Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2025, 23:39 UTC

General

  • Target

    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

  • Size

    314KB

  • MD5

    11fa3d2a79204be85855d65b269533bf

  • SHA1

    4b0d0e9f31cab8d907dd9f0f88e6d5235badbef4

  • SHA256

    77d59c32ed5adbfdc7ced9dd6438bd787af7ad69ac6e6ba53726893d7cdf0a80

  • SHA512

    6e1d3cd65857bb31528b2d8961320b86479e6b02eb633c23ac2ef86add295aa780dbd7cbd5d8ec9375d6d797f3a280f7b012d1a4d97f714a1d2915c2ca8cd90f

  • SSDEEP

    6144:z/L3iwgsfDSMj41UKL6dkONAAFPocl1m0wn83OFLOwLOu:z/ngsrSMkJLtSNFgcl1m0w8+x

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 8 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe startC:\Users\Admin\AppData\Roaming\923A1\FBEB6.exe%C:\Users\Admin\AppData\Roaming\923A1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:864
    • C:\Program Files (x86)\LP\B669\361E.tmp
      "C:\Program Files (x86)\LP\B669\361E.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1924
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe startC:\Program Files (x86)\A1E2F\lvvm.exe%C:\Program Files (x86)\A1E2F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2612
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:684
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2988

Network

  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.18.121.28
    a1363.dscg.akamai.net
    IN A
    2.18.121.20
  • flag-nl
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.18.121.28:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 26 Sep 2024 02:21:11 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
    Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
    ETag: 0x8DD1A40E476D877
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 69a1d30e-d01e-004b-02fe-56abb9000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 22 Jan 2025 23:39:30 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    23.200.189.225
  • flag-us
    DNS
    www.microsoft.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
  • flag-us
    DNS
    www.microsoft.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
  • flag-nl
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    23.200.189.225:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: HqJzZuA065RHozzmOcAUiQ==
    Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
    ETag: 0x8DD34DBD43549F4
    x-ms-request-id: 32c10f85-101e-0044-1fcc-66ddd5000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 22 Jan 2025 23:39:37 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV403d0778.0
    ms-cv-esi: CASMicrosoftCV403d0778.0
    X-RTag: RT
  • flag-us
    DNS
    3-j48.regremotehelper.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    3-j48.regremotehelper.com
    IN A
    Response
  • flag-us
    DNS
    3-j48.regremotehelper.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    3-j48.regremotehelper.com
    IN A
  • flag-us
    DNS
    cdn.adventofdeception.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    cdn.adventofdeception.com
    IN A
    Response
    cdn.adventofdeception.com
    IN A
    199.59.243.228
  • flag-us
    DNS
    cdn.adventofdeception.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    cdn.adventofdeception.com
    IN A
  • flag-us
    GET
    http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png?sv=47&tq=gwY92w4ACTZIjMVdNVnhYzPhqG9hHOC%2FrtFUWv3boHJVtbcs6D4W5OC8BHocq2frfpP%2F00Mt62JuReII%2BuVq9%2F0XZFYG5VWJ9kYuKSWjhnCd3cD6BdllONP6ZL1qf0OhuoJn%2FR8EFidoGd0JqYQORA5sqenPCZx7Z9Iz76laNwAYnqD%2Fho%2Bvxhc20IW8KPmfnp%2Fa
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    199.59.243.228:80
    Request
    GET /wp-content/uploads/2011/06/frame6.png?sv=47&tq=gwY92w4ACTZIjMVdNVnhYzPhqG9hHOC%2FrtFUWv3boHJVtbcs6D4W5OC8BHocq2frfpP%2F00Mt62JuReII%2BuVq9%2F0XZFYG5VWJ9kYuKSWjhnCd3cD6BdllONP6ZL1qf0OhuoJn%2FR8EFidoGd0JqYQORA5sqenPCZx7Z9Iz76laNwAYnqD%2Fho%2Bvxhc20IW8KPmfnp%2Fa HTTP/1.0
    Connection: close
    Host: cdn.adventofdeception.com
    Accept: */*
    User-Agent: chrome/9.0
    Response
    HTTP/1.1 200 OK
    date: Wed, 22 Jan 2025 23:39:47 GMT
    content-type: text/html; charset=utf-8
    content-length: 1734
    x-request-id: 9e95b77c-e450-427b-a011-25a7a661ecde
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_gRBH9KswfkxIznIKGXMFqtYKmvLjgHiRIcdVdXj+AR57t/K7fHOifQ+Qe9eFbmluBGM1bo6mWoL4eu+s3HUzSA==
    set-cookie: parking_session=9e95b77c-e450-427b-a011-25a7a661ecde; expires=Wed, 22 Jan 2025 23:54:47 GMT; path=/
    connection: close
  • flag-us
    DNS
    g61n5dh2.faststorageonline.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    g61n5dh2.faststorageonline.com
    IN A
    Response
  • flag-us
    DNS
    3x8g7zpy.regremotehelper.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    3x8g7zpy.regremotehelper.com
    IN A
    Response
  • flag-us
    DNS
    www.microsoft.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    23.200.189.225
  • flag-us
    DNS
    www.microsoft.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
  • flag-us
    DNS
    www.microsoft.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
  • flag-us
    DNS
    www.microsoft.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
  • flag-us
    DNS
    TRANSERSDATAFORME.COM
    361E.tmp
    Remote address:
    8.8.8.8:53
    Request
    TRANSERSDATAFORME.COM
    IN A
    Response
  • flag-us
    DNS
    tx3a.regremotehelper.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    tx3a.regremotehelper.com
    IN A
    Response
  • flag-us
    DNS
    tx3a.regremotehelper.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    tx3a.regremotehelper.com
    IN A
  • flag-us
    DNS
    tx3a.regremotehelper.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    tx3a.regremotehelper.com
    IN A
  • flag-us
    DNS
    csc3-2004-crl.verisign.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    csc3-2004-crl.verisign.com
    IN A
    Response
  • flag-us
    DNS
    www.google.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.179.228
  • flag-us
    DNS
    www.google.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
  • flag-us
    DNS
    www.google.com
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    142.250.179.228:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGICExrwGIjAU0UXpMdPvS38zW1Hq80iqGg-bgTcrN0PtThS5Z4qBQ161XAshBlwPpFfU1ywBxHwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgsIgYTGvAYQ2oXrWBIEtdewUw
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-8QWRPt-9kVKMVdA2XBZXKw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Wed, 22 Jan 2025 23:40:49 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-VArZT3M0OjOK6Tet5-UOc9y638uc2EHkMflkH7gZbf0DRPXvU_FQ; expires=Mon, 21-Jul-2025 23:40:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    142.250.179.228:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgsIg4TGvAYQqIjfKBIEtdewUw
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-wICvN96waEZGEdySlIh0oA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Wed, 22 Jan 2025 23:40:51 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-V0xt6OMGRMoHz46DQxdZual6k79WE0GIFCjPqrGtPY2gwEccWRVQ; expires=Mon, 21-Jul-2025 23:40:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-gb
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    Remote address:
    142.250.179.228:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Wed, 22 Jan 2025 23:40:51 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3086
    X-XSS-Protection: 0
    Connection: close
  • 2.18.121.28:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    543 B
    1.6kB
    7
    3

