Analysis

  • max time kernel
    132s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/11/2024, 04:20 UTC

General

  • Target

    840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe

  • Size

    728KB

  • MD5

    840b567a9e2a4b9d9cc93ebb3d2e551e

  • SHA1

    2beb298cbf5c2e85ef0afce25610ecb9a3e07513

  • SHA256

    f9c99819e882b21b76cf3397677ec58d55243ef1852c3105a3e324c4cf60dafd

  • SHA512

    9314e039acaf7003316411980c6bb1916e57e0a908fa8008590caf32d4e5f4328a540e49a77370e7b78d1c39a98d5190a748ed47866b354aee0f5e937051fbc5

  • SSDEEP

    12288:AsUhjs1UvptQgVFyxzrt7uZVbqL6vFzDOFXiWxBkEryJF4W+vHVwamVDc4/9vopU:DkWmqgVF45ayinOFXpk/MReampc4/9v9

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\AppData\Local\Temp\840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe"
      2⤵
        PID:4500
      • C:\Users\Admin\AppData\Local\Temp\840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3412
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 1808
          3⤵
          • Program crash
          PID:3744
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3412 -ip 3412
      1⤵
        PID:4704

Network

      • US
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • US
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.ax-0001.ax-msedge.net
        g-bing-com.ax-0001.ax-msedge.net
        IN CNAME
        ax-0001.ax-msedge.net
        ax-0001.ax-msedge.net
        IN A
        150.171.27.10
        ax-0001.ax-msedge.net
        IN A
        150.171.28.10
      • US
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=
        Remote address:
        150.171.27.10:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=1DF4BD2BF8DB6CC82238A801F9446D23; domain=.bing.com; expires=Wed, 26-Nov-2025 04:21:12 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 67D51E6BA21A45EB99145821A7DD8EA7 Ref B: LON601060103036 Ref C: 2024-11-01T04:21:12Z
        date: Fri, 01 Nov 2024 04:21:11 GMT
      • US
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=
        Remote address:
        150.171.27.10:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=1DF4BD2BF8DB6CC82238A801F9446D23
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=pqBQUjOt4XQwd0B6_RC-0c46CzYpXzQPzaWLeorpHpY; domain=.bing.com; expires=Wed, 26-Nov-2025 04:21:12 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 989C542889254B6F80DB06714D3FA592 Ref B: LON601060103036 Ref C: 2024-11-01T04:21:12Z
        date: Fri, 01 Nov 2024 04:21:11 GMT
      • US
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=
        Remote address:
        150.171.27.10:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=1DF4BD2BF8DB6CC82238A801F9446D23; MSPTC=pqBQUjOt4XQwd0B6_RC-0c46CzYpXzQPzaWLeorpHpY
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: E3AC4CA629FA485A8E7101FEE3643AD3 Ref B: LON601060103036 Ref C: 2024-11-01T04:21:12Z
        date: Fri, 01 Nov 2024 04:21:11 GMT
      • US
        DNS
        28.118.140.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        28.118.140.52.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        83.210.23.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        83.210.23.2.in-addr.arpa
        IN PTR
        Response
        83.210.23.2.in-addr.arpa
        IN PTR
        a2-23-210-83.deploy.static.akamaitechnologies.com
      • US
        DNS
        10.27.171.150.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        10.27.171.150.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        73.31.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        73.31.126.40.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        55.36.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        55.36.223.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        133.211.185.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.211.185.52.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        172.214.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.214.232.199.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        checkip.dyndns.org
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        checkip.dyndns.org
        IN A
        Response
        checkip.dyndns.org
        IN CNAME
        checkip.dyndns.com
        checkip.dyndns.com
        IN A
        193.122.6.168
        checkip.dyndns.com
        IN A
        132.226.8.169
        checkip.dyndns.com
        IN A
        193.122.130.0
        checkip.dyndns.com
        IN A
        158.101.44.242
        checkip.dyndns.com
        IN A
        132.226.247.73
      • DE
        GET
        http://checkip.dyndns.org/
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        Remote address:
        193.122.6.168:80
        Request
        GET / HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
        Host: checkip.dyndns.org
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Fri, 01 Nov 2024 04:21:54 GMT
        Content-Type: text/html
        Content-Length: 105
        Connection: keep-alive
        Cache-Control: no-cache
        Pragma: no-cache
        X-Request-ID: 712fefbccba5b4ce28bef880663526c4
      • DE
        GET
        http://checkip.dyndns.org/
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        Remote address:
        193.122.6.168:80
        Request
        GET / HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
        Host: checkip.dyndns.org
        Response
        HTTP/1.1 200 OK
        Date: Fri, 01 Nov 2024 04:21:54 GMT
        Content-Type: text/html
        Content-Length: 105
        Connection: keep-alive
        Cache-Control: no-cache
        Pragma: no-cache
        X-Request-ID: 4be32e0c70357fc6883fda50fefc7445
      • US
        DNS
        freegeoip.app
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        freegeoip.app
        IN A
        Response
        freegeoip.app
        IN A
        172.67.160.84
        freegeoip.app
        IN A
        104.21.73.97
      • US
        GET
        https://freegeoip.app/xml/138.199.29.44
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        Remote address:
        172.67.160.84:443
