Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/08/2024, 19:23 UTC

General

  • Target

    cd71299dfba856b2a9ec3ffb880ebad5_JaffaCakes118.exe

  • Size

    5.0MB

  • MD5

    cd71299dfba856b2a9ec3ffb880ebad5

  • SHA1

    e630635246663d5f8dbb87a7d09644f0b83d3fa3

  • SHA256

    396d94f129bc31e0115927a1207ce6380638de2776e2d31c5e4f7ea9ed39652e

  • SHA512

    03b2ae84c3c83bf3c18c6a924966f55edd66b196cb219eb92ded98275fe87b1a56a44e128e3ff46c2cb9e466f55fa8b7f2e817ae9795a5a9d96cd0f67e326dc6

  • SSDEEP

    98304:ml2VNuhIKfrRyZZgWbfakxFz3Si8NhMeMKqiFNT2keUenQigIpv:E2V+IKdMqwF3SDwcqiFNT2FII

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload (16 IoCs)
  • Windows security bypass (2 TTPs, 12 IoCs)
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Windows security modification (2 TTPs, 12 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory (3 IoCs)
  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd71299dfba856b2a9ec3ffb880ebad5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cd71299dfba856b2a9ec3ffb880ebad5_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2612
    • C:\Users\Admin\AppData\Local\Temp\cd71299dfba856b2a9ec3ffb880ebad5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\cd71299dfba856b2a9ec3ffb880ebad5_JaffaCakes118.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • Modifies data under HKEY_USERS
          PID:2676
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe /6-JaffaCakes118
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        PID:2932
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240831192339.log C:\Windows\Logs\CBS\CbsPersist_20240831192339.cab
    1⤵
    • Drops file in Windows directory
    PID:2652
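
The process tree above is the part of this report worth turning into detection logic: the sample re-launches itself, drops a copy named csrss.exe into C:\Windows\rss (not System32), and has cmd.exe run netsh to add an inbound firewall allow rule for that path. The following hunt script is an added example written for this page; it is not tria.ge's code or any vendor's rule set. ProcEvent is an assumed Sysmon-like schema, and SAMPLE_EVENTS is constructed from the report's process tree (PIDs, images and command lines as listed above); the parent PIDs 1000 and 396 and the genuine-csrss.exe control event are invented for the example.

```python
"""Hunt process-creation telemetry for the chain shown in the process tree above:
a binary named like a protected system process but running outside System32,
and an inbound firewall "allow" rule added for it by a process tree rooted in
the user's %TEMP% directory.

Added example, not part of the tria.ge report or of any vendor's tooling.
ProcEvent is an assumed Sysmon-like schema. SAMPLE_EVENTS is constructed from
the report's process tree; parent PIDs 1000/396 and the genuine-csrss.exe
control are invented.
"""
import ntpath  # Windows path semantics even when run on a non-Windows host
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\cd71299dfba856b2a9ec3ffb880ebad5_JaffaCakes118.exe"
NETSH_CMD = (r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
             r'program="C:\Windows\rss\csrss.exe" enable=yes')

SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2612, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(3008, 2612, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2648, 3008, r"C:\Windows\system32\cmd.exe", rf'C:\Windows\Sysnative\cmd.exe /C "{NETSH_CMD}"'),
    ProcEvent(2676, 2648, r"C:\Windows\system32\netsh.exe", NETSH_CMD),
    ProcEvent(2932, 3008, r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe /6-JaffaCakes118"),
    # Controls that must not fire: the genuine csrss.exe (invented) and the report's top-level makecab.exe.
    ProcEvent(400, 396, r"C:\Windows\System32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"),
    ProcEvent(2652, 1000, r"C:\Windows\system32\makecab.exe",
              r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240831192339.log '
              r'C:\Windows\Logs\CBS\CbsPersist_20240831192339.cab'),
]

# Process names that legitimately live only in System32 (or SysWOW64 on x64).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Locations from which an inbound allow rule is at least plausible.
TRUSTED_PROGRAM_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
TEMP_MARKER = "\\appdata\\local\\temp\\"
# program="quoted path" or program=unquoted_path
PROGRAM_ARG = re.compile(r'program=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _norm(path: str) -> str:
    return path.strip('"').lower()


def masquerades_system_process(image: str) -> bool:
    """True if the image carries a protected system process name but sits outside System32/SysWOW64."""
    directory, name = ntpath.split(_norm(image))
    return name in SYSTEM_PROCESS_NAMES and directory not in SYSTEM_DIRS


def firewall_allow_target(cmdline: str) -> Optional[str]:
    """Program path if the command adds an inbound 'allow' rule via netsh advfirewall, else None."""
    low = cmdline.lower()
    if not all(tok in low for tok in ("advfirewall", "add rule", "dir=in", "action=allow")):
        return None
    m = PROGRAM_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain of pid (nearest first), stopping at unknown parents or cycles."""
    chain: List[ProcEvent] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid].ppid
        if parent in by_pid:
            chain.append(by_pid[parent])
        pid = parent
    return chain


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings. Only netsh.exe itself is checked for
    firewall rules, so the cmd.exe wrapper carrying the same text is not double-counted."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str, str]] = []
    for e in events:
        if masquerades_system_process(e.image):
            findings.append((e.pid, "masquerade", e.image))
        if ntpath.basename(_norm(e.image)) != "netsh.exe":
            continue
        target = firewall_allow_target(e.cmdline)
        if target is None:
            continue
        if not _norm(target).startswith(TRUSTED_PROGRAM_PREFIXES):
            findings.append((e.pid, "firewall-allow-untrusted-path", target))
        if any(TEMP_MARKER in _norm(a.image) for a in ancestors(e.pid, by_pid)):
            findings.append((e.pid, "firewall-rule-from-temp-tree", target))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule} -> {detail}")
```

Against the constructed events this yields three findings: PID 2932 for the csrss.exe name outside System32, and PID 2676 twice, once for an inbound allow rule pointing at an untrusted path and once because the netsh call descends from an executable in %TEMP%. The makecab.exe entry and the genuine csrss.exe stay silent, which is the point of the controls.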

Network

  DNS queries (all issued by csrss.exe to resolver 8.8.8.8:53; flag: US)

  • venoxcontrol.com IN A
    Response: none recorded
    Traffic: 62 B sent / 135 B received, 1 packet each way
  • okonewacon.com IN A
    Response: okonewacon.com IN A 54.244.188.177
    Traffic: 60 B sent / 76 B received, 1 packet each way
  • blackempirebuild.com IN A
    Response: blackempirebuild.com IN A 204.11.56.48
    Traffic: 66 B sent / 82 B received, 1 packet each way

  Connections (all by csrss.exe; bytes sent / received, packets sent / received)

  • 54.244.188.177:443 (okonewacon.com), tls: 4.6kB / 5.7kB, 20 / 17 packets
  • 204.11.56.48:443 (blackempirebuild.com), no protocol identified: 152 B sent in 3 packets, nothing received
  • 204.11.56.48:443 (blackempirebuild.com), no protocol identified: 152 B sent in 3 packets, nothing received
  • 204.11.56.48:443 (blackempirebuild.com), no protocol identified: 152 B sent in 3 packets, nothing received
  • 54.244.188.177:443 (okonewacon.com), tls: 2.0kB / 4.3kB, 8 / 6 packets

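The network section gives three domains and two resolved addresses, all contacted by the dropped csrss.exe. The script below is an added example, not part of the tria.ge report, showing how to sweep DNS and connection telemetry for those indicators. The domains and IPs are the ones listed above; the log lines are constructed in an assumed whitespace-separated layout (timestamp, client, server, query, answer; and timestamp, client, destination, protocol), not any product's real format, and the 192.0.2.x addresses are documentation-range placeholders. Subdomains of an IOC domain match, look-alike names that merely end in the same characters do not, and a query with no answer (as for venoxcontrol.com above) is still reported, because the lookup itself is the indicator.

```python
"""Match DNS and connection telemetry against the network IOCs from the report above.

Added example, not part of the tria.ge report. IOC_DOMAINS maps each domain to
the A record the report shows (None where no response was recorded). The two
log strings are constructed samples in an assumed layout.
"""
from typing import Dict, List, Optional

IOC_DOMAINS: Dict[str, Optional[str]] = {
    "venoxcontrol.com": None,            # queried, no response recorded
    "okonewacon.com": "54.244.188.177",
    "blackempirebuild.com": "204.11.56.48",
}
IOC_IPS = {ip for ip in IOC_DOMAINS.values() if ip}

# Constructed DNS log: timestamp client server query answer ("-" = no answer).
SAMPLE_DNS_LOG = """\
2024-08-31T19:24:01Z 10.0.0.5 8.8.8.8 venoxcontrol.com -
2024-08-31T19:24:02Z 10.0.0.5 8.8.8.8 okonewacon.com 54.244.188.177
2024-08-31T19:24:02Z 10.0.0.5 8.8.8.8 blackempirebuild.com 204.11.56.48
2024-08-31T19:24:03Z 10.0.0.5 8.8.8.8 cdn.okonewacon.com. 54.244.188.177
2024-08-31T19:24:05Z 10.0.0.5 8.8.8.8 example.org 192.0.2.10
2024-08-31T19:24:06Z 10.0.0.5 8.8.8.8 notokonewacon.com 192.0.2.11
"""

# Constructed connection log: timestamp client destination:port protocol.
SAMPLE_CONN_LOG = """\
2024-08-31T19:24:03Z 10.0.0.5 54.244.188.177:443 tcp
2024-08-31T19:24:04Z 10.0.0.5 204.11.56.48:443 tcp
2024-08-31T19:24:04Z 10.0.0.5 204.11.56.48:443 tcp
2024-08-31T19:24:07Z 10.0.0.5 192.0.2.10:443 tcp
"""


def matching_ioc_domain(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.
    Trailing-dot FQDNs and case differences are normalised; 'notokonewacon.com' does not match."""
    name = name.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan_dns(log: str) -> List[dict]:
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, _server, query, answer = line.split()
        ioc = matching_ioc_domain(query)
        if ioc is None:
            continue
        if answer == "-":
            note = "lookup with no answer"          # still a hit: the query is the indicator
        elif answer == IOC_DOMAINS[ioc]:
            note = "answer matches report"
        else:
            note = "answer differs from report"     # possible infrastructure rotation
        hits.append({"ts": ts, "client": client, "query": query.rstrip("."),
                     "ioc": ioc, "answer": None if answer == "-" else answer, "note": note})
    return hits


def scan_connections(log: str) -> List[dict]:
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, dest, proto = line.split()
        ip, _, port = dest.rpartition(":")
        if ip in IOC_IPS:
            hits.append({"ts": ts, "client": client, "ip": ip, "port": int(port), "proto": proto})
    return hits


if __name__ == "__main__":
    for h in scan_dns(SAMPLE_DNS_LOG):
        print("DNS ", h)
    for h in scan_connections(SAMPLE_CONN_LOG):
        print("CONN", h)
```

The "answer differs from report" branch is worth keeping in a real hunt: a domain from a sandbox run that now resolves elsewhere still identifies the client as having looked up the malware's infrastructure, and the new address is a fresh indicator.
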
Downloads

  • \Windows\rss\csrss.exe

    Filesize: 5.0MB
    MD5: cd71299dfba856b2a9ec3ffb880ebad5
    SHA1: e630635246663d5f8dbb87a7d09644f0b83d3fa3
    SHA256: 396d94f129bc31e0115927a1207ce6380638de2776e2d31c5e4f7ea9ed39652e
    SHA512: 03b2ae84c3c83bf3c18c6a924966f55edd66b196cb219eb92ded98275fe87b1a56a44e128e3ff46c2cb9e466f55fa8b7f2e817ae9795a5a9d96cd0f67e326dc6

    All hashes match the submitted sample: the dropped csrss.exe is a byte-for-byte copy of the original executable, renamed and placed outside System32.

  • Memory dumps (files are named memory/<pid>-<index>-<start>-<end>-memory.dmp)

    PID 2612
      0x0000000000400000-0x0000000000AEB000 (6.9MB): indices 3, 5
      0x0000000002980000-0x0000000002E4C000 (4.8MB): indices 0, 1, 7
      0x0000000002E50000-0x0000000003520000 (6.8MB): indices 2, 8

    PID 3008
      0x0000000000400000-0x0000000000AEB000 (6.9MB): indices 9, 10, 20
      0x0000000002910000-0x0000000002DDC000 (4.8MB): index 6

    PID 2932
      0x0000000000400000-0x0000000000AEB000 (6.9MB): indices 22, 35, 36, 38, 39, 40, 42, 44, 46
      0x0000000002890000-0x0000000002D5C000 (4.8MB): index 21
