Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

5

24e7882f29...18.exe

windows7-x64

7

24e7882f29...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/10/2024, 20:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    24e7882f29cb3915c27491d3e5df82b0

  • SHA1

    41c7097a2751f4f0b6af0eb9c4f0bcdfdfb18212

  • SHA256

    3c4ff0e177a533320009993a981a518ca186fc33cac5b99ccad9d7d9631b5816

  • SHA512

    f8e6d9859c5ea83bcb1b40fb7169fc6249378cd2bdd97adafa063a401dcb1e7fb2e53b1afcf2252dfefc53326b050a178426f6a8211db4fc3fd9d4dac0c67632

  • SSDEEP

    49152:NMRWzjeL822+lKZqAg63HcFAXrPu0q9ay3:WwewB+HFIzzq93

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:2116

Network

  • flag-us
    DNS
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    cutit.org
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    cutit.org
    IN A
    Response
    cutit.org
    IN A
    172.232.25.148
    cutit.org
    IN A
    172.232.4.213
    cutit.org
    IN A
    172.232.31.180
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3B622596D24D62A731D43085D34B63D7; domain=.bing.com; expires=Mon, 03-Nov-2025 01:54:35 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D4995AEE077542CB8080879CAE2F8665 Ref B: LON601060107060 Ref C: 2024-10-09T01:54:35Z
    date: Wed, 09 Oct 2024 01:54:34 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3B622596D24D62A731D43085D34B63D7
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=YBjT2D8ceajOH2A41-AJZ_YjyQ7PmNjaDXzXS68EffU; domain=.bing.com; expires=Mon, 03-Nov-2025 01:54:35 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A00C39622AFC435EBCE2527C1E56394C Ref B: LON601060107060 Ref C: 2024-10-09T01:54:35Z
    date: Wed, 09 Oct 2024 01:54:35 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3B622596D24D62A731D43085D34B63D7; MSPTC=YBjT2D8ceajOH2A41-AJZ_YjyQ7PmNjaDXzXS68EffU
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 79729361C5E34C40A3BE33CA29ED16DA Ref B: LON601060107060 Ref C: 2024-10-09T01:54:35Z
    date: Wed, 09 Oct 2024 01:54:35 GMT
  • flag-us
    DNS
    148.25.232.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    148.25.232.172.in-addr.arpa
    IN PTR
    Response
    148.25.232.172.in-addr.arpa
    IN PTR
    172-232-25-148iplinodeusercontentcom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    q.gs
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    q.gs
    IN A
    Response
    q.gs
    IN A
    172.67.193.84
    q.gs
    IN A
    104.21.84.133
  • flag-us
    GET
    http://q.gs/EVnYC
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    172.67.193.84:80
    Request
    GET /EVnYC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: q.gs
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Date: Wed, 09 Oct 2024 01:54:38 GMT
    Content-Type: text/html
    Content-Length: 143
    Connection: keep-alive
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Location: https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TGvI6tLqAvQ52ZneYVf1n4wcMualtUU5L4KVzz%2FRILkDitdvXBHr7KbJHONxbc9gg%2F1NZslOVLINTDBbujpv5cpyTFbryJb0tPrtRSrY0o83vX4XKWS5"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8cfabe712c6abd9a-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    publisher.linkvertise.com
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    publisher.linkvertise.com
    IN A
    Response
    publisher.linkvertise.com
    IN A
    104.22.22.72
    publisher.linkvertise.com
    IN A
    104.22.23.72
    publisher.linkvertise.com
    IN A
    172.67.31.186
  • flag-us
    GET
    https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    104.22.22.72:443
    Request
    GET /adfly-hard-migrator/url?url=http://q.gs/EVnYC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Cache-Control: no-cache
    Host: publisher.linkvertise.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Date: Wed, 09 Oct 2024 01:54:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    location: https://linkvertise.com/adfly-notice
    Cache-Control: no-cache, private
    vary: Origin
    set-cookie: laravel_session=NH8M2bO6yGHsEPe2QGcfSQzuimYHVpRuTsKQMSVA; expires=Thu, 09 Oct 2025 01:54:39 GMT; Max-Age=31536000; path=/; domain=.linkvertise.com; httponly
    CF-Cache-Status: DYNAMIC
    Set-Cookie: __cf_bm=45tQkUyV4A59.MKgIjsSzwv5FrYB.QIWwZsuuwEbG10-1728438879-1.0.1.1-FVWN8DxJaYLUAs_v6pigX2aAf.7dVAcaOfS1tYYo9h3VRYif6fJS_xgABULmevbd_3rSppunVJOK5fTmKXHK8g; path=/; expires=Wed, 09-Oct-24 02:24:39 GMT; domain=.linkvertise.com; HttpOnly; Secure; SameSite=None
    X-Frame-Options: sameorigin
    Server: cloudflare
    CF-RAY: 8cfabe747d608879-LHR
  • flag-us
    DNS
    c.pki.goog
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.195
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    142.250.187.195:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 09 Oct 2024 01:43:38 GMT
    Expires: Wed, 09 Oct 2024 02:33:38 GMT
    Cache-Control: public, max-age=3000
    Age: 661
    Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    142.250.187.195:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 09 Oct 2024 01:43:45 GMT
    Expires: Wed, 09 Oct 2024 02:33:45 GMT
    Cache-Control: public, max-age=3000
    Age: 654
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    linkvertise.com
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    linkvertise.com
    IN A
    Response
    linkvertise.com
    IN A
    104.22.23.72
    linkvertise.com
    IN A
    172.67.31.186
    linkvertise.com
    IN A
    104.22.22.72
  • flag-us
    GET
    https://linkvertise.com/adfly-notice
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Remote address:
    104.22.23.72:443
    Request
    GET /adfly-notice HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Cache-Control: no-cache
    Connection: Keep-Alive
    Host: linkvertise.com
    Cookie: laravel_session=NH8M2bO6yGHsEPe2QGcfSQzuimYHVpRuTsKQMSVA; __cf_bm=45tQkUyV4A59.MKgIjsSzwv5FrYB.QIWwZsuuwEbG10-1728438879-1.0.1.1-FVWN8DxJaYLUAs_v6pigX2aAf.7dVAcaOfS1tYYo9h3VRYif6fJS_xgABULmevbd_3rSppunVJOK5fTmKXHK8g
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 01:54:39 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    Link: <//cdn.exmarketplace.com>; rel="preconnect", <//securepubads.g.doubleclick.net>; rel="preconnect"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=toc7CzhJmrqPBpklWAuNtEz8LFpDUedlk%2BzTT5AXB9A9Odx050SvANl2sjqV4B%2Fow2PpWqxefrEgQc2cnLWLCL5O%2Bvgsdypg0KtWjKYBXrKVt4zWNjvooS%2B6PiyxmQ7t2aA%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    Speculation-Rules: "/cdn-cgi/speculation"
    CF-Cache-Status: DYNAMIC
    X-Frame-Options: sameorigin
    Server: cloudflare
    CF-RAY: 8cfabe769eb17735-LHR
  • flag-us
    DNS
    84.193.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    84.193.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    195.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    195.187.250.142.in-addr.arpa
    IN PTR
    Response
    195.187.250.142.in-addr.arpa
    IN PTR
    lhr25s33-in-f31e100net
  • flag-us
    DNS
    72.22.22.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.22.22.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.23.22.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.23.22.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98deploystaticakamaitechnologiescom
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    10.73.50.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.73.50.20.in-addr.arpa
    IN PTR
    Response
  • 172.232.25.148:443
    cutit.org
    tls
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    452 B
     219 B
     6
    5
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
    tls, http2
    2.0kB
     9.3kB
     21
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=096fab895fea43f2b43b9bdd5073989b&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=

