Analysis

  • max time kernel
    143s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-10-2024 19:38

General

  • Target

    63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    63f484e36e6533bce2a47bd946486c83

  • SHA1

    8815f16a19e0f8c29587b241e635ddb66a0d54ea

  • SHA256

    7d6908ae43fb741400ac24a976de03ee6e72a8a306e3fdea805aa4257fb93f1b

  • SHA512

    a35cc546c2c49dce9441e3888474bb206262915bd7df81395d7085fa99ef7f6092b61f0a1c0a3669abcc8c0d8e6a8c67633475d3e1cec244220263e7c3b0bd62

  • SSDEEP

    24576:zlVpguGi7f2lUAa6fUSCl8NOzx6UbW63+sV98VnUE+7nunaIYPrK:zjaGfNA3fUSClpxl53+sV98VqnunaI42

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.coolingsolution.ly
  • Port:
    587
  • Username:
    info@coolingsolution.ly
  • Password:
    0922126259Gofran
  • Email To:
    issyusa@yandex.com

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1772
          4⤵
          • Program crash
          PID:468
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3868 -ip 3868
    1⤵
      PID:2612
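
Added example, not part of the sandbox report: the process tree above rebuilt in Python so that the self-injection chain can be flagged mechanically. The PIDs, image paths, per-process behaviour hits and WerFault command lines are copied from the Processes section; the hollowing heuristic (parent spawns its own image and shows both SetThreadContext and WriteProcessMemory) and the function names are the editor's, not something the report itself computes.

```python
"""Rebuild the sandbox process tree and flag the self-injection chain.

Heuristic: a parent that spawns a child from its *own* image and shows
both SetThreadContext and WriteProcessMemory is a process-hollowing
candidate; the child is the stage that actually runs the payload.
WerFault's '-p <pid>' argument tells us which stage crashed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    behaviours: set = field(default_factory=set)
    cmdline: str = ""


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the 'Processes' tree of this report: parent PIDs follow the
# tree's nesting (depth-1 entries have no parent) and the behaviour sets are
# the signature hits listed under each process.
PROCS = [
    Proc(876, SAMPLE, None, {"SetThreadContext", "WriteProcessMemory"}),
    Proc(1352, SAMPLE, 876, {"SetThreadContext", "WriteProcessMemory"}),
    Proc(3868, SAMPLE, 1352, {"EnumeratesProcesses", "AdjustPrivilegeToken"}),
    Proc(468, WERFAULT, 3868, {"Program crash"}, "WerFault.exe -u -p 3868 -s 1772"),
    Proc(2612, WERFAULT, None, set(), "WerFault.exe -pss -s 180 -p 3868 -ip 3868"),
]

HOLLOW_APIS = {"SetThreadContext", "WriteProcessMemory"}


def hollowing_candidates(procs):
    """Return (parent_pid, child_pid) pairs where the parent spawned a copy of
    itself and exhibited the two APIs hollowing needs: one to rewrite the
    child's initial thread context, one to write the payload into it."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.parent)
        if parent is None:
            continue
        same_image = parent.image.lower() == child.image.lower()
        if same_image and HOLLOW_APIS <= parent.behaviours:
            hits.append((parent.pid, child.pid))
    return hits


def injection_chain(procs, root_pid):
    """Follow hollowing candidates from root_pid down to the final stage."""
    next_hop = dict(hollowing_candidates(procs))
    chain = [root_pid]
    while chain[-1] in next_hop:
        chain.append(next_hop[chain[-1]])
    return chain


# '-p <pid>' only; '-pss' and '-ip' must not match.
_WER_PID = re.compile(r"(?<!\S)-p\s+(\d+)")


def crashed_pids(procs):
    """PIDs named by WerFault's '-p' switch (the faulting process), so that a
    crash can be tied back to the stage it killed."""
    return {int(m) for p in procs if p.image.lower().endswith("werfault.exe")
            for m in _WER_PID.findall(p.cmdline)}


if __name__ == "__main__":
    print("hollowing:", hollowing_candidates(PROCS))
    print("chain:", injection_chain(PROCS, 876))
    print("crashed:", crashed_pids(PROCS))
```

Run against the tree above this yields two hollowing pairs (876 into 1352, 1352 into 3868), a chain 876 -> 1352 -> 3868, and a crash attributed to 3868: the final stage, the one with the EnumeratesProcesses and AdjustPrivilegeToken hits, is the one WerFault reports on, which is consistent with the capture containing no SMTP session.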

    Network

    • DNS (US)
      133.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.32.126.40.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      133.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.32.126.40.in-addr.arpa
      IN PTR
    • DNS (US)
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
    • DNS (US)
      0.205.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.205.248.87.in-addr.arpa
      IN PTR
      Response
      0.205.248.87.in-addr.arpa
      IN PTR
      https-87-248-205-0lgwllnwnet
    • DNS (US)
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      checkip.dyndns.org
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      checkip.dyndns.org
      IN A
      Response
      checkip.dyndns.org
      IN CNAME
      checkip.dyndns.com
      checkip.dyndns.com
      IN A
      158.101.44.242
      checkip.dyndns.com
      IN A
      132.226.247.73
      checkip.dyndns.com
      IN A
      193.122.130.0
      checkip.dyndns.com
      IN A
      193.122.6.168
      checkip.dyndns.com
      IN A
      132.226.8.169
    • GET (US)
      http://checkip.dyndns.org/
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sun, 20 Oct 2024 19:40:20 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 6ae0e53e6727f5633d522502c531bc08
    • GET (US)
      http://checkip.dyndns.org/
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Sun, 20 Oct 2024 19:40:20 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 3a128a2b3b3c83eb15f31583e08ca060
    • DNS (US)
      freegeoip.app
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      freegeoip.app
      IN A
      Response
      freegeoip.app
      IN A
      104.21.73.97
      freegeoip.app
      IN A
      172.67.160.84
    • GET (US)
      https://freegeoip.app/xml/138.199.29.44
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      Remote address:
      104.21.73.97:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: freegeoip.app
      Connection: Keep-Alive
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Sun, 20 Oct 2024 19:40:20 GMT
      Content-Type: text/html
      Content-Length: 167
      Connection: keep-alive
      Cache-Control: max-age=3600
      Expires: Sun, 20 Oct 2024 20:40:20 GMT
      Location: https://ipbase.com/xml/138.199.29.44
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4h41Mq8Tnv4eK05InRknWGZfNLNGPMU51UyA9T442EID1COqx9AJ8uzdMy4LfpOqwdyP%2BzfskgAASc%2BfsPC98OsdMBiekM6xtJya0tOfyG6Q7eFGPU6CTTBVYIeeemsb"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d5b7aa5cdd13da0-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=48835&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2992&recv_bytes=377&delivery_rate=76776&cwnd=253&unsent_bytes=0&cid=efb57bfddaf52252&ts=138&x=0"
    • DNS (US)
      242.44.101.158.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      242.44.101.158.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      242.44.101.158.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      242.44.101.158.in-addr.arpa
      IN PTR
    • DNS (US)
      ipbase.com
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      ipbase.com
      IN A
      Response
      ipbase.com
      IN A
      172.67.209.71
      ipbase.com
      IN A
      104.21.85.189
    • GET (US)
      https://ipbase.com/xml/138.199.29.44
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      Remote address:
      172.67.209.71:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: ipbase.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Date: Sun, 20 Oct 2024 19:40:21 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Age: 0
      Cache-Control: public,max-age=0,must-revalidate
      Cache-Status: "Netlify Edge"; fwd=miss
      Vary: Accept-Encoding
      X-Nf-Request-Id: 01JANQ3S75SC4M9YRMATCVQXA8
      cf-cache-status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JGxunRq3qN%2BMI%2Bwk1fB4aBpB1ZrsdZL%2Fru5cV97jX63kA4Q5aCLfC99lQCqApHdJ8vn8pK7kj86tFNdnRG66tHw%2F9AiIre1VE%2FZqwr28Xo5z5tGqmHI0KmYSpEBy"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d5b7aa798279577-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=47493&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2984&recv_bytes=371&delivery_rate=87991&cwnd=253&unsent_bytes=0&cid=edcf3f6526fb7afd&ts=274&x=0"
    • DNS (US)
      97.73.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.73.21.104.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      71.209.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.209.67.172.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      29.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.243.111.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 507475
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F5339237EB254EEAAC2019DDC053420F Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
      date: Sun, 20 Oct 2024 19:40:32 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 761345
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 764D8F9B1C504C199476D8992921C711 Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
      date: Sun, 20 Oct 2024 19:40:32 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 668226
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: C40EFB0F46E54FEBA25188E8B3BF109E Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
      date: Sun, 20 Oct 2024 19:40:32 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239340418597_1J0EQ8ZTOVJVXHV7G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239340418597_1J0EQ8ZTOVJVXHV7G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 374381
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 02395909FE4D4ED6BDF4B6FC0BEB6457 Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
      date: Sun, 20 Oct 2024 19:40:32 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 721420
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 927375F97F424F80BC81C3322CFF0161 Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
      date: Sun, 20 Oct 2024 19:40:32 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 492694
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0DE39EF2C6E348F4ADA7F6BE6A7FAB45 Ref B: LON601060105025 Ref C: 2024-10-20T19:40:33Z
      date: Sun, 20 Oct 2024 19:40:32 GMT
    • 158.101.44.242:80
      http://checkip.dyndns.org/
      http
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      548 B
      856 B
      6
      5

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200
    • 104.21.73.97:443
      https://freegeoip.app/xml/138.199.29.44
      tls, http
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      733 B
      4.3kB
      8
      7

      HTTP Request

      GET https://freegeoip.app/xml/138.199.29.44

      HTTP Response

      301
    • 172.67.209.71:443
      https://ipbase.com/xml/138.199.29.44
      tls, http
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      819 B
      7.7kB
      10
      13

      HTTP Request

      GET https://ipbase.com/xml/138.199.29.44

      HTTP Response

      404
    • 150.171.28.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      tls, http2
      128.8kB
      3.7MB
      2659
      2654

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418597_1J0EQ8ZTOVJVXHV7G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      7.8kB
      15
      13
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      7.0kB
      16
      13
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.1kB
      6.9kB
      13
      11
    • 8.8.8.8:53
      133.32.126.40.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      133.32.126.40.in-addr.arpa

      DNS Request

      133.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      241.150.49.20.in-addr.arpa

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      0.205.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.205.248.87.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      43.58.199.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      43.58.199.20.in-addr.arpa

    • 8.8.8.8:53
      checkip.dyndns.org
      dns
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      64 B
      176 B
      1
      1

      DNS Request

      checkip.dyndns.org

      DNS Response

      158.101.44.242
      132.226.247.73
      193.122.130.0
      193.122.6.168
      132.226.8.169

    • 8.8.8.8:53
      freegeoip.app
      dns
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      59 B
      91 B
      1
      1

      DNS Request

      freegeoip.app

      DNS Response

      104.21.73.97
      172.67.160.84

    • 8.8.8.8:53
      242.44.101.158.in-addr.arpa
      dns
      146 B
      147 B
      2
      1

      DNS Request

      242.44.101.158.in-addr.arpa

      DNS Request

      242.44.101.158.in-addr.arpa

    • 8.8.8.8:53
      ipbase.com
      dns
      63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
      56 B
      88 B
      1
      1

      DNS Request

      ipbase.com

      DNS Response

      172.67.209.71
      104.21.85.189

    • 8.8.8.8:53
      97.73.21.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      97.73.21.104.in-addr.arpa

    • 8.8.8.8:53
      71.209.67.172.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      71.209.67.172.in-addr.arpa

    • 8.8.8.8:53
      29.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      29.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      170 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.28.10
      150.171.27.10
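
Added example, not part of the sandbox report: the HTTP records above reduced to a small correlation check for the "Looks up external IP address via web service" signature. The sample first asks checkip.dyndns.org for its address and then calls freegeoip.app/xml/<that address>, which redirects to ipbase.com and ends in a 404; the capture contains no SMTP session, so the credentials in the Malware Config section come from static config extraction, not from observed exfiltration. The records below are constructed from the requests listed on this page; the extra IP-echo hostnames, the function names and the scoring logic are the editor's assumptions.

```python
"""Correlate sandbox HTTP records to surface the two-step 'what is my IP,
then geolocate it' pattern that precedes Snake Keylogger's exfiltration."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HttpRecord:
    process: str      # attributing process as the sandbox labels it ("" = unattributed)
    method: str
    url: str
    status: int


SAMPLE = "63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"

# Constructed from the HTTP requests listed in this report, in the order shown.
# The bing.net fetch is Windows background traffic the sandbox did not
# attribute to the sample.
RECORDS = [
    HttpRecord(SAMPLE, "GET", "http://checkip.dyndns.org/", 200),
    HttpRecord(SAMPLE, "GET", "http://checkip.dyndns.org/", 200),
    HttpRecord(SAMPLE, "GET", "https://freegeoip.app/xml/138.199.29.44", 301),
    HttpRecord(SAMPLE, "GET", "https://ipbase.com/xml/138.199.29.44", 404),
    HttpRecord("", "GET", "https://tse1.mm.bing.net/th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2", 200),
]

# IP-echo services: the two hosts seen on this page plus common alternatives
# (the last two are assumed, not observed here).
IP_ECHO_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "api.ipify.org", "icanhazip.com"}

# Geolocation endpoints that carry the address in the path, as seen above.
GEO_URL = re.compile(
    r"^https?://(?:freegeoip\.app|ipbase\.com)/(?:xml|json)/(\d{1,3}(?:\.\d{1,3}){3})\b",
    re.I,
)


def find_ip_lookup_chains(records):
    """Per process, count IP-echo requests and collect the geolocation lookups
    that follow them. Only processes that did both are returned."""
    findings = {}
    for rec in records:
        if not rec.process:
            continue                       # background OS traffic, not the sample
        f = findings.setdefault(rec.process, {"ip_echo": 0, "geo_ips": [], "geo_statuses": []})
        if (urlsplit(rec.url).hostname or "").lower() in IP_ECHO_HOSTS:
            f["ip_echo"] += 1
        m = GEO_URL.match(rec.url)
        if m and f["ip_echo"]:             # order matters: geo lookup after the echo
            f["geo_ips"].append(m.group(1))
            f["geo_statuses"].append(rec.status)
    return {p: f for p, f in findings.items() if f["ip_echo"] and f["geo_ips"]}


def victim_external_ip(finding):
    """The address the malware learned from the echo service and then tried to
    geolocate; None if the lookups disagree with each other."""
    ips = set(finding["geo_ips"])
    return ips.pop() if len(ips) == 1 else None


def geo_lookup_succeeded(finding):
    """True only if some geolocation request returned 200. A redirect that
    lands on a 404 (as above) leaves the stealer without its location data."""
    return any(s == 200 for s in finding["geo_statuses"])


if __name__ == "__main__":
    for proc, f in find_ip_lookup_chains(RECORDS).items():
        print(proc, victim_external_ip(f), "geo ok:", geo_lookup_succeeded(f))
```

On the records above the sample is the only process flagged, the external address it learned is 138.199.29.44 (the sandbox egress, not anything attacker-controlled), and the geolocation step never succeeded (301 then 404). The User-Agent on the checkip requests, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), is a further string worth matching on in proxy logs, since no current browser sends it.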

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe.log

      Filesize

      1KB

      MD5

      84e77a587d94307c0ac1357eb4d3d46f

      SHA1

      83cc900f9401f43d181207d64c5adba7a85edc1e

      SHA256

      e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

      SHA512

      aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

    • memory/876-6-0x0000000005C00000-0x0000000005C0A000-memory.dmp

      Filesize

      40KB

    • memory/876-2-0x0000000006030000-0x00000000065D4000-memory.dmp

      Filesize

      5.6MB

    • memory/876-3-0x0000000005A80000-0x0000000005B12000-memory.dmp

      Filesize

      584KB

    • memory/876-4-0x0000000005B20000-0x0000000005BBC000-memory.dmp

      Filesize

      624KB

    • memory/876-5-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB

    • memory/876-16-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB

    • memory/876-7-0x0000000006CF0000-0x0000000006D06000-memory.dmp

      Filesize

      88KB

    • memory/876-8-0x00000000753AE000-0x00000000753AF000-memory.dmp

      Filesize

      4KB

    • memory/876-9-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB

    • memory/876-10-0x0000000007710000-0x0000000007832000-memory.dmp

      Filesize

      1.1MB

    • memory/876-11-0x0000000009DA0000-0x0000000009E5E000-memory.dmp

      Filesize

      760KB

    • memory/876-0-0x00000000753AE000-0x00000000753AF000-memory.dmp

      Filesize

      4KB

    • memory/876-1-0x0000000000EB0000-0x0000000001010000-memory.dmp

      Filesize

      1.4MB

    • memory/1352-12-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/1352-15-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB

    • memory/1352-17-0x0000000005870000-0x00000000058F4000-memory.dmp

      Filesize

      528KB

    • memory/1352-18-0x0000000005BD0000-0x0000000005C26000-memory.dmp

      Filesize

      344KB

    • memory/1352-19-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB

    • memory/1352-20-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB

    • memory/1352-21-0x0000000006D50000-0x0000000006DDE000-memory.dmp

      Filesize

      568KB

    • memory/1352-22-0x0000000006980000-0x00000000069A4000-memory.dmp

      Filesize

      144KB

    • memory/1352-25-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB

    • memory/3868-23-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/3868-24-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB

    • memory/3868-26-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB

    • memory/3868-27-0x00000000753A0000-0x0000000075B50000-memory.dmp

      Filesize

      7.7MB
