Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/12/2024, 17:48 UTC

General

  • Target

    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe

  • Size

    188KB

  • MD5

    e78d9e0f45c173e095f7ec19217b43c0

  • SHA1

    b6245898afa7279abb1752d4d45630052b5e1d76

  • SHA256

    d31bfbce88b6b689577b88ca13849d722aa675083b87119268bdee3d83ab465e

  • SHA512

    c2817608ad4e1c906d40a79c4afee35b000ea4283d7e3ac863c27ef22e05467688f14b3f23013a45d6790f5157a6fa2834b149f835b28563722a76ae11e0fd27

  • SSDEEP

    3072:vU6YwDTF1jEwy3aWxk/jIZ6S8CgN7+Mm6N8pN31GLKiDS+QxcLr7TdAo:vUcXFFEzCUp8CgAMmU8D1GLhbQM7T

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\AppData\Local\Temp\e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2868
    • C:\Users\Admin\AppData\Local\Temp\e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1316

Network

  • flag-us
    DNS
    realsoftwaredevelopment.com
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    realsoftwaredevelopment.com
    IN A
    Response
  • flag-us
    DNS
    realsoftwaredevelopment.com
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    realsoftwaredevelopment.com
    IN A
    Response
  • flag-us
    DNS
    realsoftwaredevelopment.com
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    realsoftwaredevelopment.com
    IN A
    Response
  • flag-us
    DNS
    realsoftwaredevelopment.com
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    realsoftwaredevelopment.com
    IN A
    Response
  • flag-us
    DNS
    zonewl.com
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonewl.com
    IN A
    Response
  • flag-us
    DNS
    zonetf.com
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
    Response
    zonetf.com
    IN A
    76.223.54.146
    zonetf.com
    IN A
    13.248.169.48
  • flag-us
    DNS
    zonetf.com
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
    Response
    zonetf.com
    IN A
    13.248.169.48
    zonetf.com
    IN A
    76.223.54.146
  • flag-us
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • flag-us
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • flag-us
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • flag-us
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • flag-us
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • flag-us
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq5Sr%2Fe%2BV5ZuRg%3D%3D
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq5Sr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • flag-us
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • flag-us
    DNS
    www.google.com
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    172.217.20.164
  • flag-fr
    GET
    http://www.google.com/
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGK7E7LoGIjASZ5XAZfn4VmhbR7HS6WP9GlqqfsT468WExE7Zc6LlnepAWbz9guzG4JYT9ioLsbwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgsIr8TsugYQ1MLmFhIEtdewUw
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-Slpgc3B0vL43cQgUOIcoJg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Thu, 12 Dec 2024 17:49:35 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-X63W6fl1LdaKRuUz217ApOz2mgx3OBShyv3iXJx-mI2AzTmgusRiI; expires=Tue, 10-Jun-2025 17:49:35 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-fr
    GET
    http://www.google.com/
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLHE7LoGIjBUpiWpjMAl98sI_pPFA1Eht5CoyiRjWb4kAIA3qCTyQ3pwA1SnK4LXY_hjWLaM3RcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIscTsugYQ-LzY0AMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-pLzprQ2nFtI801NXUWkG4Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Thu, 12 Dec 2024 17:49:37 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-Wc7jahKmNB5i-Fka8mdkDks1y1eySo4UQqwn3JkCmPdbxsb9VqbUs; expires=Tue, 10-Jun-2025 17:49:37 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-fr
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLHE7LoGIjBUpiWpjMAl98sI_pPFA1Eht5CoyiRjWb4kAIA3qCTyQ3pwA1SnK4LXY_hjWLaM3RcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGLHE7LoGIjBUpiWpjMAl98sI_pPFA1Eht5CoyiRjWb4kAIA3qCTyQ3pwA1SnK4LXY_hjWLaM3RcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Thu, 12 Dec 2024 17:49:38 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    581 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    561 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    625 B
    325 B
    6
    6

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    625 B
    325 B
    6
    6