    HTTP Response

    204
  • 172.232.25.148:443
    cutit.org
    tls
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    398 B
     219 B
     6
    5
  • 172.232.25.148:443
    cutit.org
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    190 B
     132 B
     4
    3
  • 172.67.193.84:80
    http://q.gs/EVnYC
    http
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    428 B
     1.1kB
     6
    4

    HTTP Request

    GET http://q.gs/EVnYC

    HTTP Response

    302
  • 104.22.22.72:443
    https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
    tls, http
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    1.1kB
     4.9kB
     13
    10

    HTTP Request

    GET https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC

    HTTP Response

    302
  • 142.250.187.195:80
    http://c.pki.goog/r/r4.crl
    http
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    602 B
     3.9kB
     8
    6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 104.22.23.72:443
    https://linkvertise.com/adfly-notice
    tls, http
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    3.1kB
     53.2kB
     53
    50

    HTTP Request

    GET https://linkvertise.com/adfly-notice

    HTTP Response

    200
  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    cutit.org
    dns
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    55 B
     103 B
     1
    1

    DNS Request

    cutit.org

    DNS Response

    172.232.25.148
    172.232.4.213
    172.232.31.180

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     148 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    148.25.232.172.in-addr.arpa
    dns
    73 B
     126 B
     1
    1

    DNS Request

    148.25.232.172.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    q.gs
    dns
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    50 B
     82 B
     1
    1

    DNS Request

    q.gs

    DNS Response

    172.67.193.84
    104.21.84.133

  • 8.8.8.8:53
    publisher.linkvertise.com
    dns
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    71 B
     119 B
     1
    1

    DNS Request

    publisher.linkvertise.com

    DNS Response

    104.22.22.72
    104.22.23.72
    172.67.31.186

  • 8.8.8.8:53
    c.pki.goog
    dns
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    56 B
     107 B
     1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.195

  • 8.8.8.8:53
    linkvertise.com
    dns
    24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    61 B
     109 B
     1
    1

    DNS Request

    linkvertise.com

    DNS Response

    104.22.23.72
    172.67.31.186
    104.22.22.72

  • 8.8.8.8:53
    84.193.67.172.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    84.193.67.172.in-addr.arpa

  • 8.8.8.8:53
    195.187.250.142.in-addr.arpa
    dns
    74 B
     112 B
     1
    1

    DNS Request

    195.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    72.22.22.104.in-addr.arpa
    dns
    71 B
     133 B
     1
    1

    DNS Request

    72.22.22.104.in-addr.arpa

  • 8.8.8.8:53
    72.23.22.104.in-addr.arpa
    dns
    71 B
     133 B
     1
    1

    DNS Request

    72.23.22.104.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
     160 B
     1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    10.73.50.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    10.73.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
    Filesize

    2.6MB

    MD5

    8b748715e6b4925607e952658eac8cfd

    SHA1

    ab266f4803c484ad496e6f7962708d0bb4dfb4a8

    SHA256

    5056a359b1df4a9876c838a9531fecb367f5e1a1c5a4130b1df27a6ac3dcd7db

    SHA512

    8132a4caa3be15524818da0801c0e465332e23a92b9655f740dd1b3ae492e5f6227ba762b2da19ebcaa95efb40151a8d6034e5a32c3def76373cb3d551903b6f

    Download Submit

  • memory/2116-21-0x0000000002320000-0x000000000257A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2116-20-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2116-29-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3860-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3860-1-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3860-8-0x00000000023F0000-0x000000000264A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3860-13-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.