cycbot | 554b6d86320bcde0116a2295ea88d08204a8954bde3a309292c1899ac089be89

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/12/2024, 22:45 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Size

186KB
MD5

fd67bacae904767f1a03549b40df8c2b
SHA1

19f9aee4123950ce0479248eebfb664dee965880
SHA256

554b6d86320bcde0116a2295ea88d08204a8954bde3a309292c1899ac089be89
SHA512

02bbb8b80023cb1442896e76121741419035d5c8ddecf8268dc8d1edf5271c0e9f3b22a4cb5dfdf5aae670e74018c948b62255faa37e766ee01a55f15dc7d35a
SSDEEP

3072:AHoD8YbYxBB7n+mD1//Csd/xcVzwllyVE2PdkPEPiLrz3NOJ99fNF9nC4Oien8pm:2Dxj6Y1nCkysRIuPEUOf9ZnUqICS

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2616-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2756-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2160-79-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2756-151-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2756-188-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2616-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2616-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2756-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2160-79-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2160-77-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2756-151-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2756-188-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2616	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2616	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2616	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2616	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2160	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2160	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2160	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2160	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160

Network

DNS

greenherbalteaonline.com

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

greenherbalteaonline.com

IN A

Response
DNS

milkiwals.com

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

milkiwals.com

IN A

Response
DNS

kinderjoys.com

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

kinderjoys.com

IN A

Response

kinderjoys.com

IN A

3.33.251.168

kinderjoys.com

IN A

15.197.225.128
DNS

zonedg.com

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

zonedg.com

IN A

Response

zonedg.com

IN A

103.224.212.214
DNS

zonedg.com

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

zonedg.com

IN A

Response

zonedg.com

IN A

103.224.212.214
POST

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

103.224.212.214:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

date: Wed, 18 Dec 2024 22:45:30 GMT
server: Apache
set-cookie: __tad=1734561930.5327036; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-303a-9ed3-05fd938bc6df
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
GET

http://kinderjoys.com/blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

3.33.251.168:80

Request

GET /blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg HTTP/1.0
Connection: close
Host: kinderjoys.com
Accept: */*
User-Agent: mozilla/2.0

Response

HTTP/1.1 404 Not Found

Server: awselb/2.0
Date: Wed, 18 Dec 2024 22:45:30 GMT
Content-Length: 0
Connection: close
WAFRule: 5
POST

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

103.224.212.214:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

date: Wed, 18 Dec 2024 22:45:30 GMT
server: Apache
set-cookie: __tad=1734561930.7475540; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D&subid1=20241219-0945-3053-9aec-87ca61af6097
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
POST

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

103.224.212.214:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

date: Wed, 18 Dec 2024 22:45:30 GMT
server: Apache
set-cookie: __tad=1734561930.3748446; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-303d-8535-0fbe83ff1805
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
POST

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

103.224.212.214:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

date: Wed, 18 Dec 2024 22:45:30 GMT
server: Apache
set-cookie: __tad=1734561930.5182439; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-30d2-b509-8f4e9ae7109b
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
POST

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

103.224.212.214:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

date: Wed, 18 Dec 2024 22:45:30 GMT
server: Apache
set-cookie: __tad=1734561930.5395299; expires=Sat, 16-Dec-2034 22:45:30 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D&subid1=20241219-0945-307d-a258-fc71d742ad07
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
DNS

www.google.com

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.20.164
GET

http://www.google.com/

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

172.217.20.164:80

Request

GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*

Response

HTTP/1.0 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGK-hjbsGIjDJcjLZOV3BS4fPppfqMnBEhL0j2G9Q3eaF2I-aMjoxKnMA2VN9J9LmkcyNeEqNCHUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIr6GNuwYQpbfQ2AMSBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-QQZO9eWMrmhl8dSRrswEMA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 18 Dec 2024 22:46:07 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-VtuCQTSJuyAkUmwWJ4apqBGq44OyQlTmGF_IuyYN7XzYhnbWzKDHY; expires=Mon, 16-Jun-2025 22:46:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
POST

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

103.224.212.214:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

date: Wed, 18 Dec 2024 22:46:10 GMT
server: Apache
set-cookie: __tad=1734561970.3006154; expires=Sat, 16-Dec-2034 22:46:10 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G&subid1=20241219-0946-10bf-baed-67def1f39522
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
GET

http://www.google.com/

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

172.217.20.164:80

Request

GET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgsIs6GNuwYQlf-CBBIEtdewUw
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-c1cgc53MUobdwEqMksv9ag' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 18 Dec 2024 22:46:11 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-UX5VwKI1P-RNZN_VQZJkU0apYH8T9aRNVLSLIFcYNvJpWDwEv3zo4; expires=Mon, 16-Jun-2025 22:46:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
GET

