darkcomet | 09c7b436a16f19b59bbd78df98ac65790d34b8d1d70cf68209f3853787639086

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2024, 20:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Size

783KB
MD5

876f0cbd348a84a07460fccdaa67e0ab
SHA1

8504f842d8479f0260d24b97b0756e1f40e9994f
SHA256

09c7b436a16f19b59bbd78df98ac65790d34b8d1d70cf68209f3853787639086
SHA512

e900f572b99144d50404dda06166c5bde9db54b507fd23a9a238690425dbb47842e16c3a609cb924e43e122cc1ddc1aa4818b3f8f6cde3ecb500fdfaaa35dba3
SSDEEP

12288:qEyrUptexuIZjd0Sl8EGnMPZyFAWTB1HBfS5Ho1ar8/OpDlMssjFRxgJUT/nf:qEf8xuI70SOE7PwG21hfS9aarx9l277T

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 436 set thread context of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeSecurityPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeBackupPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeRestorePrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeShutdownPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeDebugPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeUndockPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: 33	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: 34	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: 35	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
Token: 36	2864	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87
PID 436 wrote to memory of 2864	436	876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

90.160.77.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.160.77.104.in-addr.arpa

IN PTR

Response

90.160.77.104.in-addr.arpa

IN PTR

a104-77-160-90deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

68.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.32.126.40.in-addr.arpa

IN PTR

Response
DNS

138.201.86.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.201.86.20.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

101.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

101.209.201.84.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418535_1J3FI1BHYFKNLDX7C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418535_1J3FI1BHYFKNLDX7C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 383560
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4F6BE94BD38A4AF6808B0990C2FE2E2F Ref B: LON601060101062 Ref C: 2024-11-02T20:34:11Z
date: Sat, 02 Nov 2024 20:34:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418536_1RXQC5FWNJZBHVB3M&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418536_1RXQC5FWNJZBHVB3M&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 248362
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 09FD4A3893DB49968BDC37A0F8586428 Ref B: LON601060101062 Ref C: 2024-11-02T20:34:11Z
date: Sat, 02 Nov 2024 20:34:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359748010_1Q8ARU8JIAMP3E64P&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239359748010_1Q8ARU8JIAMP3E64P&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 629947
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6904D52097824A16AB29D66CDA9680C1 Ref B: LON601060101062 Ref C: 2024-11-02T20:34:11Z
date: Sat, 02 Nov 2024 20:34:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 356644
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9143BBCF2F5C47EFB9FE72C5D894F20B Ref B: LON601060101062 Ref C: 2024-11-02T20:34:11Z
date: Sat, 02 Nov 2024 20:34:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 540156
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 91DE99AC40B046059F6EE490F47E1993 Ref B: LON601060101062 Ref C: 2024-11-02T20:34:11Z
date: Sat, 02 Nov 2024 20:34:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 561393
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E94AAA68C8794334AF335D68CBB6EFC7 Ref B: LON601060101062 Ref C: 2024-11-02T20:34:11Z
date: Sat, 02 Nov 2024 20:34:10 GMT
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

10.73.50.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.73.50.20.in-addr.arpa

IN PTR

Response

127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

116.6kB
2.8MB
2073
2069

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418535_1J3FI1BHYFKNLDX7C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418536_1RXQC5FWNJZBHVB3M&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359748010_1Q8ARU8JIAMP3E64P&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe
127.0.0.1:1604

876f0cbd348a84a07460fccdaa67e0ab_JaffaCakes118.exe

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

90.160.77.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

90.160.77.104.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

68.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

68.32.126.40.in-addr.arpa
8.8.8.8:53

138.201.86.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.201.86.20.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

101.209.201.84.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

101.209.201.84.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

10.73.50.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

10.73.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2864-2-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-3-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-4-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-5-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-7-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-8-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-9-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-10-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-12-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-13-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-14-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-15-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-16-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-17-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-18-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-19-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-20-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-21-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-23-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-24-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.