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    561 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq5Sr%2Fe%2BV5ZuRg%3D%3D
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    533 B
    245 B
    4
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2Bsq5Sr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    633 B
    325 B
    6
    6

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk56fiy3wKFGT7iirXdfvUdPJf50alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 172.217.20.164:80
    http://www.google.com/
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    348 B
    1.5kB
    6
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 127.0.0.1:52990
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
  • 172.217.20.164:80
    http://www.google.com/
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    307 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 127.0.0.1:52990
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
  • 172.217.20.164:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLHE7LoGIjBUpiWpjMAl98sI_pPFA1Eht5CoyiRjWb4kAIA3qCTyQ3pwA1SnK4LXY_hjWLaM3RcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    526 B
    3.7kB
    6
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLHE7LoGIjBUpiWpjMAl98sI_pPFA1Eht5CoyiRjWb4kAIA3qCTyQ3pwA1SnK4LXY_hjWLaM3RcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 8.8.8.8:53
    realsoftwaredevelopment.com
    dns
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    292 B
    292 B
    4
    4

    DNS Request

    realsoftwaredevelopment.com

    DNS Request

    realsoftwaredevelopment.com

    DNS Request

    realsoftwaredevelopment.com

    DNS Request

    realsoftwaredevelopment.com

  • 8.8.8.8:53
    zonewl.com
    dns
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    56 B
    129 B
    1
    1

    DNS Request

    zonewl.com

  • 8.8.8.8:53
    zonetf.com
    dns
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    56 B
    88 B
    1
    1

    DNS Request

    zonetf.com

    DNS Response

    76.223.54.146
    13.248.169.48

  • 8.8.8.8:53
    zonetf.com
    dns
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    56 B
    88 B
    1
    1

    DNS Request

    zonetf.com

    DNS Response

    13.248.169.48
    76.223.54.146

  • 8.8.8.8:53
    www.google.com
    dns
    e78d9e0f45c173e095f7ec19217b43c0_JaffaCakes118.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    172.217.20.164

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\AFF2.F91

    Filesize

    1KB

    MD5

    b7130f209c7d32dc207a1b3284c381fa

    SHA1

    4e03007d6aa43a1521ed76475b687d44d75c742a

    SHA256

    bdcebed47604cdf44114a48d689d991658b686f135b0d6b5035a3c6c3790c72c

    SHA512

    f8a5cb901755b26b642767fd3a0daf905203f75ced69d37840beb49ecb7c24f0180c1e81a84473095180c724560d3bb2da36d99c0486d0e598caa3b2d99f2ad3

  • C:\Users\Admin\AppData\Roaming\AFF2.F91

    Filesize

    600B

    MD5

    f66057116ba0dba266cec9a2e80bbca1

    SHA1

    dbf47ca3f21007d26cefa8ee2bc1fa6f8181a6d9

    SHA256

    d4acd099312ff048d75e755a59622f0b60bbacc5dddecc698b3320d41b570124

    SHA512

    7eec1c1d771650ee2d5c58c8f9e9222e411d1de703e98f8c8556d5c56bd3152fc3d10c78c2cd02c6d25033eae813e811dd1ce327f74c137fd216cfc06a91b97a

  • C:\Users\Admin\AppData\Roaming\AFF2.F91

    Filesize

    996B

    MD5

    905266398213e251f733e6fb0639ac37

    SHA1

    aca1e100c48b3bb56b5c11ac9ddefbcca90cde65

    SHA256

    93d5abd757c243c407a9f523b55b398c8f0c0711b56779c53edb3f95ca0c849f

    SHA512

    38ea50209914ddbb6c7645c16d995b5006e8fc810d3eb74bd4550d2d3e6509d524aa0241c5dee3a6f837e9343af76f7cee06055ebe10fa4e635f967b486bebc2

  • memory/1316-81-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2068-1-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2068-2-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2068-14-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2068-82-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2068-185-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2868-5-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2868-6-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB
