Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/12/2024, 20:57 UTC

General

  • Target

    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe

  • Size

    201KB

  • MD5

    de74448b4a398e9df200dcfdc2c6f7e5

  • SHA1

    1065fe6f58880976cfeab0e57d9f35de587a54e4

  • SHA256

    b8417527766e5b64a490cafb0105e6df80dcea8a9c2dca88ce2fcc79a703724a

  • SHA512

    0591178849d17f12227eea866cff806a91fae6ec8cca45fcd45aa51d89aed6adf2c9c3bf8f0b61d92156ef66b0ecf41b5d88c19cb75548bb770826ad46254517

  • SSDEEP

    3072:ptZBDetdPfnhv7o4CbWnHcU3zbjgUznaBVrEOKQz6Mq3TlMg2agNFGvynNE1HJSg:ptZBDebfnhjJfDgUzSEetg2agKveUQF

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 4 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1740
    • C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2192

Network

  • US
    DNS
    rossroadbags.com
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    rossroadbags.com
    IN A
    Response
  • US
    DNS
    zonetf.com
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
    Response
    zonetf.com
    IN A
    76.223.54.146
    zonetf.com
    IN A
    13.248.169.48
  • US
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAMRu4pVKv975Xlm5G
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAMRu4pVKv975Xlm5G HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • US
    DNS
    offlineservermonitoring.com
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    offlineservermonitoring.com
    IN A
    Response
  • US
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • US
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • US
    DNS
    zonetk.com
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetk.com
    IN A
    Response
  • US
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • US
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2Bsq5Sr%2Fe%2BV5ZuRg%3D%3D
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2Bsq5Sr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • US
    DNS
    www.google.com
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • GB
    GET
    http://www.google.com/
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJTX4roGIjAGxm-UaeVPzjdk_-OA4XpSAfx6hCprKZy8538JFEo89DoXVJmZKGSm7Mi6d_mv01cyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIlNfiugYQz-7glgMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-yRr0VwdPngZ15b3yi7v0NQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Tue, 10 Dec 2024 20:59:00 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-UDnVwSyMe3vTLWnJOR1Bozayoj4iNyLftJ5FLrikh4vSE4CnFe7o0; expires=Sun, 08-Jun-2025 20:59:00 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • US
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • GB
    GET
    http://www.google.com/
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJfX4roGIjCf9HQcCOBSbcZY631Je-CnypCo7jTeniJ8I4yu-uNJ3wOgsvTwDpngbls9N0Q9OvsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIl9fiugYQp-KAxAISBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-61aLTSR5kyYKw8LxiJ-23w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Tue, 10 Dec 2024 20:59:03 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-U1oFw_ehwT-fTICYHQbZEQEjQCsg7_8QPtMsFvvrZCczZmbzeL-g; expires=Sun, 08-Jun-2025 20:59:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • GB
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJfX4roGIjCf9HQcCOBSbcZY631Je-CnypCo7jTeniJ8I4yu-uNJ3wOgsvTwDpngbls9N0Q9OvsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Remote address:
    142.250.187.196:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGJfX4roGIjCf9HQcCOBSbcZY631Je-CnypCo7jTeniJ8I4yu-uNJ3wOgsvTwDpngbls9N0Q9OvsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Tue, 10 Dec 2024 20:59:03 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAMRu4pVKv975Xlm5G
    http
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    553 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAMRu4pVKv975Xlm5G

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    http
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    635 B
    245 B
    6
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    http
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    581 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    http
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    563 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2Bsq5Sr%2Fe%2BV5ZuRg%3D%3D
    http
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    583 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2Bsq5Sr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 142.250.187.196:80
    http://www.google.com/
    http
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    394 B
    1.5kB
    7
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 127.0.0.1:58889
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G
    http
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    627 B
    245 B
    6
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB9C4viw3n%2BGGT7iirfeBfZtPJX90alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G

    HTTP Response

    405
  • 142.250.187.196:80
    http://www.google.com/
    http
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    307 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.187.196:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJfX4roGIjCf9HQcCOBSbcZY631Je-CnypCo7jTeniJ8I4yu-uNJ3wOgsvTwDpngbls9N0Q9OvsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    526 B
    3.7kB
    6
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJfX4roGIjCf9HQcCOBSbcZY631Je-CnypCo7jTeniJ8I4yu-uNJ3wOgsvTwDpngbls9N0Q9OvsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 127.0.0.1:58889
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
  • 8.8.8.8:53
    rossroadbags.com
    dns
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    rossroadbags.com

  • 8.8.8.8:53
    zonetf.com
    dns
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    56 B
    88 B
    1
    1

    DNS Request

    zonetf.com

    DNS Response

    76.223.54.146
    13.248.169.48

  • 8.8.8.8:53
    offlineservermonitoring.com
    dns
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    73 B
    146 B
    1
    1

    DNS Request

    offlineservermonitoring.com

  • 8.8.8.8:53
    zonetk.com
    dns
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    56 B
    129 B
    1
    1

    DNS Request

    zonetk.com

  • 8.8.8.8:53
    www.google.com
    dns
    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\1FD6.EB2

    Filesize

    1KB

    MD5

    d88490002a91235ca412d4a15d136e3a

    SHA1

    adb79c01f03740278d72d2298e2164d5098dbf0c

    SHA256

    95f385d1cfa6dbae6f0bd38d48374537cf4f19ccbcc2b148a0138099906e5c57

    SHA512

    262ae8babc77e8c9a6137a057cd5b40d9c729922cfcea6b2a5be8350ae10bf7d646bf5c6ba491fa5021bce33d07c0c99f7cb9bd98bea308875ad198ef3f1db02

  • C:\Users\Admin\AppData\Roaming\1FD6.EB2

    Filesize

    600B

    MD5

    e49874dadf21c071163b0d0aa7c0170c

    SHA1

    7346aba8dc5b2f2f53b3cdfa6c52dea984f8a3b3

    SHA256

    21e86468d221d534b35b2bc982b979c9267ed750e4a95d508bfcc00c61ec8489

    SHA512

    efdb4407b5c0ea6daaea3da93bad3092e9241ba286d57f1c8495f44e5cdf02cbab579d05ae8dc4c36423cc2609998d5c627472d818d622558461d1f95561bd8e

  • C:\Users\Admin\AppData\Roaming\1FD6.EB2

    Filesize

    996B

    MD5

    cc831d3dd9f663401acae75e5796ffe1

    SHA1

    8ab02aedbffef667dc64d01d15003c7cd203e4e8

    SHA256

    a04832cb0288a05edf98d134ff79679bcf72eb93932dda5fd388c68e0f293b64

    SHA512

    852d4ccbd91d5d9996efc783e7733875fe74b0cadbf1db8c05e41b3c59f2c71dbf83f5429dfb143b1b1c70cafa8c61e010287b7251a1744f549f0925831705f2

  • memory/1740-5-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2192-78-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2504-2-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2504-1-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2504-12-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2504-168-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB