Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/12/2024, 03:18 UTC

General

  • Target

    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe

  • Size

    158KB

  • MD5

    dfaff61cc52fd8046155a25223c445d7

  • SHA1

    c21d9d718a42e3f1714da040967996a29dbc2fff

  • SHA256

    fde118339d2df0a5ce48cd13eb7d352241530ab209d98527175e62549b2149b2

  • SHA512

    58a8ca7dadb7c6fee9de8be91fa0d97740d6ff49caba96dd4d5580602ff46a48d5885ba6d5db1d5a6b0f4290f184c95cc227039a4aaf0b83e23eaafb3cfa8015

  • SSDEEP

    3072:qc9iaVVscs9CVQ/6OPSINZLSGu9XoEKfUeRv1QqSOXCaj2L9rKZVaHUZK2TeuLt4:N9igscs9nNVuMceDQ9GsK3yUeOW

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe"
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      • System Location Discovery: System Language Discovery
      PID:2408
    • C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      • System Location Discovery: System Language Discovery
      PID:1292

Network

  • [US]
    DNS
    psfk.com
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    psfk.com
    IN A
    Response
    psfk.com
    IN A
    35.158.87.123
  • [DE]
    GET
    http://psfk.com/img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    35.158.87.123:80
    Request
    GET /img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D HTTP/1.0
    Connection: close
    Host: psfk.com
    Accept: */*
    User-Agent: mozilla/2.0
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 11 Dec 2024 03:18:47 GMT
    Content-Type: text/html
    Content-Length: 175
    Connection: close
    Location: https://psfk.com/img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D
    Server: my-server
  • [US]
    DNS
    zonetf.com
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
    Response
    zonetf.com
    IN A
    13.248.169.48
    zonetf.com
    IN A
    76.223.54.146
  • [US]
    DNS
    zonetf.com
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
    Response
    zonetf.com
    IN A
    76.223.54.146
    zonetf.com
    IN A
    13.248.169.48
  • [US]
    DNS
    pdadatarestore.com
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    pdadatarestore.com
    IN A
    Response
  • [US]
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • [US]
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • [US]
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • [US]
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • [US]
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • [US]
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • [US]
    DNS
    searchmobilecode.com
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    searchmobilecode.com
    IN A
    Response
  • [US]
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • [US]
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • [US]
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqli8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqli8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • [US]
    DNS
    www.google.com
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    172.217.20.164
  • [FR]
    GET
    http://www.google.com/
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwI1YnkugYQ49nX3QESBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-350sGIWzxg2_uQtQgv_M7g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Wed, 11 Dec 2024 03:19:49 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-V3agWwfBT01hIs9NH4ZJyIvVy71KF9yJ-Zul_Y6r5VflXvsXzXgQ; expires=Mon, 09-Jun-2025 03:19:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • [US]
    DNS
    hostinganddedic.com
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    hostinganddedic.com
    IN A
    Response
  • [FR]
    GET
    http://www.google.com/
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwI1YnkugYQ5vOEsgMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-8HphMWZ7GsAWM9iY1_qERw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Wed, 11 Dec 2024 03:19:49 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-U7kZtFHywSE9-fd2NYH5Eg2ohtz03vyRdwvTx43j1mPYnqLcyxFw; expires=Mon, 09-Jun-2025 03:19:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • [FR]
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Wed, 11 Dec 2024 03:19:50 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
  • 35.158.87.123:80
    http://psfk.com/img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    395 B
    645 B
    5
    5

    HTTP Request

    GET http://psfk.com/img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D

    HTTP Response

    301
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    581 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    629 B
    325 B
    6
    6

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    563 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

    HTTP Response

    405
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    629 B
    325 B
    6
    6

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    581 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    581 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    609 B
    325 B
    6
    6

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

    HTTP Response

    405
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    581 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqli8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    641 B
    245 B
    6
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqli8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 172.217.20.164:80
    http://www.google.com/
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    302 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 172.217.20.164:80
    http://www.google.com/
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    307 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 172.217.20.164:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    526 B
    3.7kB
    6
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 127.0.0.1:59515
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
  • 127.0.0.1:59515
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
  • 8.8.8.8:53
    psfk.com
    dns
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    54 B
    70 B
    1
    1

    DNS Request

    psfk.com

    DNS Response

    35.158.87.123

  • 8.8.8.8:53
    zonetf.com
    dns
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    56 B
    88 B
    1
    1

    DNS Request

    zonetf.com

    DNS Response

    13.248.169.48
    76.223.54.146

  • 8.8.8.8:53
    zonetf.com
    dns
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    56 B
    88 B
    1
    1

    DNS Request

    zonetf.com

    DNS Response

    76.223.54.146
    13.248.169.48

  • 8.8.8.8:53
    pdadatarestore.com
    dns
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    64 B
    137 B
    1
    1

    DNS Request

    pdadatarestore.com

  • 8.8.8.8:53
    searchmobilecode.com
    dns
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    66 B
    139 B
    1
    1

    DNS Request

    searchmobilecode.com

  • 8.8.8.8:53
    www.google.com
    dns
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    172.217.20.164

  • 8.8.8.8:53
    hostinganddedic.com
    dns
    dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
    65 B
    138 B
    1
    1

    DNS Request

    hostinganddedic.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\6241.2CD

    Filesize

    1KB

    MD5

    4f85045902fc1e4d898a8864cc6c38d3

    SHA1

    e3b54b6a8838cb2e78972859c330b0ff9f2889ad

    SHA256

    ef31805553070d85e91ba748a557204767648bc2154c9c3f9f72c427d1780059

    SHA512

    792d91f0b161dec31edcc538e98ab8171cd7bda09ee1052e96fade543c1c13c8746e3af55b7180293101c4407b9e3a64e938cc14e925cde9dfa647d408fee024

  • C:\Users\Admin\AppData\Roaming\6241.2CD

    Filesize

    600B

    MD5

    94e96cc4183ddb53e7c7369e2dc4ab17

    SHA1

    b96fd40febbd4ad79570ec755b93992d896fe51b

    SHA256

    df9e66eb3fcf2ab376506ff78042bb9599613922b1b1cdb068a0fe82b1c2e8ea

    SHA512

    413740bf628e5ce91a2e917a27d69b01686bb63d9a381038bd6f984ac97f82cac01b84a910b42d56b5806251c8a2397c1a25d70698c33d9c6d4ee10c3519a164

  • C:\Users\Admin\AppData\Roaming\6241.2CD

    Filesize

    996B

    MD5

    b029aadffc8a096c9f4a02c28ef47259

    SHA1

    5439b6f258002a50470f285981f6cc303de4dde5

    SHA256

    318131d40883d297c29c84065a19abac59c9e033082240828a741bb62eaae567

    SHA512

    35b28a4f0d440f3ebd7f94689db8bb0183310cefbf9bd44d93188f2cd894dcf25192cba815117ef58bc44ea4fd282b97c3dcf66734224a3a8f28f3a2bdd823c4

  • memory/1292-75-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2308-1-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2308-2-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2308-14-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2308-72-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2308-180-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2408-5-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2408-6-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB
