bc1e43d79968ab8cd31b28c30cf02868e4c1139fd453175bf002ef5639b00a8d

Analysis

max time kernel
135s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 20:50 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
Size

495KB
MD5

36bd2a93f18b19139564904ededa008f
SHA1

a83180a69b4b06d1d482f2311cbaa1a734b5da1d
SHA256

bc1e43d79968ab8cd31b28c30cf02868e4c1139fd453175bf002ef5639b00a8d
SHA512

3250e8ddd0a3ac0c7aa147d832949ea0b5dd8eaf6556ba23bec26d317e357dd750a442baf0a8d4a6d0bedfcf3f9fec00dd0b936f9c887af9c6ef8455118245bc
SSDEEP

6144:Be34R2QYNzh36dqXEVTrnCRZG/t7FTBqTzP7n7O7L6K2Bfo7pn:525zh36VVTGf0ZTsnz7O7L6ju7pn

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 13 IoCs

pid	Process
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2900	msedge.exe
2900	msedge.exe
2896	msedge.exe
2896	msedge.exe
4196	identity_helper.exe
4196	identity_helper.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2896	2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe	86
PID 2616 wrote to memory of 2896	2616	36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe	86
PID 2896 wrote to memory of 876	2896	msedge.exe	87
PID 2896 wrote to memory of 876	2896	msedge.exe	87
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 208	2896	msedge.exe	88
PID 2896 wrote to memory of 2900	2896	msedge.exe	89
PID 2896 wrote to memory of 2900	2896	msedge.exe	89
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90
PID 2896 wrote to memory of 3140	2896	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pf.phpnuke.org/s/5/4/54423-54424-powerpoint-to-flash.exe?iv=2012100610&t=1728679835
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd98c46f8,0x7ffcd98c4708,0x7ffcd98c4718
    3⤵
    PID:876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    3⤵
    PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    3⤵
    PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:3024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:1244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
    3⤵
    PID:2308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
    3⤵
    PID:4060
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
    3⤵
    PID:1772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    3⤵
    PID:776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
    3⤵
    PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
    3⤵
    PID:4880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2741456735831835134,6194528761907971310,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5792 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3540

Network

DNS

download.phpnuke.org

36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

download.phpnuke.org

IN A

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=234480287AD66BAC05ED953D7BD06ADB; domain=.bing.com; expires=Wed, 05-Nov-2025 20:50:29 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A4E94EE61C474459916FC506293D7ABF Ref B: LON601060108011 Ref C: 2024-10-11T20:50:29Z
date: Fri, 11 Oct 2024 20:50:29 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=234480287AD66BAC05ED953D7BD06ADB

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=4s9RoSzNo25tsz-5aouFqTdeIWR4gpx9fPZASJsLdU8; domain=.bing.com; expires=Wed, 05-Nov-2025 20:50:29 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0992D7F70F7F4194AE6AD2C024ECAFFE Ref B: LON601060108011 Ref C: 2024-10-11T20:50:29Z
date: Fri, 11 Oct 2024 20:50:29 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=234480287AD66BAC05ED953D7BD06ADB; MSPTC=4s9RoSzNo25tsz-5aouFqTdeIWR4gpx9fPZASJsLdU8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CBA15713A3C14786AE15510B8A3ED0D5 Ref B: LON601060108011 Ref C: 2024-10-11T20:50:29Z
date: Fri, 11 Oct 2024 20:50:29 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

pf.phpnuke.org

msedge.exe

Remote address:

8.8.8.8:53

Request

pf.phpnuke.org

IN A

Response
DNS

pf.phpnuke.org

msedge.exe

Remote address:

8.8.8.8:53

Request

pf.phpnuke.org

IN A

Response
DNS

google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.178.14
DNS

google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.178.14
DNS

pf.phpnuke.org

msedge.exe

Remote address:

8.8.8.8:53

Request

pf.phpnuke.org

IN A

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

98.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.117.19.2.in-addr.arpa

IN PTR

Response

98.117.19.2.in-addr.arpa

IN PTR

a2-19-117-98deploystaticakamaitechnologiescom
DNS

pf.phpnuke.org

msedge.exe

Remote address:

8.8.8.8:53

Request

pf.phpnuke.org

IN A

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

pf.phpnuke.org

msedge.exe

Remote address:

