Analysis
-
max time kernel
143s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-10-2024 19:38
Static task
static1
Behavioral task
behavioral1
Sample
63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
63f484e36e6533bce2a47bd946486c83
-
SHA1
8815f16a19e0f8c29587b241e635ddb66a0d54ea
-
SHA256
7d6908ae43fb741400ac24a976de03ee6e72a8a306e3fdea805aa4257fb93f1b
-
SHA512
a35cc546c2c49dce9441e3888474bb206262915bd7df81395d7085fa99ef7f6092b61f0a1c0a3669abcc8c0d8e6a8c67633475d3e1cec244220263e7c3b0bd62
-
SSDEEP
24576:zlVpguGi7f2lUAa6fUSCl8NOzx6UbW63+sV98VnUE+7nunaIYPrK:zjaGfNA3fUSClpxl53+sV98VqnunaI42
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.coolingsolution.ly - Port:
587 - Username:
info@coolingsolution.ly - Password:
0922126259Gofran - Email To:
issyusa@yandex.com
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/3868-23-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 49 checkip.dyndns.org 51 freegeoip.app 52 freegeoip.app -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 876 set thread context of 1352 876 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 98 PID 1352 set thread context of 3868 1352 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 100 -
Program crash 1 IoCs
pid pid_target Process procid_target 468 3868 WerFault.exe 100 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3868 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3868 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 876 wrote to memory of 1352 876 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 98 PID 876 wrote to memory of 1352 876 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 98 PID 876 wrote to memory of 1352 876 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 98 PID 876 wrote to memory of 1352 876 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 98 PID 876 wrote to memory of 1352 876 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 98 PID 876 wrote to memory of 1352 876 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 98 PID 876 wrote to memory of 1352 876 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 98 PID 876 wrote to memory of 1352 876 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 98 PID 1352 wrote to memory of 3868 1352 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 100 PID 1352 wrote to memory of 3868 1352 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 100 PID 1352 wrote to memory of 3868 1352 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 100 PID 1352 wrote to memory of 3868 1352 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 100 PID 1352 wrote to memory of 3868 1352 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 100 PID 1352 wrote to memory of 3868 1352 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 100 PID 1352 wrote to memory of 3868 1352 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 100 PID 1352 wrote to memory of 3868 1352 63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 17724⤵
- Program crash
PID:468
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3868 -ip 38681⤵PID:2612
Network
-
Remote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request0.205.248.87.in-addr.arpaIN PTRResponse0.205.248.87.in-addr.arpaIN PTRhttps-87-248-205-0lgwllnwnet
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A132.226.247.73checkip.dyndns.comIN A193.122.130.0checkip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A132.226.8.169
-
Remote address:158.101.44.242:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 6ae0e53e6727f5633d522502c531bc08
-
Remote address:158.101.44.242:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3a128a2b3b3c83eb15f31583e08ca060
-
Remote address:8.8.8.8:53Requestfreegeoip.appIN AResponsefreegeoip.appIN A104.21.73.97freegeoip.appIN A172.67.160.84
-
Remote address:104.21.73.97:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 20 Oct 2024 20:40:20 GMT
Location: https://ipbase.com/xml/138.199.29.44
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4h41Mq8Tnv4eK05InRknWGZfNLNGPMU51UyA9T442EID1COqx9AJ8uzdMy4LfpOqwdyP%2BzfskgAASc%2BfsPC98OsdMBiekM6xtJya0tOfyG6Q7eFGPU6CTTBVYIeeemsb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d5b7aa5cdd13da0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48835&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2992&recv_bytes=377&delivery_rate=76776&cwnd=253&unsent_bytes=0&cid=efb57bfddaf52252&ts=138&x=0"
-
Remote address:8.8.8.8:53Request242.44.101.158.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request242.44.101.158.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Requestipbase.comIN AResponseipbase.comIN A172.67.209.71ipbase.comIN A104.21.85.189
-
Remote address:172.67.209.71:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; fwd=miss
Vary: Accept-Encoding
X-Nf-Request-Id: 01JANQ3S75SC4M9YRMATCVQXA8
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JGxunRq3qN%2BMI%2Bwk1fB4aBpB1ZrsdZL%2Fru5cV97jX63kA4Q5aCLfC99lQCqApHdJ8vn8pK7kj86tFNdnRG66tHw%2F9AiIre1VE%2FZqwr28Xo5z5tGqmHI0KmYSpEBy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d5b7aa798279577-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47493&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2984&recv_bytes=371&delivery_rate=87991&cwnd=253&unsent_bytes=0&cid=edcf3f6526fb7afd&ts=274&x=0"
-
Remote address:8.8.8.8:53Request97.73.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.209.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 507475
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F5339237EB254EEAAC2019DDC053420F Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
date: Sun, 20 Oct 2024 19:40:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 761345
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 764D8F9B1C504C199476D8992921C711 Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
date: Sun, 20 Oct 2024 19:40:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 668226
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C40EFB0F46E54FEBA25188E8B3BF109E Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
date: Sun, 20 Oct 2024 19:40:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418597_1J0EQ8ZTOVJVXHV7G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239340418597_1J0EQ8ZTOVJVXHV7G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 374381
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 02395909FE4D4ED6BDF4B6FC0BEB6457 Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
date: Sun, 20 Oct 2024 19:40:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 721420
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 927375F97F424F80BC81C3322CFF0161 Ref B: LON601060105025 Ref C: 2024-10-20T19:40:32Z
date: Sun, 20 Oct 2024 19:40:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 492694
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0DE39EF2C6E348F4ADA7F6BE6A7FAB45 Ref B: LON601060105025 Ref C: 2024-10-20T19:40:33Z
date: Sun, 20 Oct 2024 19:40:32 GMT
-
158.101.44.242:80http://checkip.dyndns.org/http63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe548 B 856 B 6 5
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
104.21.73.97:443https://freegeoip.app/xml/138.199.29.44tls, http63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe733 B 4.3kB 8 7
HTTP Request
GET https://freegeoip.app/xml/138.199.29.44HTTP Response
301 -
172.67.209.71:443https://ipbase.com/xml/138.199.29.44tls, http63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe819 B 7.7kB 10 13
HTTP Request
GET https://ipbase.com/xml/138.199.29.44HTTP Response
404 -
150.171.28.10:443https://tse1.mm.bing.net/th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90tls, http2128.8kB 3.7MB 2659 2654
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418597_1J0EQ8ZTOVJVXHV7G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200 -
1.2kB 7.8kB 15 13
-
1.2kB 7.0kB 16 13
-
1.2kB 6.9kB 15 13
-
1.1kB 6.9kB 13 11
-
144 B 158 B 2 1
DNS Request
133.32.126.40.in-addr.arpa
DNS Request
133.32.126.40.in-addr.arpa
-
144 B 158 B 2 1
DNS Request
241.150.49.20.in-addr.arpa
DNS Request
241.150.49.20.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
0.205.248.87.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
64 B 176 B 1 1
DNS Request
checkip.dyndns.org
DNS Response
158.101.44.242132.226.247.73193.122.130.0193.122.6.168132.226.8.169
-
59 B 91 B 1 1
DNS Request
freegeoip.app
DNS Response
104.21.73.97172.67.160.84
-
146 B 147 B 2 1
DNS Request
242.44.101.158.in-addr.arpa
DNS Request
242.44.101.158.in-addr.arpa
-
56 B 88 B 1 1
DNS Request
ipbase.com
DNS Response
172.67.209.71104.21.85.189
-
71 B 133 B 1 1
DNS Request
97.73.21.104.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
71.209.67.172.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.28.10150.171.27.10
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\63f484e36e6533bce2a47bd946486c83_JaffaCakes118.exe.log
Filesize1KB
MD584e77a587d94307c0ac1357eb4d3d46f
SHA183cc900f9401f43d181207d64c5adba7a85edc1e
SHA256e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691