        Request
        GET /xml/138.199.29.44 HTTP/1.1
        Host: freegeoip.app
        Connection: Keep-Alive
        Response
        HTTP/1.1 301 Moved Permanently
        Date: Fri, 01 Nov 2024 04:21:55 GMT
        Content-Type: text/html
        Content-Length: 167
        Connection: keep-alive
        Cache-Control: max-age=3600
        Expires: Fri, 01 Nov 2024 05:21:55 GMT
        Location: https://ipbase.com/xml/138.199.29.44
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZbVe3fK3WVP6a%2F2mXAZEyp9g7gVUQR1OS%2FHI0bXJPFiiDHh0%2FWMb5jG1%2BSQCtJvsU727Ac8v15YpeBpFOq8oJmEWrpzULF9BfSl7IQAqmO6Q3efkgBtV3aPZXJjSdnjo"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8db919cbbd8c88bc-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=44265&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2992&recv_bytes=377&delivery_rate=87563&cwnd=253&unsent_bytes=0&cid=9b38f5b52638ca1a&ts=114&x=0"
      • US
        DNS
        ipbase.com
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        ipbase.com
        IN A
        Response
        ipbase.com
        IN A
        104.21.85.189
        ipbase.com
        IN A
        172.67.209.71
      • US
        GET
        https://ipbase.com/xml/138.199.29.44
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        Remote address:
        104.21.85.189:443
        Request
        GET /xml/138.199.29.44 HTTP/1.1
        Host: ipbase.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 404 Not Found
        Date: Fri, 01 Nov 2024 04:21:55 GMT
        Content-Type: text/html; charset=utf-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Age: 40596
        Cache-Control: public,max-age=0,must-revalidate
        Cache-Status: "Netlify Edge"; hit
        Vary: Accept-Encoding
        X-Nf-Request-Id: 01JBJZAQ376X0AHTEC0J02Q6BD
        cf-cache-status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vul4UAY7g1fOL5mvClKkFmH5JN%2F9H75zzcH9WNLLfWQDQbRH3yUtGc0YYuKpaTrrD3%2BngX9aiVImZEyK8%2Fsjo5RZ5JcPCd4kquDxVPS0FMk7hQmfe%2BFWzHI4tHq0"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8db919cd392f6347-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=43851&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2984&recv_bytes=371&delivery_rate=76896&cwnd=253&unsent_bytes=0&cid=9e022cea09105c75&ts=150&x=0"
      • US
        DNS
        84.160.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        84.160.67.172.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        84.160.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        84.160.67.172.in-addr.arpa
        IN PTR
      • US
        DNS
        168.6.122.193.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        168.6.122.193.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        168.6.122.193.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        168.6.122.193.in-addr.arpa
        IN PTR
      • US
        DNS
        189.85.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        189.85.21.104.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        73.209.201.84.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        73.209.201.84.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        43.58.199.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        43.58.199.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        31.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        31.243.111.52.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        ax-0001.ax-msedge.net
        ax-0001.ax-msedge.net
        IN A
        150.171.28.10
        ax-0001.ax-msedge.net
        IN A
        150.171.27.10
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239339388237_16CFOYO7VUY1K6DRH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        150.171.28.10:443
        Request
        GET /th?id=OADD2.10239339388237_16CFOYO7VUY1K6DRH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 443021
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 5C36BF2ACB5541CCA355411A5939756F Ref B: LON601060108034 Ref C: 2024-11-01T04:22:49Z
        date: Fri, 01 Nov 2024 04:22:48 GMT
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239339388236_1HL4SRJ7X21NUOQZ9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        150.171.28.10:443
        Request
        GET /th?id=OADD2.10239339388236_1HL4SRJ7X21NUOQZ9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 657438
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 4D6B44AF9D2640F1A50716ABEBD3EA22 Ref B: LON601060108034 Ref C: 2024-11-01T04:22:49Z
        date: Fri, 01 Nov 2024 04:22:48 GMT
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        150.171.28.10:443
        Request
        GET /th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 585469
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: B4E5A9B02A264CD3856FAF7A5FCAC0EF Ref B: LON601060108034 Ref C: 2024-11-01T04:22:49Z
        date: Fri, 01 Nov 2024 04:22:48 GMT
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        150.171.28.10:443
        Request
        GET /th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 193575
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: E12A13528AB346EBACB4838E91AD5AFE Ref B: LON601060108034 Ref C: 2024-11-01T04:22:49Z
        date: Fri, 01 Nov 2024 04:22:48 GMT
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        150.171.28.10:443
        Request
        GET /th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 746576
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 9B143E6E92634BF0AD81C650FD68CA63 Ref B: LON601060108034 Ref C: 2024-11-01T04:22:49Z
        date: Fri, 01 Nov 2024 04:22:48 GMT
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        150.171.28.10:443
        Request
        GET /th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      • US
        DNS
        88.156.103.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        88.156.103.20.in-addr.arpa
        IN PTR
        Response
      • 150.171.27.10:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=
        tls, http2
        2.0kB
        9.4kB
        22
        19

