Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/12/2024, 22:45 UTC

General

  • Target

    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

  • Size

    186KB

  • MD5

    fd67bacae904767f1a03549b40df8c2b

  • SHA1

    19f9aee4123950ce0479248eebfb664dee965880

  • SHA256

    554b6d86320bcde0116a2295ea88d08204a8954bde3a309292c1899ac089be89

  • SHA512

    02bbb8b80023cb1442896e76121741419035d5c8ddecf8268dc8d1edf5271c0e9f3b22a4cb5dfdf5aae670e74018c948b62255faa37e766ee01a55f15dc7d35a

  • SSDEEP

    3072:AHoD8YbYxBB7n+mD1//Csd/xcVzwllyVE2PdkPEPiLrz3NOJ99fNF9nC4Oien8pm:2Dxj6Y1nCkysRIuPEUOf9ZnUqICS

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2616
    • C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2160

Network

  • flag-us
    DNS
    greenherbalteaonline.com
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    greenherbalteaonline.com
    IN A
    Response
  • flag-us
    DNS
    milkiwals.com
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    milkiwals.com
    IN A
    Response
  • flag-us
    DNS
    kinderjoys.com
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    kinderjoys.com
    IN A
    Response
    kinderjoys.com
    IN A
    3.33.251.168
    kinderjoys.com
    IN A
    15.197.225.128
  • flag-us
    DNS
    zonedg.com
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonedg.com
    IN A
    Response
    zonedg.com
    IN A
    103.224.212.214
  • flag-us
    DNS
    zonedg.com
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonedg.com
    IN A
    Response
    zonedg.com
    IN A
    103.224.212.214
  • flag-us
    POST
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    103.224.212.214:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonedg.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 302 Found
    date: Wed, 18 Dec 2024 22:45:30 GMT
    server: Apache
    set-cookie: __tad=1734561930.5327036; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
    location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-303a-9ed3-05fd938bc6df
    content-length: 2
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-us
    GET
    http://kinderjoys.com/blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    3.33.251.168:80
    Request
    GET /blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg HTTP/1.0
    Connection: close
    Host: kinderjoys.com
    Accept: */*
    User-Agent: mozilla/2.0
    Response
    HTTP/1.1 404 Not Found
    Server: awselb/2.0
    Date: Wed, 18 Dec 2024 22:45:30 GMT
    Content-Length: 0
    Connection: close
    WAFRule: 5
  • flag-us
    POST
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    103.224.212.214:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
    Host: zonedg.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 302 Found
    date: Wed, 18 Dec 2024 22:45:30 GMT
    server: Apache
    set-cookie: __tad=1734561930.7475540; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
    location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D&subid1=20241219-0945-3053-9aec-87ca61af6097
    content-length: 2
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-us
    POST
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    103.224.212.214:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonedg.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 302 Found
    date: Wed, 18 Dec 2024 22:45:30 GMT
    server: Apache
    set-cookie: __tad=1734561930.3748446; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
    location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-303d-8535-0fbe83ff1805
    content-length: 2
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-us
    POST
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    103.224.212.214:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonedg.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 302 Found
    date: Wed, 18 Dec 2024 22:45:30 GMT
    server: Apache
    set-cookie: __tad=1734561930.5182439; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
    location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-30d2-b509-8f4e9ae7109b
    content-length: 2
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-us
    POST
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    103.224.212.214:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonedg.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 302 Found
    date: Wed, 18 Dec 2024 22:45:30 GMT
    server: Apache
    set-cookie: __tad=1734561930.5395299; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
    location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-307d-a258-fc71d742ad07
    content-length: 2
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-us
    DNS
    www.google.com
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    172.217.20.164
  • flag-fr
    GET
    http://www.google.com/
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGK-hjbsGIjDJcjLZOV3BS4fPppfqMnBEhL0j2G9Q3eaF2I-aMjoxKnMA2VN9J9LmkcyNeEqNCHUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIr6GNuwYQpbfQ2AMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-QQZO9eWMrmhl8dSRrswEMA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Wed, 18 Dec 2024 22:46:07 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-VtuCQTSJuyAkUmwWJ4apqBGq44OyQlTmGF_IuyYN7XzYhnbWzKDHY; expires=Mon, 16-Jun-2025 22:46:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-us
    POST
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    103.224.212.214:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G HTTP/1.1
    Host: zonedg.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 302 Found
    date: Wed, 18 Dec 2024 22:46:10 GMT
    server: Apache
    set-cookie: __tad=1734561970.3006154; expires=Sat, 16-Dec-2034 22:46:10 GMT; Max-Age=315360000
    location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G&subid1=20241219-0946-10bf-baed-67def1f39522
    content-length: 2
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-fr
    GET
    http://www.google.com/
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgsIs6GNuwYQlf-CBBIEtdewUw
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-c1cgc53MUobdwEqMksv9ag' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Wed, 18 Dec 2024 22:46:11 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-UX5VwKI1P-RNZN_VQZJkU0apYH8T9aRNVLSLIFcYNvJpWDwEv3zo4; expires=Mon, 16-Jun-2025 22:46:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-fr
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Wed, 18 Dec 2024 22:46:23 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
  • 103.224.212.214:80
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    585 B
    758 B
    5
    5