8.8.8.8:53

Request

pf.phpnuke.org

IN A

Response

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

HTTP Response

204

8.8.8.8:53

download.phpnuke.org

dns

36bd2a93f18b19139564904ededa008f_JaffaCakes118.exe

66 B
128 B
1
1

DNS Request

download.phpnuke.org
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

pf.phpnuke.org

dns

msedge.exe

60 B
122 B
1
1

DNS Request

pf.phpnuke.org
8.8.8.8:53

pf.phpnuke.org

dns

msedge.exe

60 B
122 B
1
1

DNS Request

pf.phpnuke.org
8.8.8.8:53

google.com

dns

msedge.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.178.14
8.8.8.8:53

google.com

dns

msedge.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.178.14
224.0.0.251:5353

523 B
8
8.8.8.8:53

pf.phpnuke.org

dns

msedge.exe

60 B
122 B
1
1

DNS Request

pf.phpnuke.org
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

98.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

98.117.19.2.in-addr.arpa
8.8.8.8:53

pf.phpnuke.org

dns

msedge.exe

60 B
122 B
1
1

DNS Request

pf.phpnuke.org
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

pf.phpnuke.org

dns

msedge.exe

60 B
122 B
1
1

DNS Request

pf.phpnuke.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
05f97802be59be83198a18a4d284a5f7

SHA1
169a3f0b897e1f10580811a6b57d1d581ad1e7f4

SHA256
5b7f303d0c6fecb075eed1171966fdf768adf1fea12a94a3122ce2e55c212199

SHA512
bacf115bf80c1c48a41b5e731e2feb9c6ed36c850e9ef5cd4ba088f4dc8dd831f0bda5ee815d1698f9a34d547271ca692d7b3ab03076b44e329dc178cb343d42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60280c4d97ef58c9e579ab6aaab01334

SHA1
9da53359461f47d52194424cc979a73f74a42f67

SHA256
3565b9a7bc0d8d2ed28833e02fc2a10d7849ca9e95451d9e60784dfb9fdbb019

SHA512
16237b94cf78940407ee21f0638d8e119dd1fa5a4fdd92c51c4ea31b2897f828fcf096f460597e319a83da8eaf628ba2070f5df66d1bd698cb0beb450449c4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
467bd8dc8b0d76132112e335d9668052

SHA1
de881461d825da0561a7ce0db7be36558b0ea849

SHA256
eb19252a5187856f7dc2664fa3d558af546a4918193ce975ea1f002d8b6e4901

SHA512
291c17ceac2e741c0a81c6e2ba29556639879fe20524528810aced4ee4ad8a4e249eeda6e046f080b3c53f4354aa44d0547057291b58522adb1ef7a46aa76dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\BrandingURL.dll

Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\UAC.dll

Filesize
17KB

MD5
09caf01bc8d88eeb733abc161acff659

SHA1
b8c2126d641f88628c632dd2259686da3776a6da

SHA256
3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478

SHA512
ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\ioSpecial.ini

Filesize
405B

MD5
6102a95dda39b7254c56e5eced737c8d

SHA1
8c9baa8dc152d41537bd77fa18d71b7a2da8b46b

SHA256
d653e3873a741cafea40a212db04a3868acb7bc62c2f2e097cf769b7cf63903e

SHA512
589aec503c18cd389385d30d0b6b3f75f45e3fccb4611913031171166087c1d66d52158772c67c4409777f5df40a3e0dd249f14431b403a847a1c09f9c939c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\ioSpecial.ini

Filesize
1KB

MD5
ec7fcf8b33c36ecfba9bb78cead61cac

SHA1
84912c495611d643c304cadf969a0e9f68bd08cf

SHA256
c4dc228002490791b3bf611966950e670d8c5a36dd867b0d1dad2640d5655cb6

SHA512
e8d1b625013e2a0aff901f4c94b42698cf0b9fd6e729bcc698fcaf6ed680a9c5780ae3459317043a18cb29aff3a576af39c23b84f402f57d1d5be3375390983d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB76A.tmp\show_page_toolbar

Filesize
1016B

MD5
de86f93cee23f29c4146d0490847826f

SHA1
cd01e4525e6b2cb3e6ced0589af4be9c2d0a0826

SHA256
b7b742ad61715e695a56cd0d1735d969bc7fc2c68899d823fb3ccc677a966ceb

SHA512
3b00c9aa5f3286e963c0ab8e3a827d7382d847ec68313f1a40088d68d0f6eeee61d6a56edc8c45f0a963c80afc9233acaa6fe75123887647ea88ba1aa9222565

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.