Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 18:42 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe
-
Size
4.3MB
-
MD5
96fd0f878771bed5078fa43d497be8d9
-
SHA1
f0becdf26b1df6e4443d4484f0404eb54eaf0f94
-
SHA256
7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba
-
SHA512
98aec4a75643d13afef1f0625a4a08a8aec642890efe51275d3e8f5fde2ca69b528470e4abcb145359864b53cc63cbe81c401a86bedea35aaa9111a4583acace
-
SSDEEP
98304:D3xSkZ/7Oc7vzvTI3Uel/dxYHiv9V7kSwrQrF3+o1Cy0:zb/q2vzvs3Uod6I9azrQrZk
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba family
-
Glupteba payload 20 IoCs
resource yara_rule behavioral2/memory/3572-2-0x00000000035A0000-0x0000000003E42000-memory.dmp family_glupteba behavioral2/memory/3572-3-0x0000000000400000-0x0000000000CBD000-memory.dmp family_glupteba behavioral2/memory/3572-5-0x00000000035A0000-0x0000000003E42000-memory.dmp family_glupteba behavioral2/memory/3572-6-0x0000000000400000-0x0000000000CBD000-memory.dmp family_glupteba behavioral2/memory/3572-4-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/4448-9-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/4448-15-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-17-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-23-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-24-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-25-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-26-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-27-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-28-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-29-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-30-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-31-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-32-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-33-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/3844-34-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2456 netsh.exe -
Executes dropped EXE 2 IoCs
pid Process 3844 csrss.exe 3276 injector.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolitaryWater = "\"C:\\Windows\\rss\\csrss.exe\"" JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 51 raw.githubusercontent.com 52 raw.githubusercontent.com -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rss\csrss.exe JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe File opened for modification C:\Windows\rss JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 968 4448 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs csrss.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3848 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3572 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 3572 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 3844 csrss.exe 3844 csrss.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe 3276 injector.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3572 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe Token: SeImpersonatePrivilege 3572 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe Token: SeSystemEnvironmentPrivilege 3844 csrss.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4448 wrote to memory of 1892 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 86 PID 4448 wrote to memory of 1892 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 86 PID 1892 wrote to memory of 2456 1892 cmd.exe 88 PID 1892 wrote to memory of 2456 1892 cmd.exe 88 PID 4448 wrote to memory of 3844 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 89 PID 4448 wrote to memory of 3844 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 89 PID 4448 wrote to memory of 3844 4448 JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe 89 PID 3844 wrote to memory of 3276 3844 csrss.exe 97 PID 3844 wrote to memory of 3276 3844 csrss.exe 97 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2456
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /305-3053⤵
- Executes dropped EXE
- Manipulates WinMonFS driver.
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Scheduled Task/Job: Scheduled Task
PID:3848
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:2996
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3276
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 8923⤵
- Program crash
PID:968
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4448 -ip 44481⤵PID:368
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request81.144.22.2.in-addr.arpaIN PTRResponse81.144.22.2.in-addr.arpaIN PTRa2-22-144-81deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request20.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttrumops.comIN TXTResponsetrumops.comIN TXT.v=spf1 include:_incspfcheck.mailspike.net ?all