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 23.200.189.225:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    792 B
    1.8kB
    8
    5

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 199.59.243.228:80
    http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png?sv=47&tq=gwY92w4ACTZIjMVdNVnhYzPhqG9hHOC%2FrtFUWv3boHJVtbcs6D4W5OC8BHocq2frfpP%2F00Mt62JuReII%2BuVq9%2F0XZFYG5VWJ9kYuKSWjhnCd3cD6BdllONP6ZL1qf0OhuoJn%2FR8EFidoGd0JqYQORA5sqenPCZx7Z9Iz76laNwAYnqD%2Fho%2Bvxhc20IW8KPmfnp%2Fa
    http
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    1.1kB
    2.7kB
    8
    7

    HTTP Request

    GET http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png?sv=47&tq=gwY92w4ACTZIjMVdNVnhYzPhqG9hHOC%2FrtFUWv3boHJVtbcs6D4W5OC8BHocq2frfpP%2F00Mt62JuReII%2BuVq9%2F0XZFYG5VWJ9kYuKSWjhnCd3cD6BdllONP6ZL1qf0OhuoJn%2FR8EFidoGd0JqYQORA5sqenPCZx7Z9Iz76laNwAYnqD%2Fho%2Bvxhc20IW8KPmfnp%2Fa

    HTTP Response

    200
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 127.0.0.1:63192
  • 142.250.179.228:80
    http://www.google.com/
    http
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    512 B
    1.5kB
    8
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.179.228:80
    http://www.google.com/
    http
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    522 B
    1.5kB
    8
    6

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 127.0.0.1:63192
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
  • 127.0.0.1:63192
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
  • 142.250.179.228:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    868 B
    3.7kB
    8
    8

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.18.121.28
    2.18.121.20

  • 8.8.8.8:53
    www.microsoft.com
    dns
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    189 B
    230 B
    3
    1

    DNS Request

    www.microsoft.com

    DNS Request

    www.microsoft.com

    DNS Request

    www.microsoft.com

    DNS Response

    23.200.189.225

  • 8.8.8.8:53
    3-j48.regremotehelper.com
    dns
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    142 B
    144 B
    2
    1

    DNS Request

    3-j48.regremotehelper.com

    DNS Request

    3-j48.regremotehelper.com

  • 8.8.8.8:53
    cdn.adventofdeception.com
    dns
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    142 B
    87 B
    2
    1

    DNS Request

    cdn.adventofdeception.com

    DNS Request

    cdn.adventofdeception.com

    DNS Response

    199.59.243.228

  • 8.8.8.8:53
    g61n5dh2.faststorageonline.com
    dns
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    76 B
    149 B
    1
    1

    DNS Request

    g61n5dh2.faststorageonline.com

  • 8.8.8.8:53
    3x8g7zpy.regremotehelper.com
    dns
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    74 B
    147 B
    1
    1

    DNS Request

    3x8g7zpy.regremotehelper.com

  • 8.8.8.8:53
    www.microsoft.com
    dns
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    252 B
    230 B
    4
    1

    DNS Request

    www.microsoft.com

    DNS Request

    www.microsoft.com

    DNS Request

    www.microsoft.com

    DNS Request

    www.microsoft.com

    DNS Response

    23.200.189.225

  • 8.8.8.8:53
    TRANSERSDATAFORME.COM
    dns
    361E.tmp
    67 B
    140 B
    1
    1

    DNS Request

    TRANSERSDATAFORME.COM

  • 8.8.8.8:53
    tx3a.regremotehelper.com
    dns
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    210 B
    143 B
    3
    1

    DNS Request

    tx3a.regremotehelper.com

    DNS Request

    tx3a.regremotehelper.com

    DNS Request

    tx3a.regremotehelper.com

  • 8.8.8.8:53
    csc3-2004-crl.verisign.com
    dns
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    72 B
    127 B
    1
    1

    DNS Request

    csc3-2004-crl.verisign.com

  • 8.8.8.8:53
    www.google.com
    dns
    JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
    180 B
    76 B
    3
    1

    DNS Request

    www.google.com

    DNS Request

    www.google.com

    DNS Request

    www.google.com

    DNS Response

    142.250.179.228

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\923A1\1E2F.23A

    Filesize

    1KB

    MD5

    0cabe0edff7028ef1ef6ec2769a7fa4f

    SHA1

    e381f7bda44a3274eeffc363b1a18ef54f8b5f2b

    SHA256

    f13d1390b04e05b926f6790f47974fe8e360c3e2ff1008f2509e52f49f141554

    SHA512

    1e350b4c4f4571640c93052ed6ddbecd5cb8024015c4477bcc124b7e9dda3d151b47dec43e0ee749d30fedc6999ac14ef74aead947115c69049f3689522a1869

  • C:\Users\Admin\AppData\Roaming\923A1\1E2F.23A

    Filesize

    600B

    MD5

    49643fc97c84f88bffe0ad040f953fd9

    SHA1

    ecc019987b13b5b87dc433d34bb91d2babff1a95

    SHA256

    ee0aa3c9b7baff907c9d3336366e04f0e4b7f63bc4bd0025472005e46d2fdf8c

    SHA512

    4d12d026d682cbedf81180770e211090d71d40a56491922273b0da307687cae9d18befbfee811da357407fdfc9562a92e1a26ed65d452349303677d92dd6fee0

  • C:\Users\Admin\AppData\Roaming\923A1\1E2F.23A

    Filesize

    1KB

    MD5

    75a67549735b9d85f07e36a74e20eee4

    SHA1

    0d68f11c98ecdf3b1e058eed28970b84751410e7

    SHA256

    42c43f43c2ab756449aaced2dceb470f26d80af7ce1c023f7ab37e4bf3a52270

    SHA512

    d36132f02f95e7955128f91e23f60ed130054b728f31a432a94653cfa7890d39e5a645d99339d49da9de7d07f1a26c4a33cf5f28a7b7c577b4a56d14b10cc95d

  • C:\Users\Admin\AppData\Roaming\923A1\1E2F.23A

    Filesize

    897B

    MD5

    1b93e829ad58df01247545d3bbcba237

    SHA1

    20199f3afa00e4521de5d7cabde4d5474379e2be

    SHA256

    417726a2a2ade76749bccbebf5a1f1544a2566c4c61ed19a7af376638204c55b

    SHA512

    c8a23c9bda734d5714e1d3a8f3c62d1835859bb46e2e5b48b23a46dcffa4f00cb43b03b205e12a63ad5d318554c6f14850c80c82d7598b021cd26b2cdf4096eb

  • \Program Files (x86)\LP\B669\361E.tmp

    Filesize

    107KB

    MD5

    ebec172b21c1a8032a34cbaee1517f52

    SHA1

    a34b5c4cded0d80e9ced4fb9b33ecb142060de55

    SHA256

    4972245901de570e2f6db848ac371d3aa85676596698611f2349758cd9765353

    SHA512

    e8517f20a836d95815e4d4fe7100cc9ae8cc13e8ab23f7b3f44525742b9552aff5a24948c05ff95cf232c854bd05756271211685583a9e01451d12e256951ff9

  • memory/864-18-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1624-5-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1624-19-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1624-0-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1624-4-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1624-3-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1624-183-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1624-2-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1624-292-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1624-294-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1924-184-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/2612-181-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB
