glupteba | 407c70f0c1a1e34503dae74dd973cf037d607e3c4deb8f063d33f2142f1baf71

Analysis

max time kernel
126s
max time network
129s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Size

6.9MB
MD5

89c47e27bec5a374476ffaf92ab2b6d2
SHA1

6486a7db83b1be2ed5ef7239262d22508d3e075a
SHA256

407c70f0c1a1e34503dae74dd973cf037d607e3c4deb8f063d33f2142f1baf71
SHA512

f0c65570b230236b2dda4e326122f54b8174fd2d17c6e5c9ddb1b0f80c9733f023ba86252400dc0bc9ee314fb4023bd1dac6fda6297e17fe18493d175f2634bc
SSDEEP

98304:kzHf7vmorbC/yNwFC6TJZcE94Kcj3sA/Ibt1YcyDXs:+Hzvpr6FHt4Kc+NIs

Score

10^/10

glupteba dropper evasion loader persistence trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0006000000015cb0-1.dat	family_glupteba

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\WinterSurf = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\cloudnet.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
2448	netsh.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid	Process
2996	csrss.exe

Loads dropped DLL 2 IoCs

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

pid	Process
2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\WinterSurf = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\cloudnet.exe = "0"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinterSurf = "\"C:\\Windows\\rss\\csrss.exe\""	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exemakecab.exe

description	ioc	Process
File opened for modification	C:\Windows\rss	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
File created	C:\Windows\rss\csrss.exe	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240601073649.cab	makecab.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exenetsh.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.execsrss.exe

pid	Process
2356	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
2356	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
2356	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
2356	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
2996	csrss.exe
2996	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	2356	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2356	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.execmd.exe

description	pid	Process	procid_target
PID 2180 wrote to memory of 2484	2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2484	2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2484	2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2484	2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe	33
PID 2484 wrote to memory of 2448	2484	cmd.exe	35
PID 2484 wrote to memory of 2448	2484	cmd.exe	35
PID 2484 wrote to memory of 2448	2484	cmd.exe	35
PID 2180 wrote to memory of 2996	2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe	36
PID 2180 wrote to memory of 2996	2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe	36
PID 2180 wrote to memory of 2996	2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe	36
PID 2180 wrote to memory of 2996	2180	89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356
- C:\Users\Admin\AppData\Local\Temp\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:2448
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2996

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240601073649.log C:\Windows\Logs\CBS\CbsPersist_20240601073649.cab
1⤵
- Drops file in Windows directory
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\rss\csrss.exe

Filesize
6.9MB

MD5
89c47e27bec5a374476ffaf92ab2b6d2

SHA1
6486a7db83b1be2ed5ef7239262d22508d3e075a

SHA256
407c70f0c1a1e34503dae74dd973cf037d607e3c4deb8f063d33f2142f1baf71

SHA512
f0c65570b230236b2dda4e326122f54b8174fd2d17c6e5c9ddb1b0f80c9733f023ba86252400dc0bc9ee314fb4023bd1dac6fda6297e17fe18493d175f2634bc

Download Submit