c9c98f92d4eee2ed2cb55d7410b6e3528c39d08d83cdac92526ca9bd34c1e00f

Analysis

max time kernel
95s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 08:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Size

576KB
MD5

12aa4a99be0d56cff118505edb815346
SHA1

a3fc6df33b90821231200771af03fd042228218b
SHA256

c9c98f92d4eee2ed2cb55d7410b6e3528c39d08d83cdac92526ca9bd34c1e00f
SHA512

18a03073629d384cdce192cc8a199777c6ab37414ab339713e1f952ae24d9e13dce0edd3e067c6c789ad7e2cf69436f039358e7c6cb6713b51f13b29559709d4
SSDEEP

12288:m4GdCP0FvEgU41cdqUK6Tgmss1sjZ7UqngHK6j1f6P0tB/6p5S:m4Gdtvi41cdqUK6T6s1sjFUqd6jlaYKS

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3768	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
3768	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3768	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3768	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3768	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
3768	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
3768	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
3768	12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3768

Network

DNS

imp.optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

imp.optimuminstaller.com

IN A

Response

imp.optimuminstaller.com

IN CNAME

traff-1.hugedomains.com

traff-1.hugedomains.com

IN CNAME

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

IN A

54.209.32.212

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

IN A

52.71.57.184
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

54.209.32.212:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:29 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

54.209.32.212:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:29 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_31&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

54.209.32.212:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_31&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:30 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

54.209.32.212:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:30 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

54.209.32.212:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
DNS

www.hugedomains.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

www.hugedomains.com

IN A

Response

www.hugedomains.com

IN A

172.67.70.191

www.hugedomains.com

IN A

104.26.7.37

www.hugedomains.com

IN A

104.26.6.37
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.67.70.191:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: site_version_phase=108; expires=Mon, 29-Sep-2025 08:54:29 GMT; path=/
set-cookie: site_version=HDv3; expires=Mon, 29-Sep-2025 08:54:29 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SraUGUBSmDxNmkmeOePFcpdsKuN%2Bd4gakbYxoE%2BqFpXQ%2Bf24AfLHjYiErk3sY4nFDdhzgKzUgJSIMNGtxt0hhdQD2SC0UsfjcZv5R9dtTQM2SDguCWFqRfvArYwBr5RC6NSvr88%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f293acd50666-LHR
Content-Encoding: gzip
DNS

c.pki.goog

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

172.217.169.67
GET

http://c.pki.goog/r/gsr1.crl

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.217.169.67:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Oct 2024 08:24:08 GMT
Expires: Fri, 04 Oct 2024 09:14:08 GMT
Cache-Control: public, max-age=3000
Age: 1821
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.217.169.67:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Oct 2024 08:24:11 GMT
Expires: Fri, 04 Oct 2024 09:14:11 GMT
Cache-Control: public, max-age=3000
Age: 1818
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

212.32.209.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.32.209.54.in-addr.arpa

IN PTR

Response

212.32.209.54.in-addr.arpa

IN PTR

ec2-54-209-32-212 compute-1 amazonawscom
DNS

191.70.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.70.67.172.in-addr.arpa

IN PTR

Response
DNS

67.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.169.217.172.in-addr.arpa

IN PTR

Response

67.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f31e100net
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.67.70.191:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:30 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TxzojChAMGzA80feIg1b1kRkdl3xS3IhrlE4cRVtM%2FdE3fd0%2F5WcxFe6raxLiQk9BfrjwkdunokAxKXQ%2BBsqFjfU%2BdOnB%2FFF98OfHv09WCLyd0nQv2%2F8blFFeQoA%2BCqbYpJsCmo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f296680c732d-LHR
Content-Encoding: gzip
DNS

install2.optimum-installer.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

install2.optimum-installer.com

IN A

Response
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.67.70.191:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:30 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A%2BJYfadLAMHd%2FWGKo6R4KQRfRC30mwP1x0mMWJQfxQi1YItSVVd%2Bd74xYclMAzPh8qqmn9D6Vna4dvfF9wYKqTZzgCNT7IH8q0v0nPkic5h6PnA4fZ8lUnBgNehAZc9nIdnd7Ls%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f29958736341-LHR
Content-Encoding: gzip
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.67.70.191:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:31 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:30 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oNXk8I4SC%2BYexhEI%2FqUBxDmG7B8kd7kI8RVMkspXI5PIO6ZCzcal3TB4xnLesp9xj5a4cJ%2B8FcuEFBC2j5cXjCGXvZlwZsJKLq%2BISHF4Lk9Ri61k4%2BLFyoxzwdo%2FSfnzILHPzCk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f29b4f89bea2-LHR
Content-Encoding: gzip
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

54.209.32.212:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:35 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

54.209.32.212:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:35 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

54.209.32.212:80

Request

GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com

Response

HTTP/1.1 302 Found

content-length: 0
date: Fri, 04 Oct 2024 08:54:36 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.67.70.191:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:36 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kq8onLVSbGH5TAYWaoMpJuPmJfarNUK%2B5FNQ7PTK0UQaUWSsXeJJqAgIw%2BCzGiylC0T783fw%2BuN%2BP0wc69IamfRfmsz9Cqi5n8JYeHdjPPYhUWSvz1OCdEmVmctSN1cPnpOlhrM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2bbef0d7332-LHR
Content-Encoding: gzip
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.67.70.191:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:36 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:36 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=52yNbUE5NagPrB69YHn7LITj8joHoP5ulNLM2dXpIsMQROXGR%2BJ6%2BvN%2FwN32nWJ3mLoxanIqEiqwgBrCTIoBtw%2BiMzy2dHBHjolkSjWtZpIzceCessQ3Iz1EI0brjexmA3FgkkU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2be8e6e6377-LHR
Content-Encoding: gzip
DNS

install2.optimum-installer.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

install2.optimum-installer.com

IN A

Response
GET

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

Remote address:

172.67.70.191:443

Request

GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 08:54:38 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=14G%2F88tyLZKJn2ysKJ%2BSfHjVUKx%2FHYUQSSWwjQ2RlEMmK641ADuQ2IhPybpo5wCjBeTXYVHb3X7z%2FxNG6dngVGkNwTsrC%2BTnGEJ%2BYlsMYKMTM5xKjssHud9BbjZ%2FxLznEv6tftY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2c70ad748ca-LHR
Content-Encoding: gzip
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

68.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.32.126.40.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

54.209.32.212:80

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean

http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

2.1kB
1.0kB
13
9

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_31&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean
172.67.70.191:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.5kB
14.6kB
22
18

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
172.217.169.67:80

http://c.pki.goog/r/r4.crl

http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

556 B
3.8kB
7
5

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
172.67.70.191:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.4kB
3.8kB
14
10

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
172.67.70.191:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.4kB
3.8kB
14
10

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
172.67.70.191:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.4kB
3.8kB
14
10

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
54.209.32.212:80

http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean

http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.3kB
689 B
10
5

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean

HTTP Response

302

HTTP Request

GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean

HTTP Response

302
172.67.70.191:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.8kB
11.4kB
24
20

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
172.67.70.191:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.3kB
3.7kB
13
9

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200
172.67.70.191:443

https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

tls, http

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

1.7kB
11.3kB
21
17

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com

HTTP Response

200

8.8.8.8:53

imp.optimuminstaller.com

dns

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

70 B
200 B
1
1

DNS Request

imp.optimuminstaller.com

DNS Response

54.209.32.212

52.71.57.184
8.8.8.8:53

www.hugedomains.com

dns

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

65 B
113 B
1
1

DNS Request

www.hugedomains.com

DNS Response

172.67.70.191

104.26.7.37

104.26.6.37
8.8.8.8:53

c.pki.goog

dns

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

172.217.169.67
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

212.32.209.54.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

212.32.209.54.in-addr.arpa
8.8.8.8:53

191.70.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

191.70.67.172.in-addr.arpa
8.8.8.8:53

67.169.217.172.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

67.169.217.172.in-addr.arpa
8.8.8.8:53

install2.optimum-installer.com

dns

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

76 B
149 B
1
1

DNS Request

install2.optimum-installer.com
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

install2.optimum-installer.com

dns

12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe

76 B
149 B
1
1

DNS Request

install2.optimum-installer.com
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

68.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

68.32.126.40.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

146 B
147 B
2
1

DNS Request

104.219.191.52.in-addr.arpa

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\truste.jpg

Filesize
5KB

MD5
1959eb33004d6107d3412e109c37b742

SHA1
59c3a787483e7743d5b805cd36726a0bec7e4992

SHA256
e60a764cd4d721c9fd261555510c51c668d112a37f2da2f0be1da6dceaa5f8ad

SHA512
238724a6b809d371c6ebab6057c61019e48caf7dd3245c6dca77efb5c015703a206472a9b82f778114c8dce3f10dd13fba972644b137020e4e5507053358e68e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.