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55ad6e95083e404795f6850956aa9ba1&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=

        HTTP Response

        204
      • 193.122.6.168:80
        http://checkip.dyndns.org/
        http
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        548 B
        816 B
        6
        4

        HTTP Request

        GET http://checkip.dyndns.org/

        HTTP Response

        200

        HTTP Request

        GET http://checkip.dyndns.org/

        HTTP Response

        200
      • 172.67.160.84:443
        https://freegeoip.app/xml/138.199.29.44
        tls, http
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        733 B
        4.3kB
        8
        7

        HTTP Request

        GET https://freegeoip.app/xml/138.199.29.44

        HTTP Response

        301
      • 104.21.85.189:443
        https://ipbase.com/xml/138.199.29.44
        tls, http
        840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe
        819 B
        7.6kB
        10
        12

        HTTP Request

        GET https://ipbase.com/xml/138.199.29.44

        HTTP Response

        404
      • 150.171.28.10:443
        tse1.mm.bing.net
        tls, http2
        1.1kB
        6.9kB
        14
        13
      • 150.171.28.10:443
        https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        tls, http2
        60.1kB
        1.7MB
        1208
        1211

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239339388237_16CFOYO7VUY1K6DRH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239339388236_1HL4SRJ7X21NUOQZ9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      • 150.171.28.10:443
        tse1.mm.bing.net
        tls, http2
        1.1kB
        6.9kB
        14
        13
      • 150.171.28.10:443
        tse1.mm.bing.net
        tls, http2
        1.1kB
        6.9kB
        14
        13
      • 150.171.28.10:443
        tse1.mm.bing.net
        tls, http2
        1.1kB
        6.9kB
        14
        13
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        g.bing.com  dns  56 B  148 B  1  1
        DNS Request: g.bing.com
        DNS Response: 150.171.27.10, 150.171.28.10

      • 8.8.8.8:53  28.118.140.52.in-addr.arpa  dns  72 B  158 B  1  1
        DNS Request: 28.118.140.52.in-addr.arpa

      • 8.8.8.8:53  83.210.23.2.in-addr.arpa  dns  70 B  133 B  1  1
        DNS Request: 83.210.23.2.in-addr.arpa

      • 8.8.8.8:53  10.27.171.150.in-addr.arpa  dns  72 B  158 B  1  1
        DNS Request: 10.27.171.150.in-addr.arpa

      • 8.8.8.8:53  73.31.126.40.in-addr.arpa  dns  71 B  157 B  1  1
        DNS Request: 73.31.126.40.in-addr.arpa

      • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B  144 B  1  1
        DNS Request: 95.221.229.192.in-addr.arpa

      • 8.8.8.8:53  55.36.223.20.in-addr.arpa  dns  71 B  157 B  1  1
        DNS Request: 55.36.223.20.in-addr.arpa

      • 8.8.8.8:53  133.211.185.52.in-addr.arpa  dns  73 B  147 B  1  1
        DNS Request: 133.211.185.52.in-addr.arpa

      • 8.8.8.8:53  13.86.106.20.in-addr.arpa  dns  71 B  157 B  1  1
        DNS Request: 13.86.106.20.in-addr.arpa

      • 8.8.8.8:53  50.23.12.20.in-addr.arpa  dns  70 B  156 B  1  1
        DNS Request: 50.23.12.20.in-addr.arpa

      • 8.8.8.8:53  206.23.85.13.in-addr.arpa  dns  71 B  145 B  1  1
        DNS Request: 206.23.85.13.in-addr.arpa

      • 8.8.8.8:53  172.214.232.199.in-addr.arpa  dns  74 B  128 B  1  1
        DNS Request: 172.214.232.199.in-addr.arpa