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Remote address:

172.217.20.164:80

Request

GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 429 Too Many Requests

Date: Wed, 18 Dec 2024 22:46:23 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close

103.224.212.214:80

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

585 B
758 B
5
5

HTTP Request

POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

HTTP Response

302
3.33.251.168:80

http://kinderjoys.com/blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

460 B
385 B
6
6

HTTP Request

GET http://kinderjoys.com/blog/images/3521.jpg?v52=93&tq=gKZEtzyMv5rJqxG1J42pzMffBvAi0OjbwvgS917W65rJqlLfgPiWW1cg

HTTP Response

404
103.224.212.214:80

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

567 B
700 B
5
4

HTTP Request

POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

HTTP Response

302
103.224.212.214:80

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

587 B
720 B
5
4

HTTP Request

POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

HTTP Response

302
103.224.212.214:80

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

593 B
726 B
5
4

HTTP Request

POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D

HTTP Response

302
103.224.212.214:80

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

587 B
720 B
5
4

HTTP Request

POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

HTTP Response

302
172.217.20.164:80

http://www.google.com/

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

302 B
1.5kB
5
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
127.0.0.1:52101

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
103.224.212.214:80

http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

1.0kB
712 B
7
4

HTTP Request

POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB846Y%2FC3gWHGT7iirKid%2FYdS5X%2B0alxtygbpb6HvnSAOQij%2B82oYvEaTuLuwd129WxK5VKv975Xlm5G

HTTP Response

302
172.217.20.164:80

http://www.google.com/

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

516 B
1.5kB
8
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
127.0.0.1:52101

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
172.217.20.164:80

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

http

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

1.2kB
3.7kB
10
8

HTTP Request

GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLKhjbsGIjDIGYFe_2OcpQAh-SG_rKAQa8Ve9BVoCxawSvv9sh3Fh-RwAe_Im_fMWWhhgg4jscAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429

8.8.8.8:53

greenherbalteaonline.com

dns

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

70 B
143 B
1
1

DNS Request

greenherbalteaonline.com
8.8.8.8:53

milkiwals.com

dns

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

59 B
132 B
1
1

DNS Request

milkiwals.com
8.8.8.8:53

kinderjoys.com

dns

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

60 B
92 B
1
1

DNS Request

kinderjoys.com

DNS Response

3.33.251.168

15.197.225.128
8.8.8.8:53

zonedg.com

dns

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

56 B
72 B
1
1

DNS Request

zonedg.com

DNS Response

103.224.212.214
8.8.8.8:53

zonedg.com

dns

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

56 B
72 B
1
1

DNS Request

zonedg.com

DNS Response

103.224.212.214
8.8.8.8:53

www.google.com

dns

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

172.217.20.164

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A1D5.902

Filesize
1KB

MD5
1724eac0f357d168b3d4a0c9f009a6b2

SHA1
b360af81343395995671a9613b38e01c9e7530bb

SHA256
101de1f701d49131a60a2f6abaf4285bd90a283ca6951025ae7c97867288ee21

SHA512
a46862e51200a36f0caec516e388f95640c50143e9f24364444ef4a38b02da581d655c75807d75efd4a47e190a700a6252fe1907024905e943a6b626e2cae5c6

Download Submit
C:\Users\Admin\AppData\Roaming\A1D5.902

Filesize
600B

MD5
a94444cc9a5f0167775c357de3ca901c

SHA1
60c6ce8718c63ec95bd36715bc045191723877ae

SHA256
93dd15748168be9c2a28a8af26bf15a7bd16a87342c5f97e94cbc063f075d2f7

SHA512
44cf44925e533d265bebd7b1a7b996cf6155d0a58ea943a1771b918801b03c6fe74946df6c7a5ee696b7650d768e65651043c5b12bc7996158059e451a40408b

Download Submit
C:\Users\Admin\AppData\Roaming\A1D5.902

Filesize
996B

MD5
2397d777eab64ffbf8454f2aa887d60c

SHA1
7b1887dc8b1383487fc661562f209c082e2124ca

SHA256
f66997d75fe9804c5ff33159025169c27de1f33a2c4091ff45947c21e11969c0

SHA512
0aa8af5f7a34561cec9689c33a53778bda1742cb2224d868950a10f655407943fd06e946e9a2d8fb1a71e5d794d95cfe910699d1482bd8bcf95a91f56e34d30c

Download Submit
memory/2160-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2160-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2616-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2616-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-151-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-188-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.