    HTTP Request

    POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    302
  • 3.33.251.168:80
    http://kinderjoys.com/blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    460 B
    385 B
    6
    6

    HTTP Request

    GET http://kinderjoys.com/blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg

    HTTP Response

    404
  • 103.224.212.214:80
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    567 B
    700 B
    5
    4

    HTTP Request

    POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

    HTTP Response

    302
  • 103.224.212.214:80
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    587 B
    720 B
    5
    4

    HTTP Request

    POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    302
  • 103.224.212.214:80
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    593 B
    726 B
    5
    4

    HTTP Request

    POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    302
  • 103.224.212.214:80
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    587 B
    720 B
    5
    4

    HTTP Request

    POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    302
  • 172.217.20.164:80
    http://www.google.com/
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    302 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 127.0.0.1:52101
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
  • 103.224.212.214:80
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    1.0kB
    712 B
    7
    4

    HTTP Request

    POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G

    HTTP Response

    302
  • 172.217.20.164:80
    http://www.google.com/
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    516 B
    1.5kB
    8
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 127.0.0.1:52101
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
  • 172.217.20.164:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    1.2kB
    3.7kB
    10
    8

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 8.8.8.8:53
    greenherbalteaonline.com
    dns
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    70 B
    143 B
    1
    1

    DNS Request

    greenherbalteaonline.com

  • 8.8.8.8:53
    milkiwals.com
    dns
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    59 B
    132 B
    1
    1

    DNS Request

    milkiwals.com

  • 8.8.8.8:53
    kinderjoys.com
    dns
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    60 B
    92 B
    1
    1

    DNS Request

    kinderjoys.com

    DNS Response

    3.33.251.168
    15.197.225.128

  • 8.8.8.8:53
    zonedg.com
    dns
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    56 B
    72 B
    1
    1

    DNS Request

    zonedg.com

    DNS Response

    103.224.212.214

  • 8.8.8.8:53
    zonedg.com
    dns
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    56 B
    72 B
    1
    1

    DNS Request

    zonedg.com

    DNS Response

    103.224.212.214

  • 8.8.8.8:53
    www.google.com
    dns
    fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    172.217.20.164

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\A1D5.902

    Filesize

    1KB

    MD5

    1724eac0f357d168b3d4a0c9f009a6b2

    SHA1

    b360af81343395995671a9613b38e01c9e7530bb

    SHA256

    101de1f701d49131a60a2f6abaf4285bd90a283ca6951025ae7c97867288ee21

    SHA512

    a46862e51200a36f0caec516e388f95640c50143e9f24364444ef4a38b02da581d655c75807d75efd4a47e190a700a6252fe1907024905e943a6b626e2cae5c6

  • C:\Users\Admin\AppData\Roaming\A1D5.902

    Filesize

    600B

    MD5

    a94444cc9a5f0167775c357de3ca901c

    SHA1

    60c6ce8718c63ec95bd36715bc045191723877ae

    SHA256

    93dd15748168be9c2a28a8af26bf15a7bd16a87342c5f97e94cbc063f075d2f7

    SHA512

    44cf44925e533d265bebd7b1a7b996cf6155d0a58ea943a1771b918801b03c6fe74946df6c7a5ee696b7650d768e65651043c5b12bc7996158059e451a40408b

  • C:\Users\Admin\AppData\Roaming\A1D5.902

    Filesize

    996B

    MD5

    2397d777eab64ffbf8454f2aa887d60c

    SHA1

    7b1887dc8b1383487fc661562f209c082e2124ca

    SHA256

    f66997d75fe9804c5ff33159025169c27de1f33a2c4091ff45947c21e11969c0

    SHA512

    0aa8af5f7a34561cec9689c33a53778bda1742cb2224d868950a10f655407943fd06e946e9a2d8fb1a71e5d794d95cfe910699d1482bd8bcf95a91f56e34d30c

  • memory/2160-79-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2160-77-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2616-12-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2616-13-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2756-1-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2756-2-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2756-14-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2756-151-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2756-188-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB
