Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d055aa1d27...18.exe

windows7-x64

10

d055aa1d27...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    12s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 19:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d055aa1d2702cf0186ac8dc1c2aea170_JaffaCakes118.exe

  • Size

    5.0MB

  • MD5

    d055aa1d2702cf0186ac8dc1c2aea170

  • SHA1

    01671d78a8ff90a9b34d162fb4ab04c6716a950c

  • SHA256

    c0e45b39bf808cc4741933404772f7a2f90dfc453b17b5d30fc71f2f7373e7c8

  • SHA512

    21399ead14206296f035177bc9e564099006dd526430b45c6226abf0c46d1c5fac363f4c0af7d1bd2eb968b8dae4eb68250971a5d99901ab6e12a8bfc53acabf

  • SSDEEP

    98304:NnbMiCEK1vZpAWCfSdr1bZwbFizPkgFpM4xAIkSksjJ22OweySzHQrDzERAF:NnJ7K1vZmXf+rLwbobFptky92PDe3NF

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 12 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d055aa1d2702cf0186ac8dc1c2aea170_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d055aa1d2702cf0186ac8dc1c2aea170_JaffaCakes118.exe"
    1⤵
      PID:3056
      • C:\Users\Admin\AppData\Local\Temp\d055aa1d2702cf0186ac8dc1c2aea170_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\d055aa1d2702cf0186ac8dc1c2aea170_JaffaCakes118.exe"
        2⤵
          PID:2724
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:1788
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:2900
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe /6-JaffaCakes118
              3⤵
                PID:2996
          • C:\Windows\system32\makecab.exe
            "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240906194946.log C:\Windows\Logs\CBS\CbsPersist_20240906194946.cab
            1⤵
              PID:2832

            Network

            • flag-us
              DNS
              venoxcontrol.com
              Remote address:
              8.8.8.8:53
              Request
              venoxcontrol.com
              IN A
              Response
              venoxcontrol.com
              IN A
              107.178.223.183
              venoxcontrol.com
              IN A
              104.155.138.21
            • flag-us
              DNS
              okonewacon.com
              Remote address:
              8.8.8.8:53
              Request
              okonewacon.com
              IN A
              Response
              okonewacon.com
              IN A
              54.244.188.177
            • flag-us
              DNS
              blackempirebuild.com
              Remote address:
              8.8.8.8:53
              Request
              blackempirebuild.com
              IN A
              Response
              blackempirebuild.com
              IN A
              204.11.56.48
            • 107.178.223.183:443
              venoxcontrol.com
              tls
              469 B
               662 B
               5
              3
            • 107.178.223.183:443
              venoxcontrol.com
              tls
              515 B
               664 B
               6
              3
            • 107.178.223.183:443
              venoxcontrol.com
              tls
              515 B
               702 B
               6
              4
            • 107.178.223.183:443
              venoxcontrol.com
              tls
              469 B
               663 B
               5
              3
            • 54.244.188.177:443
              okonewacon.com
              tls
              4.4kB
               5.6kB
               16
              15
            • 204.11.56.48:443
              blackempirebuild.com
              152 B
               3
            • 107.178.223.183:443
              venoxcontrol.com
              tls
              469 B
               663 B
               5
              3
            • 204.11.56.48:443
              blackempirebuild.com
              152 B
               3
            • 107.178.223.183:443
              venoxcontrol.com
              tls
              469 B
               663 B
               5
              3
            • 204.11.56.48:443
              blackempirebuild.com
              152 B
               3
            • 8.8.8.8:53
              venoxcontrol.com
              dns
              62 B
               94 B
               1
              1

              DNS Request

              venoxcontrol.com

              DNS Response

              107.178.223.183
              104.155.138.21

            • 8.8.8.8:53
              okonewacon.com
              dns
              60 B
               76 B
               1
              1

              DNS Request

              okonewacon.com

              DNS Response

              54.244.188.177

            • 8.8.8.8:53
              blackempirebuild.com
              dns
              66 B
               82 B
               1
              1

              DNS Request

              blackempirebuild.com

              DNS Response

              204.11.56.48

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • \Windows\rss\csrss.exe
              Filesize

              5.0MB

              MD5

              d055aa1d2702cf0186ac8dc1c2aea170

              SHA1

              01671d78a8ff90a9b34d162fb4ab04c6716a950c

              SHA256

              c0e45b39bf808cc4741933404772f7a2f90dfc453b17b5d30fc71f2f7373e7c8

              SHA512

              21399ead14206296f035177bc9e564099006dd526430b45c6226abf0c46d1c5fac363f4c0af7d1bd2eb968b8dae4eb68250971a5d99901ab6e12a8bfc53acabf

              Download Submit

            • memory/2724-17-0x0000000001880000-0x0000000001D49000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2724-29-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/2724-19-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/2724-18-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/2996-31-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/2996-33-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/2996-40-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/2996-38-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/2996-37-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/2996-36-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/2996-30-0x00000000017D0000-0x0000000001C99000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2996-34-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/3056-2-0x0000000000400000-0x0000000000AE9000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3056-0-0x0000000001760000-0x0000000001C29000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/3056-1-0x0000000001760000-0x0000000001C29000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/3056-3-0x0000000000400000-0x0000000001108000-memory.dmp

              Filesize

              13.0MB

              Download

            • memory/3056-5-0x0000000000400000-0x0000000000AE9000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3056-4-0x0000000001760000-0x0000000001C29000-memory.dmp

              Filesize

              4.8MB

              Download

            We care about your privacy.

            This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.