Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2024, 11:59 UTC

General

  • Target

    JaffaCakes118_7a754e5ff3a9a34e8475295347438d0c37727fd590a6e912e283fa57d5b111c5.exe

  • Size

    4.2MB

  • MD5

    4e4f8311291d3d3d0d0dc7013d1033cc

  • SHA1

    20f5e96dd22669e7324fda7a0fdd7a01d1b6e833

  • SHA256

    7a754e5ff3a9a34e8475295347438d0c37727fd590a6e912e283fa57d5b111c5

  • SHA512

    c4c066818b42b9ec5d10d036d2fb49328af5d83aa21f0e4b13f48c540cd77e058eca9d1d5507759f6638fef19d51076360d65a0b35f2261a5efd68da3b8fa72c

  • SSDEEP

    98304:3C2E3gsYpgYIWbe98gdSwcCVMLhUG9qr72RpiptyM:SLgGYIue98gbIhkWRpYtyM

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 20 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a754e5ff3a9a34e8475295347438d0c37727fd590a6e912e283fa57d5b111c5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a754e5ff3a9a34e8475295347438d0c37727fd590a6e912e283fa57d5b111c5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4252
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a754e5ff3a9a34e8475295347438d0c37727fd590a6e912e283fa57d5b111c5.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a754e5ff3a9a34e8475295347438d0c37727fd590a6e912e283fa57d5b111c5.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:400
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe /305-305
        3⤵
        • Executes dropped EXE
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:5052
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:2272
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4324

    Network

    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      trumops.com
      IN TXT
      Response
      trumops.com
      IN TXT
      v=spf1 include:_incspfcheck.mailspike.net ?all
    • flag-us
      DNS
      retoti.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      retoti.com
      IN TXT
      Response
      retoti.com
      IN TXT
      v=spf1 include:_incspfcheck.mailspike.net ?all
    • flag-us
      DNS
      retoti.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      retoti.com
      IN TXT
    • flag-us
      DNS
      logs.trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      logs.trumops.com
      IN TXT
      Response
    • flag-us
      DNS
      logs.retoti.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      logs.retoti.com
      IN TXT
      Response
    • flag-us
      DNS
      9471bc14-4bd8-491c-aa04-b7015ab136aa.uuid.trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      9471bc14-4bd8-491c-aa04-b7015ab136aa.uuid.trumops.com
      IN TXT
      Response
    • flag-us
      DNS
      server9.trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server9.trumops.com
      IN A
      Response
      server9.trumops.com
      IN A
      44.221.84.105
    • flag-us
      DNS
      105.84.221.44.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      105.84.221.44.in-addr.arpa
      IN PTR
      Response
      105.84.221.44.in-addr.arpa
      IN PTR
      ec2-44-221-84-105.compute-1.amazonaws.com
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      24.139.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.139.73.23.in-addr.arpa
      IN PTR
      Response
      24.139.73.23.in-addr.arpa
      IN PTR
      a23-73-139-24.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      22.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.49.80.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      server9.retoti.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server9.retoti.com
      IN A
      Response
      server9.retoti.com
      IN A
      44.221.84.105
    • flag-us
      DNS
      raw.githubusercontent.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      raw.githubusercontent.com
      IN A
      Response
      raw.githubusercontent.com
      IN A
      185.199.110.133
      raw.githubusercontent.com
      IN A
      185.199.109.133
      raw.githubusercontent.com
      IN A
      185.199.108.133
      raw.githubusercontent.com
      IN A
      185.199.111.133
    • flag-us
      DNS
      133.110.199.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.110.199.185.in-addr.arpa
      IN PTR
      Response
      133.110.199.185.in-addr.arpa
      IN PTR
      cdn-185-199-110-133.github.com
    • flag-us
      DNS
      alviss.coinjoined.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      alviss.coinjoined.com
      IN A
      Response
      alviss.coinjoined.com
      IN A
      128.140.49.4
    • flag-us
      DNS
      skbxmit.coinjoined.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      skbxmit.coinjoined.com
      IN A
      Response
      skbxmit.coinjoined.com
      IN A
      49.12.38.161
    • flag-us
      DNS
      192.67.140.128.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      192.67.140.128.in-addr.arpa
      IN PTR
      Response
      192.67.140.128.in-addr.arpa
      IN PTR
      static.192.67.140.128.clients.your-server.de
    • flag-us
      DNS
      4.49.140.128.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.49.140.128.in-addr.arpa
      IN PTR
      Response
      4.49.140.128.in-addr.arpa
      IN PTR
      static.4.49.140.128.clients.your-server.de
    • flag-us
      DNS
      38.6.93.142.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      38.6.93.142.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      161.38.12.49.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      161.38.12.49.in-addr.arpa
      IN PTR
      Response
      161.38.12.49.in-addr.arpa
      IN PTR
      static.161.38.12.49.clients.your-server.de
    • 44.221.84.105:443
      server9.trumops.com
      tls
      csrss.exe
      25.5kB
      10.3kB
      40
      22
    • 44.221.84.105:443
      server9.trumops.com
      tls
      csrss.exe
      1.9kB
      5.4kB
      12
      12
    • 44.221.84.105:443
      server9.retoti.com
      tls
      csrss.exe
      1.6kB
      5.2kB
      8
      8
    • 185.199.110.133:443
      raw.githubusercontent.com
      tls
      csrss.exe
      1.1kB
      6.8kB
      10
      13
    • 188.230.155.0:50001
      csrss.exe
      156 B
      3
    • 142.93.6.38:50001
      csrss.exe
      485 B
      11.4kB
      9
      12
    • 128.140.49.4:50001
      alviss.coinjoined.com
      csrss.exe
      439 B
      9.9kB
      8
      10
    • 128.140.67.192:50002
      tls
      csrss.exe
      1.6kB
      7.5kB
      15
      13
    • 49.12.38.161:50001
      skbxmit.coinjoined.com
      csrss.exe
      958 B
      5.4kB
      10
      9
    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      219 B
      144 B
      3
      1

