Analysis
- max time kernel: 95s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/10/2024, 08:54 UTC
Static task: static1
Behavioral task: behavioral1 (Sample: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe; Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe; Resource: win10v2004-20240802-en)
The results on this page are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20240802-en); the Windows 7 run (behavioral1) is not shown here.
General
- Target: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
- Size: 576KB
- MD5: 12aa4a99be0d56cff118505edb815346
- SHA1: a3fc6df33b90821231200771af03fd042228218b
- SHA256: c9c98f92d4eee2ed2cb55d7410b6e3528c39d08d83cdac92526ca9bd34c1e00f
- SHA512: 18a03073629d384cdce192cc8a199777c6ab37414ab339713e1f952ae24d9e13dce0edd3e067c6c789ad7e2cf69436f039358e7c6cb6713b51f13b29559709d4
- SSDEEP: 12288:m4GdCP0FvEgU41cdqUK6Tgmss1sjZ7UqngHK6j1f6P0tB/6p5S:m4Gdtvi41cdqUK6T6s1sjFUqd6jlaYKS
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC; ATT&CK T1614.001)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  IoC: registry key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3768  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe (2 hits)
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 3768  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  PID 3768  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3768  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe (4 hits)
Caveat: the NLS\Language key read is the only signature with an ATT&CK mapping. The FindShellTrayWindow, SendNotifyMessage and SetWindowsHookEx hits are user32 calls that ordinary GUI installers also make (tray notification, window-message hooks), so treat them as context rather than as evidence of malicious intent on their own. Every hit is attributed to the single process 3768; the process tree below contains no child processes.
Processes
- C:\Users\Admin\AppData\Local\Temp\12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  (PID 3768, tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
-
Remote address: 8.8.8.8:53
Request
imp.optimuminstaller.com IN A
Response
imp.optimuminstaller.com IN CNAME traff-1.hugedomains.com
traff-1.hugedomains.com IN CNAME hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com IN A 54.209.32.212
hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com IN A 52.71.57.184
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 54.209.32.212:80
Request
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:29 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 54.209.32.212:80
Request
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:29 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_31&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 54.209.32.212:80
Request
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_31&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:30 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 54.209.32.212:80
Request
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:30 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 54.209.32.212:80
Request
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
-
Remote address: 8.8.8.8:53
Request
www.hugedomains.com IN A
Response
www.hugedomains.com IN A 172.67.70.191
www.hugedomains.com IN A 104.26.7.37
www.hugedomains.com IN A 104.26.6.37
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 172.67.70.191:443
Request
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: site_version_phase=108; expires=Mon, 29-Sep-2025 08:54:29 GMT; path=/
set-cookie: site_version=HDv3; expires=Mon, 29-Sep-2025 08:54:29 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SraUGUBSmDxNmkmeOePFcpdsKuN%2Bd4gakbYxoE%2BqFpXQ%2Bf24AfLHjYiErk3sY4nFDdhzgKzUgJSIMNGtxt0hhdQD2SC0UsfjcZv5R9dtTQM2SDguCWFqRfvArYwBr5RC6NSvr88%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f293acd50666-LHR
Content-Encoding: gzip
-
Remote address: 8.8.8.8:53
Request
c.pki.goog IN A
Response
c.pki.goog IN CNAME pki-goog.l.google.com
pki-goog.l.google.com IN A 172.217.169.67
-
Note: the two c.pki.goog fetches that follow carry User-Agent Microsoft-CryptoAPI/10.0 rather than the installer's own User-Agent. They are Windows certificate-revocation (CRL) downloads for the Google Trust Services chain (gsr1 = the GlobalSign Root R1 cross-sign, r4 = GTS Root R4) that CryptoAPI performs inside the sample's process while validating the preceding TLS connection to www.hugedomains.com; they are a side effect of the parking-page redirect, not installer telemetry.
Remote address: 172.217.169.67:80
Request
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Response
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Oct 2024 08:24:08 GMT
Expires: Fri, 04 Oct 2024 09:14:08 GMT
Cache-Control: public, max-age=3000
Age: 1821
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 172.217.169.67:80
Request
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Response
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Oct 2024 08:24:11 GMT
Expires: Fri, 04 Oct 2024 09:14:11 GMT
Cache-Control: public, max-age=3000
Age: 1818
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 8.8.8.8:53
Request
13.86.106.20.in-addr.arpa IN PTR
Response
no records
-
Remote address: 8.8.8.8:53
Request
212.32.209.54.in-addr.arpa IN PTR
Response
212.32.209.54.in-addr.arpa IN PTR ec2-54-209-32-212.compute-1.amazonaws.com
-
Remote address: 8.8.8.8:53
Request
191.70.67.172.in-addr.arpa IN PTR
Response
no records
-
Remote address: 8.8.8.8:53
Request
67.169.217.172.in-addr.arpa IN PTR
Response
67.169.217.172.in-addr.arpa IN PTR lhr48s09-in-f3.1e100.net
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 172.67.70.191:443
Request
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:30 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TxzojChAMGzA80feIg1b1kRkdl3xS3IhrlE4cRVtM%2FdE3fd0%2F5WcxFe6raxLiQk9BfrjwkdunokAxKXQ%2BBsqFjfU%2BdOnB%2FFF98OfHv09WCLyd0nQv2%2F8blFFeQoA%2BCqbYpJsCmo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f296680c732d-LHR
Content-Encoding: gzip
-
Remote address: 8.8.8.8:53
Request
install2.optimum-installer.com IN A
Response
no records
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 172.67.70.191:443
Request
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:30 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A%2BJYfadLAMHd%2FWGKo6R4KQRfRC30mwP1x0mMWJQfxQi1YItSVVd%2Bd74xYclMAzPh8qqmn9D6Vna4dvfF9wYKqTZzgCNT7IH8q0v0nPkic5h6PnA4fZ8lUnBgNehAZc9nIdnd7Ls%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f29958736341-LHR
Content-Encoding: gzip
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 172.67.70.191:443
Request
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:30 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oNXk8I4SC%2BYexhEI%2FqUBxDmG7B8kd7kI8RVMkspXI5PIO6ZCzcal3TB4xnLesp9xj5a4cJ%2B8FcuEFBC2j5cXjCGXvZlwZsJKLq%2BISHF4Lk9Ri61k4%2BLFyoxzwdo%2FSfnzILHPzCk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f29b4f89bea2-LHR
Content-Encoding: gzip
-
Remote address: 8.8.8.8:53
Request
23.159.190.20.in-addr.arpa IN PTR
Response
no records
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 54.209.32.212:80
Request
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:35 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 54.209.32.212:80
Request
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:35 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 54.209.32.212:80
Request
GET /impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: imp.optimuminstaller.com
Response
HTTP/1.1 302 Found
date: Fri, 04 Oct 2024 08:54:36 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 172.67.70.191:443
Request
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kq8onLVSbGH5TAYWaoMpJuPmJfarNUK%2B5FNQ7PTK0UQaUWSsXeJJqAgIw%2BCzGiylC0T783fw%2BuN%2BP0wc69IamfRfmsz9Cqi5n8JYeHdjPPYhUWSvz1OCdEmVmctSN1cPnpOlhrM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2bbef0d7332-LHR
Content-Encoding: gzip
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 172.67.70.191:443
Request
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: captcha-tracker=; expires=Thu, 03-Oct-2024 08:54:36 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=52yNbUE5NagPrB69YHn7LITj8joHoP5ulNLM2dXpIsMQROXGR%2BJ6%2BvN%2FwN32nWJ3mLoxanIqEiqwgBrCTIoBtw%2BiMzy2dHBHjolkSjWtZpIzceCessQ3Iz1EI0brjexmA3FgkkU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2be8e6e6377-LHR
Content-Encoding: gzip
-
Remote address: 8.8.8.8:53
Request
install2.optimum-installer.com IN A
Response
no records
-
GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com
Process: 12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe
Remote address: 172.67.70.191:443
Request
GET /domain_profile.cfm?d=optimuminstaller.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hugedomains.com
Connection: Keep-Alive
Cookie: site_version_phase=108; site_version=HDv3
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=14G%2F88tyLZKJn2ysKJ%2BSfHjVUKx%2FHYUQSSWwjQ2RlEMmK641ADuQ2IhPybpo5wCjBeTXYVHb3X7z%2FxNG6dngVGkNwTsrC%2BTnGEJ%2BYlsMYKMTM5xKjssHud9BbjZ%2FxLznEv6tftY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd3f2c70ad748ca-LHR
Content-Encoding: gzip
-
Remote address: 8.8.8.8:53
Request
50.23.12.20.in-addr.arpa IN PTR
Response
no records
-
Remote address: 8.8.8.8:53
Request
206.23.85.13.in-addr.arpa IN PTR
Response
no records
-
Remote address: 8.8.8.8:53
Request
68.32.126.40.in-addr.arpa IN PTR
Response
no records
-
Remote address: 8.8.8.8:53
Request
172.214.232.199.in-addr.arpa IN PTR
Response
no records
-
Remote address: 8.8.8.8:53
Request
196.249.167.52.in-addr.arpa IN PTR
Response
no records
-
Remote address: 8.8.8.8:53
Request
104.219.191.52.in-addr.arpa IN PTR
Response
no records
-
Remote address: 8.8.8.8:53
Request
104.219.191.52.in-addr.arpa IN PTR
(repeat query; no response recorded)
-
Remote address: 8.8.8.8:53
Request
149.220.183.52.in-addr.arpa IN PTR
Response
no records
-
Remote address: 8.8.8.8:53
Request
19.229.111.52.in-addr.arpa IN PTR
Response
no records
-
Connections (sent / received / packets sent / packets received)
- 54.209.32.212:80  http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  2.1kB / 1.0kB / 13 / 9
  last URL: http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean
  GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_run&spsource=&offer_id=clean -> 302
  GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dpi_1&spsource=&offer_id=clean -> 302
  GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=json_installer_initialize_31&spsource=&offer_id=clean -> 302
  GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=install_bad_config&spsource=&referrer=0|http://install2.optimum-installer.com/config/clean/offers.json?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z&offer_id=clean -> 302
  GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean -> (no response recorded)
- 172.67.70.191:443  tls, http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  1.5kB / 14.6kB / 22 / 18
  GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
- 172.217.169.67:80  http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  556 B / 3.8kB / 7 / 5
  last URL: http://c.pki.goog/r/r4.crl
  GET http://c.pki.goog/r/gsr1.crl -> 200
  GET http://c.pki.goog/r/r4.crl -> 200
- 172.67.70.191:443  tls, http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  1.4kB / 3.8kB / 14 / 10
  GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
- 172.67.70.191:443  tls, http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  1.4kB / 3.8kB / 14 / 10
  GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
- 172.67.70.191:443  tls, http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  1.4kB / 3.8kB / 14 / 10
  GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
- 54.209.32.212:80  http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  1.3kB / 689 B / 10 / 5
  last URL: http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean
  GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=dotnet_version_4.0&spsource=&offer_id=clean -> 302
  GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=offer_0_accepted_&spsource=&offer_id=clean -> 302
  GET http://imp.optimuminstaller.com/impression.do/?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8&event=setup_complete&spsource=&offer_id=clean -> 302
- 172.67.70.191:443  tls, http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  1.8kB / 11.4kB / 24 / 20
  GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
- 172.67.70.191:443  tls, http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  1.3kB / 3.7kB / 13 / 9
  GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
- 172.67.70.191:443  tls, http  12aa4a99be0d56cff118505edb815346_JaffaCakes118.exe  1.7kB / 11.3kB / 21 / 17
  GET https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com -> 200
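The eight impression.do beacons above are the whole story of this run: the installer reports each stage of its setup to imp.optimuminstaller.com, and every answered request is bounced to a HugeDomains parking page. The following Python is an added example, not part of the sandbox report or of the sample; it rebuilds that event timeline from the captured requests, pulls the second-stage config host out of the unencoded referrer in the install_bad_config beacon, and flags that the endpoint is parked. CAPTURE is constructed from the URLs, User-Agent value (including the leading "|" exactly as the report shows it), status codes and Location headers listed above, in capture order; parse_beacon, timeline, is_parked and assess are names chosen here.

```python
"""Rebuild an installer's telemetry timeline from captured beacon requests.

Added example; the data below is constructed from the report's network
section, and the helper names are assumptions of this example.
"""
from urllib.parse import urlsplit, parse_qs

IMP = ("http://imp.optimuminstaller.com/impression.do/"
       "?user_id=cc67164f-071a-42c1-8ea5-135a2cbc19f8")
UA = "|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
PARKED = "https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com"
# The referrer is sent unencoded, so its own '?' and '&' end up in the outer query.
CONFIG_REF = ("0|http://install2.optimum-installer.com/config/clean/offers.json"
              "?version=1.0&pid=installer&ts=2012-10-23T15:29:08.1685164Z")

# (url, user_agent, status, location); status None = no response recorded
CAPTURE = [
    (IMP + "&event=setup_run&spsource=&offer_id=clean", UA, 302, PARKED),
    (IMP + "&event=dpi_1&spsource=&offer_id=clean", UA, 302, PARKED),
    (IMP + "&event=json_installer_initialize_31&spsource=&offer_id=clean", UA, 302, PARKED),
    (IMP + "&event=install_bad_config&spsource=&referrer=" + CONFIG_REF + "&offer_id=clean",
     UA, 302, PARKED),
    (IMP + "&event=dotnet_version_4.0&spsource=&offer_id=clean", UA, None, None),
    (IMP + "&event=dotnet_version_4.0&spsource=&offer_id=clean", UA, 302, PARKED),
    (IMP + "&event=offer_0_accepted_&spsource=&offer_id=clean", UA, 302, PARKED),
    (IMP + "&event=setup_complete&spsource=&offer_id=clean", UA, 302, PARKED),
]

PARKING_HOSTS = ("hugedomains.com",)   # parking provider seen in the report


def parse_beacon(url):
    """Split one impression.do URL into analyst-relevant fields.

    parse_qs keeps the referrer value up to the next '&', which is enough to
    recover the config host; the referrer's spilled keys (pid, ts) are read
    from the outer query where they landed.
    """
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)

    def first(key):
        return q.get(key, [""])[0]

    out = {
        "host": parts.hostname,
        "user_id": first("user_id"),
        "event": first("event"),
        "offer_id": first("offer_id"),
        "config_host": None,
        "config_ts": first("ts") or None,
    }
    ref = first("referrer")
    if "|" in ref:                                   # format observed: "<flag>|<url>"
        out["config_host"] = urlsplit(ref.split("|", 1)[1]).hostname
    return out


def timeline(capture):
    """Event names in capture order, one per request."""
    return [parse_beacon(url)["event"] for url, _ua, _status, _loc in capture]


def is_parked(status, location):
    """True when a redirect lands on a known domain-parking host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    host = urlsplit(location).hostname or ""
    return any(host == p or host.endswith("." + p) for p in PARKING_HOSTS)


def assess(capture):
    """Summarise what the beacon traffic tells an analyst."""
    beacons = [parse_beacon(url) for url, _ua, _status, _loc in capture]
    return {
        "user_ids": sorted({b["user_id"] for b in beacons}),
        "events": [b["event"] for b in beacons],
        "config_hosts": sorted({b["config_host"] for b in beacons if b["config_host"]}),
        "config_ts": sorted({b["config_ts"] for b in beacons if b["config_ts"]}),
        "user_agents": sorted({ua for _url, ua, _status, _loc in capture}),
        # Every answered beacon redirected to a parking page: the telemetry
        # endpoint is dead, so the run shows the installer's intent, not a
        # live delivery of bundled offers.
        "parked": all(is_parked(s, loc) for _url, _ua, s, loc in capture if s is not None),
        "unanswered": sum(1 for _url, _ua, s, _loc in capture if s is None),
    }


if __name__ == "__main__":
    for name, value in assess(CAPTURE).items():
        print(f"{name}: {value}")
```

The config host and the 2012 timestamp recovered from the referrer are the pivots worth keeping: install2.optimum-installer.com is the server the installer expected to fetch offers.json from, and the DNS section shows it no longer resolves, which is why the installer reports install_bad_config and then completes with nothing installed.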
-
DNS lookups (sent / received / packets sent / packets received)
- imp.optimuminstaller.com -> 54.209.32.212, 52.71.57.184  (70 B / 200 B / 1 / 1)
- www.hugedomains.com -> 172.67.70.191, 104.26.7.37, 104.26.6.37  (65 B / 113 B / 1 / 1)
- c.pki.goog -> 172.217.169.67  (56 B / 107 B / 1 / 1)
- 13.86.106.20.in-addr.arpa (PTR)  (71 B / 157 B / 1 / 1)
- 212.32.209.54.in-addr.arpa (PTR)  (72 B / 127 B / 1 / 1)
- 191.70.67.172.in-addr.arpa (PTR)  (72 B / 134 B / 1 / 1)
- 67.169.217.172.in-addr.arpa (PTR)  (73 B / 111 B / 1 / 1)
- install2.optimum-installer.com -> no records  (76 B / 149 B / 1 / 1)
- 23.159.190.20.in-addr.arpa (PTR)  (72 B / 158 B / 1 / 1)
- install2.optimum-installer.com -> no records  (76 B / 149 B / 1 / 1)
- 50.23.12.20.in-addr.arpa (PTR)  (70 B / 156 B / 1 / 1)
- 206.23.85.13.in-addr.arpa (PTR)  (71 B / 145 B / 1 / 1)
- 68.32.126.40.in-addr.arpa (PTR)  (71 B / 157 B / 1 / 1)
- 172.214.232.199.in-addr.arpa (PTR)  (74 B / 128 B / 1 / 1)
- 196.249.167.52.in-addr.arpa (PTR)  (73 B / 147 B / 1 / 1)
- 104.219.191.52.in-addr.arpa (PTR), queried twice  (146 B / 147 B / 2 / 1)
- 149.220.183.52.in-addr.arpa (PTR)  (73 B / 147 B / 1 / 1)
- 19.229.111.52.in-addr.arpa (PTR)  (72 B / 158 B / 1 / 1)
MITRE ATT&CK Enterprise v15: the only technique mapped in this run is System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language registry read listed under Signatures.
Downloads
- Filesize: 5KB
  MD5: 1959eb33004d6107d3412e109c37b742
  SHA1: 59c3a787483e7743d5b805cd36726a0bec7e4992
  SHA256: e60a764cd4d721c9fd261555510c51c668d112a37f2da2f0be1da6dceaa5f8ad
  SHA512: 238724a6b809d371c6ebab6057c61019e48caf7dd3245c6dca77efb5c015703a206472a9b82f778114c8dce3f10dd13fba972644b137020e4e5507053358e68e