glupteba | 803f140bd2b1a74fe2334a0f68337fbd85adc6074dff8fc6bea58b6f2a5ab457

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Size

3.8MB
MD5

468dcdb06c6733d0048a75360d52e1a4
SHA1

eb1ad2cb3ddb7ac6560cf30cc7c286bd31989b1d
SHA256

803f140bd2b1a74fe2334a0f68337fbd85adc6074dff8fc6bea58b6f2a5ab457
SHA512

b78b6e303b4264727e157e559fcb947c7016087e453d4449001a5378297fc6306cec59aabec418f4a08e32101d7e74eca689a8801de451dbb76c5e696f4b0909
SSDEEP

49152:ARuPPnhH53LFZLGbPG/mvDI7ZpZGyip8QCW3c7DfjqcPm93gBmXjKozboyujkXOa:AebSqmvkd6y/WcHjlm93kKKglWVJM

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral2/memory/3364-2-0x0000000002DA0000-0x0000000003491000-memory.dmp	family_glupteba
behavioral2/memory/3364-3-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/3364-4-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/3364-5-0x0000000002DA0000-0x0000000003491000-memory.dmp	family_glupteba
behavioral2/memory/864-9-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/864-15-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/2620-17-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/2620-18-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/2620-19-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/2620-20-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/2620-21-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/2620-23-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/2620-24-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba
behavioral2/memory/2620-27-0x0000000000400000-0x0000000000B0B000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1840	netsh.exe
2436	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SparklingRiver = "\"C:\\Windows\\rss\\csrss.exe\""	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
File created	C:\Windows\rss\csrss.exe	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
2620	csrss.exe
2620	csrss.exe
2620	csrss.exe
2620	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3364	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1004	864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe	96
PID 864 wrote to memory of 1004	864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe	96
PID 1004 wrote to memory of 1840	1004	cmd.exe	98
PID 1004 wrote to memory of 1840	1004	cmd.exe	98
PID 864 wrote to memory of 3456	864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe	99
PID 864 wrote to memory of 3456	864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe	99
PID 3456 wrote to memory of 2436	3456	cmd.exe	101
PID 3456 wrote to memory of 2436	3456	cmd.exe	101
PID 864 wrote to memory of 2620	864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe	102
PID 864 wrote to memory of 2620	864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe	102
PID 864 wrote to memory of 2620	864	468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364
- C:\Users\Admin\AppData\Local\Temp\468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\468dcdb06c6733d0048a75360d52e1a4_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2436
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3924 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe

Filesize
3.8MB

MD5
468dcdb06c6733d0048a75360d52e1a4

SHA1
eb1ad2cb3ddb7ac6560cf30cc7c286bd31989b1d

SHA256
803f140bd2b1a74fe2334a0f68337fbd85adc6074dff8fc6bea58b6f2a5ab457

SHA512
b78b6e303b4264727e157e559fcb947c7016087e453d4449001a5378297fc6306cec59aabec418f4a08e32101d7e74eca689a8801de451dbb76c5e696f4b0909

Download Submit
memory/864-7-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/864-15-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/864-9-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/864-8-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/2620-19-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/2620-17-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/2620-18-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/2620-20-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/2620-21-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/2620-23-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/2620-24-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/2620-27-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/3364-5-0x0000000002DA0000-0x0000000003491000-memory.dmp

Filesize
6.9MB

Download
memory/3364-4-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/3364-3-0x0000000000400000-0x0000000000B0B000-memory.dmp

Filesize
7.0MB

Download
memory/3364-2-0x0000000002DA0000-0x0000000003491000-memory.dmp

Filesize
6.9MB

Download
memory/3364-1-0x00000000029F0000-0x0000000002D9E000-memory.dmp

Filesize
3.7MB

Download