      DNS Request

      95.221.229.192.in-addr.arpa

      DNS Request

      95.221.229.192.in-addr.arpa

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      trumops.com
      dns
      csrss.exe
      57 B
      116 B
      1
      1

      DNS Request

      trumops.com

    • 8.8.8.8:53
      retoti.com
      dns
      csrss.exe
      112 B
      115 B
      2
      1

      DNS Request

      retoti.com

      DNS Request

      retoti.com

    • 8.8.8.8:53
      logs.trumops.com
      dns
      csrss.exe
      62 B
      121 B
      1
      1

      DNS Request

      logs.trumops.com

    • 8.8.8.8:53
      logs.retoti.com
      dns
      csrss.exe
      61 B
      120 B
      1
      1

      DNS Request

      logs.retoti.com

    • 8.8.8.8:53
      9471bc14-4bd8-491c-aa04-b7015ab136aa.uuid.trumops.com
      dns
      csrss.exe
      99 B
      158 B
      1
      1

      DNS Request

      9471bc14-4bd8-491c-aa04-b7015ab136aa.uuid.trumops.com

    • 8.8.8.8:53
      server9.trumops.com
      dns
      csrss.exe
      65 B
      81 B
      1
      1

      DNS Request

      server9.trumops.com

      DNS Response

      44.221.84.105

    • 8.8.8.8:53
      105.84.221.44.in-addr.arpa
      dns
      72 B
      127 B
      1
      1

      DNS Request

      105.84.221.44.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      24.139.73.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      24.139.73.23.in-addr.arpa

    • 8.8.8.8:53
      22.49.80.91.in-addr.arpa
      dns
      70 B
      145 B
      1
      1

      DNS Request

      22.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      server9.retoti.com
      dns
      csrss.exe
      64 B
      80 B
      1
      1

      DNS Request

      server9.retoti.com

      DNS Response

      44.221.84.105

    • 8.8.8.8:53
      raw.githubusercontent.com
      dns
      csrss.exe
      71 B
      135 B
      1
      1

      DNS Request

      raw.githubusercontent.com

      DNS Response

      185.199.110.133
      185.199.109.133
      185.199.108.133
      185.199.111.133

    • 8.8.8.8:53
      133.110.199.185.in-addr.arpa
      dns
      74 B
      118 B
      1
      1

      DNS Request

      133.110.199.185.in-addr.arpa

    • 8.8.8.8:53
      alviss.coinjoined.com
      dns
      csrss.exe
      67 B
      83 B
      1
      1

      DNS Request

      alviss.coinjoined.com

      DNS Response

      128.140.49.4

    • 8.8.8.8:53
      skbxmit.coinjoined.com
      dns
      csrss.exe
      68 B
      84 B
      1
      1

      DNS Request

      skbxmit.coinjoined.com

      DNS Response

      49.12.38.161

    • 8.8.8.8:53
      192.67.140.128.in-addr.arpa
      dns
      73 B
      131 B
      1
      1

      DNS Request

      192.67.140.128.in-addr.arpa

    • 8.8.8.8:53
      4.49.140.128.in-addr.arpa
      dns
      71 B
      127 B
      1
      1

      DNS Request

      4.49.140.128.in-addr.arpa

    • 8.8.8.8:53
      38.6.93.142.in-addr.arpa
      dns
      70 B
      137 B
      1
      1

      DNS Request

      38.6.93.142.in-addr.arpa

    • 8.8.8.8:53
      161.38.12.49.in-addr.arpa
      dns
      71 B
      127 B
      1
      1

      DNS Request

      161.38.12.49.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Windows\rss\csrss.exe

      Filesize

      4.2MB

      MD5

      4e4f8311291d3d3d0d0dc7013d1033cc

      SHA1

      20f5e96dd22669e7324fda7a0fdd7a01d1b6e833

      SHA256

      7a754e5ff3a9a34e8475295347438d0c37727fd590a6e912e283fa57d5b111c5

      SHA512

      c4c066818b42b9ec5d10d036d2fb49328af5d83aa21f0e4b13f48c540cd77e058eca9d1d5507759f6638fef19d51076360d65a0b35f2261a5efd68da3b8fa72c

    • memory/1624-25-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-21-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-31-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-30-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-29-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-28-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-19-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-23-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-20-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-27-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-26-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-13-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-24-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/1624-22-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/4252-2-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/4252-0-0x0000000003010000-0x000000000341F000-memory.dmp

      Filesize

      4.1MB

    • memory/4252-3-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/4252-1-0x0000000003420000-0x0000000003CC2000-memory.dmp

      Filesize

      8.6MB

    • memory/4252-4-0x0000000003010000-0x000000000341F000-memory.dmp

      Filesize

      4.1MB

    • memory/4252-5-0x0000000003420000-0x0000000003CC2000-memory.dmp

      Filesize

      8.6MB

    • memory/4388-12-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/4388-7-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/4388-6-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB