glupteba | 1467fe3265b0b8f88e0987481406fd4f12d52deed6121f5af99c2d2b9b20d99c

Analysis

max time kernel
112s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Size

5.2MB
MD5

a410f6bd37a266dc450fa073629b7cbc
SHA1

48fafe2c47daec3bc90b4fc92ca1eaef5f2da171
SHA256

1467fe3265b0b8f88e0987481406fd4f12d52deed6121f5af99c2d2b9b20d99c
SHA512

df8eb046c879e1adf95b24fdd100ca69440b2287f0cb90f70894232f726a64f24012e9bc13031087ffb2efbc987e93a9621c1b458043ef0c676b6e1c6377fc89
SSDEEP

49152:1eaOFKQPrvUrRiGcdoVsyG/3JojFPpeiYDp2kNNJ7H8lsL6oUlMXhRMHwERw7s7b:aFLIgoVsyGBojpClTHXhRy/RwI4MJ9

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4924	netsh.exe
5080	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
3636	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BillowingWind = "\"C:\\Windows\\rss\\csrss.exe\""	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
File opened for modification	C:\Windows\rss	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4048	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
4048	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
856	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
856	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4048	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4048	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 3256	856	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe	88
PID 856 wrote to memory of 3256	856	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe	88
PID 3256 wrote to memory of 4924	3256	cmd.exe	90
PID 3256 wrote to memory of 4924	3256	cmd.exe	90
PID 856 wrote to memory of 4796	856	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe	91
PID 856 wrote to memory of 4796	856	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe	91
PID 4796 wrote to memory of 5080	4796	cmd.exe	93
PID 4796 wrote to memory of 5080	4796	cmd.exe	93
PID 856 wrote to memory of 3636	856	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe	94
PID 856 wrote to memory of 3636	856	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe	94
PID 856 wrote to memory of 3636	856	a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048
- C:\Users\Admin\AppData\Local\Temp\a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a410f6bd37a266dc450fa073629b7cbc_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5080
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    - Executes dropped EXE
    PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe

Filesize
5.2MB

MD5
a410f6bd37a266dc450fa073629b7cbc

SHA1
48fafe2c47daec3bc90b4fc92ca1eaef5f2da171

SHA256
1467fe3265b0b8f88e0987481406fd4f12d52deed6121f5af99c2d2b9b20d99c

SHA512
df8eb046c879e1adf95b24fdd100ca69440b2287f0cb90f70894232f726a64f24012e9bc13031087ffb2efbc987e93a9621c1b458043ef0c676b6e1c6377fc89

Download Submit