-
Remote address:8.8.8.8:53Requestretoti.comIN TXTResponseretoti.comIN TXT.v=spf1 include:_incspfcheck.mailspike.net ?all
-
Remote address:8.8.8.8:53Requestlogs.trumops.comIN TXTResponse
-
Remote address:8.8.8.8:53Requestlogs.retoti.comIN TXTResponse
-
Remote address:8.8.8.8:53Request5ea1c33f-2451-467e-aa89-1bd9d2f7df4c.uuid.trumops.comIN TXTResponse
-
Remote address:8.8.8.8:53Requestserver4.trumops.comIN AResponseserver4.trumops.comIN A44.221.84.105
-
Remote address:8.8.8.8:53Request105.84.221.44.in-addr.arpaIN PTRResponse105.84.221.44.in-addr.arpaIN PTRec2-44-221-84-105 compute-1 amazonawscom
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestserver4.retoti.comIN AResponseserver4.retoti.comIN A44.221.84.105
-
Remote address:8.8.8.8:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN A185.199.108.133raw.githubusercontent.comIN A185.199.109.133raw.githubusercontent.comIN A185.199.110.133raw.githubusercontent.comIN A185.199.111.133
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestalviss.coinjoined.comIN AResponsealviss.coinjoined.comIN A128.140.49.4
-
Remote address:8.8.8.8:53Requeste2.keff.orgIN AResponsee2.keff.orgIN A45.154.252.100
-
Remote address:8.8.8.8:53Request133.108.199.185.in-addr.arpaIN PTRResponse133.108.199.185.in-addr.arpaIN PTRcdn-185-199-108-133githubcom
-
Remote address:8.8.8.8:53Request4.49.140.128.in-addr.arpaIN PTRResponse4.49.140.128.in-addr.arpaIN PTRstatic449140128clientsyour-serverde
-
Remote address:8.8.8.8:53Request2electrumx.hopto.meIN AResponse2electrumx.hopto.meIN A8.8.8.8
-
Remote address:8.8.8.8:53Request38.6.93.142.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestskbxmit.coinjoined.comIN AResponseskbxmit.coinjoined.comIN A49.12.38.161
-
Remote address:8.8.8.8:53Request161.38.12.49.in-addr.arpaIN PTRResponse161.38.12.49.in-addr.arpaIN PTRstatic161381249clientsyour-serverde
-
Remote address:8.8.8.8:53Request104.65.78.5.in-addr.arpaIN PTRResponse104.65.78.5.in-addr.arpaIN PTRstatic10465785clientsyour-serverde
-
Remote address:8.8.8.8:53Requestself.events.data.microsoft.comIN AResponseself.events.data.microsoft.comIN CNAMEself-events-data.trafficmanager.netself-events-data.trafficmanager.netIN CNAMEonedscolprduks04.uksouth.cloudapp.azure.comonedscolprduks04.uksouth.cloudapp.azure.comIN A51.104.15.253
-
Remote address:8.8.8.8:53Request253.15.104.51.in-addr.arpaIN PTRResponse
-
15.7kB 10.3kB 34 24
-
1.9kB 5.5kB 13 12
-
1.2kB 6.9kB 12 14
-
439 B 9.9kB 8 10
-
260 B 200 B 5 5
-
485 B 11.5kB 9 12
-
104 B 2
-
958 B 5.5kB 10 10
-
1.6kB 7.5kB 15 12
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
81.144.22.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
20.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
57 B 116 B 1 1
DNS Request
trumops.com
-
56 B 115 B 1 1
DNS Request
retoti.com
-
62 B 121 B 1 1
DNS Request
logs.trumops.com
-
61 B 120 B 1 1
DNS Request
logs.retoti.com
-
99 B 158 B 1 1
DNS Request
5ea1c33f-2451-467e-aa89-1bd9d2f7df4c.uuid.trumops.com
-
65 B 81 B 1 1
DNS Request
server4.trumops.com
DNS Response
44.221.84.105
-
72 B 127 B 1 1
DNS Request
105.84.221.44.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
21.49.80.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
86.49.80.91.in-addr.arpa
-
64 B 80 B 1 1
DNS Request
server4.retoti.com
DNS Response
44.221.84.105
-
71 B 135 B 1 1
DNS Request
raw.githubusercontent.com
DNS Response
185.199.108.133185.199.109.133185.199.110.133185.199.111.133
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
-
67 B 83 B 1 1
DNS Request
alviss.coinjoined.com
DNS Response
128.140.49.4
-
57 B 73 B 1 1
DNS Request
e2.keff.org
DNS Response
45.154.252.100
-
74 B 118 B 1 1
DNS Request
133.108.199.185.in-addr.arpa
-
71 B 127 B 1 1
DNS Request
4.49.140.128.in-addr.arpa
-
65 B 81 B 1 1
DNS Request
2electrumx.hopto.me
DNS Response
8.8.8.8
-
70 B 137 B 1 1
DNS Request
38.6.93.142.in-addr.arpa
-
68 B 84 B 1 1
DNS Request
skbxmit.coinjoined.com
DNS Response
49.12.38.161
-
71 B 127 B 1 1
DNS Request
161.38.12.49.in-addr.arpa
-
70 B 125 B 1 1
DNS Request
104.65.78.5.in-addr.arpa
-
76 B 195 B 1 1
DNS Request
self.events.data.microsoft.com
DNS Response
51.104.15.253
-
72 B 146 B 1 1
DNS Request
253.15.104.51.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
4.3MB
MD596fd0f878771bed5078fa43d497be8d9
SHA1f0becdf26b1df6e4443d4484f0404eb54eaf0f94
SHA2567698f71461f6be19bcd08b58ab7e4c2f7e226bb1410fa3fa5902445846a7edba
SHA51298aec4a75643d13afef1f0625a4a08a8aec642890efe51275d3e8f5fde2ca69b528470e4abcb145359864b53cc63cbe81c401a86bedea35aaa9111a4583acace