      • 8.8.8.8:53  checkip.dyndns.org  dns  840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe  64 B  176 B  1  1
        DNS Request: checkip.dyndns.org
        DNS Response: 193.122.6.168, 132.226.8.169, 193.122.130.0, 158.101.44.242, 132.226.247.73

      • 8.8.8.8:53  freegeoip.app  dns  840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe  59 B  91 B  1  1
        DNS Request: freegeoip.app
        DNS Response: 172.67.160.84, 104.21.73.97

      • 8.8.8.8:53  ipbase.com  dns  840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe  56 B  88 B  1  1
        DNS Request: ipbase.com
        DNS Response: 104.21.85.189, 172.67.209.71

      • 8.8.8.8:53  84.160.67.172.in-addr.arpa  dns  144 B  134 B  2  1
        DNS Request: 84.160.67.172.in-addr.arpa
        DNS Request: 84.160.67.172.in-addr.arpa

      • 8.8.8.8:53  168.6.122.193.in-addr.arpa  dns  144 B  146 B  2  1
        DNS Request: 168.6.122.193.in-addr.arpa
        DNS Request: 168.6.122.193.in-addr.arpa

      • 8.8.8.8:53  189.85.21.104.in-addr.arpa  dns  72 B  134 B  1  1
        DNS Request: 189.85.21.104.in-addr.arpa

      • 8.8.8.8:53  73.209.201.84.in-addr.arpa  dns  72 B  132 B  1  1
        DNS Request: 73.209.201.84.in-addr.arpa

      • 8.8.8.8:53  43.58.199.20.in-addr.arpa  dns  71 B  157 B  1  1
        DNS Request: 43.58.199.20.in-addr.arpa

      • 8.8.8.8:53  31.243.111.52.in-addr.arpa  dns  72 B  158 B  1  1
        DNS Request: 31.243.111.52.in-addr.arpa

      • 8.8.8.8:53  tse1.mm.bing.net  dns  62 B  170 B  1  1
        DNS Request: tse1.mm.bing.net
        DNS Response: 150.171.28.10, 150.171.27.10

      • 8.8.8.8:53  88.156.103.20.in-addr.arpa  dns  72 B  158 B  1  1
        DNS Request: 88.156.103.20.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\840b567a9e2a4b9d9cc93ebb3d2e551e_JaffaCakes118.exe.log
        Filesize: 1KB
        MD5: 17573558c4e714f606f997e5157afaac
        SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
        SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
        SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

      • memory/3412-20-0x0000000074DE0000-0x0000000075590000-memory.dmp (Filesize: 7.7MB)
      • memory/3412-14-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
      • memory/3412-17-0x0000000074DE0000-0x0000000075590000-memory.dmp (Filesize: 7.7MB)
      • memory/3412-19-0x0000000074DE0000-0x0000000075590000-memory.dmp (Filesize: 7.7MB)
      • memory/4800-10-0x0000000074DEE000-0x0000000074DEF000-memory.dmp (Filesize: 4KB)
      • memory/4800-12-0x00000000061D0000-0x000000000625A000-memory.dmp (Filesize: 552KB)
      • memory/4800-6-0x0000000004AA0000-0x0000000004AAA000-memory.dmp (Filesize: 40KB)
      • memory/4800-2-0x0000000006FB0000-0x0000000007032000-memory.dmp (Filesize: 520KB)
      • memory/4800-9-0x0000000005DE0000-0x0000000005DF6000-memory.dmp (Filesize: 88KB)
      • memory/4800-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp (Filesize: 4KB)
      • memory/4800-11-0x0000000074DE0000-0x0000000075590000-memory.dmp (Filesize: 7.7MB)
      • memory/4800-7-0x0000000074DE0000-0x0000000075590000-memory.dmp (Filesize: 7.7MB)
      • memory/4800-13-0x0000000006830000-0x0000000006854000-memory.dmp (Filesize: 144KB)
      • memory/4800-8-0x0000000004DD0000-0x0000000004E26000-memory.dmp (Filesize: 344KB)
      • memory/4800-18-0x0000000074DE0000-0x0000000075590000-memory.dmp (Filesize: 7.7MB)
      • memory/4800-5-0x000000000A210000-0x000000000A2A2000-memory.dmp (Filesize: 584KB)
      • memory/4800-4-0x000000000A720000-0x000000000ACC4000-memory.dmp (Filesize: 5.6MB)
      • memory/4800-3-0x000000000A0D0000-0x000000000A16C000-memory.dmp (Filesize: 624KB)
      • memory/4800-1-0x0000000000120000-0x00000000001DC000-memory.dmp (Filesize: 752KB)