.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com | tls, http | 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe | 1.1kB | 6.9kB | 10 | 13
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
-
104.26.7.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com | tls, http | 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe | 1.5kB | 14.6kB | 20 | 23
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
-
104.26.7.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com | tls, http | 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe | 1.3kB | 14.4kB | 14 | 19
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
-
104.26.7.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com | tls, http | 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe | 1.1kB | 6.9kB | 10 | 12
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
-
104.26.7.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com | tls, http | 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe | 1.1kB | 11.2kB | 12 | 15
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
-
104.26.7.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com | tls, http | 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe | 1.1kB | 6.9kB | 11 | 13
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
-
(remote address, URL, protocol and process not shown) | 399 B | 1.7kB | 4 | 4
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl -> 200
-
(remote address, URL, protocol and process not shown) | 393 B | 1.7kB | 4 | 4
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl -> 200
DNS flows (bytes sent | bytes received | packets sent | packets received):
-
70 B | 201 B | 1 | 1
DNS Request: imp.optimuminstaller.com
DNS Response: 3.140.13.188, 18.119.154.66
-
65 B | 113 B | 1 | 1
DNS Request: www.hugedomains.com
DNS Response: 104.26.7.37, 172.67.70.191, 104.26.6.37
-
56 B | 107 B | 1 | 1
DNS Request: c.pki.goog
DNS Response: 172.217.169.67
-
76 B | 149 B | 1 | 1
DNS Request: install2.optimum-installer.com
DNS Response: (no address records; 149 B came back without an answer)
-
63 B | 162 B | 1 | 1
DNS Request: crl.microsoft.com
DNS Response: 2.19.117.18, 2.19.117.22
-
63 B | 230 B | 1 | 1
DNS Request: www.microsoft.com
DNS Response: 2.17.5.133
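Triage helper for the Network section above. This is an added example, not code from tria.ge or from the sample: it separates the sample's own telemetry beacons (the pipe-prefixed User-Agent recorded in every impression.do request) from CRL downloads made by Windows' CryptoAPI during certificate-chain validation, extracts the ordered event sequence and the shared user_id, recovers the offers.json config URL that the install_bad_config beacon embedded without percent-encoding, notes that the telemetry host only ever redirected to a domain-parking page, and cross-checks the config host against the DNS answers (install2.optimum-installer.com got none). HTTP_FLOWS and DNS are constructed from the requests, responses and DNS records shown in this report so the script runs offline; the label names ("sample-beacon", "cryptoapi-crl") and the assumption that offer_id is the last query parameter are this script's own.

```python
"""Added triage helper for this report's Network section (not tria.ge code,
not the sample's code).  HTTP_FLOWS and DNS are constructed from the
requests, responses and DNS answers shown in the report."""
import re
from urllib.parse import parse_qs, urlsplit

# User-Agent strings exactly as recorded in the report.  The sample's UA
# starts with a stray '|', which is an unusual and cheap string to alert on.
SAMPLE_UA = "|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
CRYPTOAPI_UA = "Microsoft-CryptoAPI/6.1"
PARK = "https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com"
IMP = ("http://imp.optimuminstaller.com/impression.do/"
       "?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=")

# (url, user_agent, status, location) per HTTP request, taken from the report.
HTTP_FLOWS = [
    (IMP + "setup_run&spsource=&offer_id=clean", SAMPLE_UA, 302, PARK),
    (IMP + "dpi_1&spsource=&offer_id=clean", SAMPLE_UA, 302, PARK),
    (IMP + "json_installer_initialize_62&spsource=&offer_id=clean", SAMPLE_UA, 302, PARK),
    (IMP + "install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com"
           "/config/clean/offers.json?version=1.0&pid=installer"
           "&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean", SAMPLE_UA, 302, PARK),
    (IMP + "dotnet_version_4.0&spsource=&offer_id=clean", SAMPLE_UA, 302, PARK),
    (IMP + "offer_0_accepted_&spsource=&offer_id=clean", SAMPLE_UA, 302, PARK),
    (IMP + "setup_complete&spsource=&offer_id=clean", SAMPLE_UA, 302, PARK),
    (PARK, SAMPLE_UA, 200, None),
    ("http://c.pki.goog/r/gsr1.crl", CRYPTOAPI_UA, 200, None),
    ("http://c.pki.goog/r/r4.crl", CRYPTOAPI_UA, 200, None),
    ("http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
     CRYPTOAPI_UA, 200, None),
    ("http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl",
     CRYPTOAPI_UA, 200, None),
]

# A-record answers per queried name, from the report (empty list = no answer).
DNS = {
    "imp.optimuminstaller.com": ["3.140.13.188", "18.119.154.66"],
    "www.hugedomains.com": ["104.26.7.37", "172.67.70.191", "104.26.6.37"],
    "c.pki.goog": ["172.217.169.67"],
    "install2.optimum-installer.com": [],
    "crl.microsoft.com": ["2.19.117.18", "2.19.117.22"],
    "www.microsoft.com": ["2.17.5.133"],
}


def classify(user_agent):
    """CryptoAPI's UA marks CRL downloads made by Windows certificate-chain
    validation (on behalf of whichever process built the chain); the
    pipe-prefixed UA marks requests issued by the sample's own HTTP code."""
    if user_agent.startswith("Microsoft-CryptoAPI/"):
        return "cryptoapi-crl"
    if user_agent.startswith("|"):
        return "sample-beacon"
    return "unknown"


def beacon_events(flows):
    """(user_id, event) in request order for every impression.do hit."""
    out = []
    for url, _ua, _status, _loc in flows:
        parts = urlsplit(url)
        if not parts.path.startswith("/impression.do"):
            continue
        q = parse_qs(parts.query)
        out.append((q.get("user_id", [""])[0], q.get("event", [""])[0]))
    return out


def parked_hosts(flows):
    """Hosts that answered with a redirect to a domain-parking page: the
    telemetry domain still resolves, but nobody is collecting the beacons."""
    parked = set()
    for url, _ua, status, location in flows:
        if status in (301, 302) and location:
            if urlsplit(location).netloc.endswith("hugedomains.com"):
                parked.add(urlsplit(url).netloc)
    return parked


# The install_bad_config beacon embeds the config URL without percent-encoding,
# so parse_qs would split it on its own '&' (pid=, ts= leak into the outer
# query).  Anchor on the trailing offer_id= instead; this assumes offer_id is
# the last parameter, as it is in this report.
REFERRER_RE = re.compile(r"referrer=\d*\|(?P<url>.+?)&offer_id=")


def config_url(flows):
    for url, _ua, _status, _loc in flows:
        if "event=install_bad_config" in url:
            m = REFERRER_RE.search(url)
            if m:
                return m.group("url")
    return None


def unresolved(dns):
    return {name for name, answers in dns.items() if not answers}


def triage(flows, dns):
    events = beacon_events(flows)
    cfg = config_url(flows)
    cfg_host = urlsplit(cfg).netloc if cfg else None
    kinds = [classify(ua) for _url, ua, _status, _loc in flows]
    return {
        "user_ids": sorted({uid for uid, _event in events}),
        "events": [event for _uid, event in events],
        "parked_hosts": sorted(parked_hosts(flows)),
        "config_url": cfg,
        "config_host_unresolved": cfg_host in unresolved(dns),
        "sample_requests": kinds.count("sample-beacon"),
        "cryptoapi_crl_fetches": kinds.count("cryptoapi-crl"),
    }


if __name__ == "__main__":
    for key, value in triage(HTTP_FLOWS, DNS).items():
        print(f"{key}: {value}")
```

Running it yields the seven-step event sequence from setup_run to setup_complete under one user_id, imp.optimuminstaller.com as a parked host, the offers.json URL on install2.optimum-installer.com with its config host flagged unresolved, 8 sample requests and 4 CryptoAPI CRL fetches. The unresolved config host and the install_bad_config event line up: the installer reported a bad config after it could not fetch one. Note that the "referrer=0|..." handling is the part most worth keeping for other samples of this installer family, since naive query parsing silently truncates the nested URL.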
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 5KB
MD5: 1959eb33004d6107d3412e109c37b742
SHA1: 59c3a787483e7743d5b805cd36726a0bec7e4992
SHA256: e60a764cd4d721c9fd261555510c51c668d112a37f2da2f0be1da6dceaa5f8ad
SHA512: 238724a6b809d371c6ebab6057c61019e48caf7dd3245c6dca77efb5c015703a206472a9b82f778114c8dce3f10dd13fba972644b137020e4e5507053358e68e