Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 19:51
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe
-
Size
4.3MB
-
MD5
6f00d125acf26839af12b80c43652991
-
SHA1
72600c5b1345419cd4be3f7bf352fcd848d775d2
-
SHA256
cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936
-
SHA512
2308f6a80a807424017b86e665fa8c43ccf0852a1ed1fb4a5ced04b024fa39c27c63cea0a67dfdace1730433e182e8b98a166fe76ae3d3438a7f341fbaf684ee
-
SSDEEP
98304:D3xSkZ/7Oc7vzvTI3Uel/dxYHiv9V7kSwrQrF3+o1CyZ:zb/q2vzvs3Uod6I9azrQrZJ
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba family
-
Glupteba payload 20 IoCs
resource yara_rule behavioral2/memory/3600-2-0x00000000038D0000-0x0000000004172000-memory.dmp family_glupteba behavioral2/memory/3600-3-0x0000000000400000-0x0000000000CBD000-memory.dmp family_glupteba behavioral2/memory/3600-6-0x0000000000400000-0x0000000000CBD000-memory.dmp family_glupteba behavioral2/memory/3600-5-0x00000000038D0000-0x0000000004172000-memory.dmp family_glupteba behavioral2/memory/3600-4-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/1776-9-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/1776-14-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-16-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-22-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-23-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-24-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-25-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-26-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-27-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-28-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-29-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-30-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-31-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-32-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba behavioral2/memory/2060-33-0x0000000000400000-0x0000000002F4C000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3732 netsh.exe -
Executes dropped EXE 2 IoCs
pid Process 2060 csrss.exe 1416 injector.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PatientPond = "\"C:\\Windows\\rss\\csrss.exe\"" JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 53 raw.githubusercontent.com 54 raw.githubusercontent.com -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\rss JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe File created C:\Windows\rss\csrss.exe JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1496 1776 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" csrss.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4508 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3600 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 3600 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 2060 csrss.exe 2060 csrss.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe 1416 injector.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3600 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe Token: SeImpersonatePrivilege 3600 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe Token: SeSystemEnvironmentPrivilege 2060 csrss.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1776 wrote to memory of 3060 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 88 PID 1776 wrote to memory of 3060 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 88 PID 3060 wrote to memory of 3732 3060 cmd.exe 90 PID 3060 wrote to memory of 3732 3060 cmd.exe 90 PID 1776 wrote to memory of 2060 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 91 PID 1776 wrote to memory of 2060 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 91 PID 1776 wrote to memory of 2060 1776 JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe 91 PID 2060 wrote to memory of 1416 2060 csrss.exe 112 PID 2060 wrote to memory of 1416 2060 csrss.exe 112 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3732
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /301-3013⤵
- Executes dropped EXE
- Manipulates WinMonFS driver.
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Scheduled Task/Job: Scheduled Task
PID:4508
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:4192
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1416
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 8603⤵
- Program crash
PID:1496
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1776 -ip 17761⤵PID:2140
Network
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.144.22.2.in-addr.arpaIN PTRResponse73.144.22.2.in-addr.arpaIN PTRa2-22-144-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request138.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttrumops.comIN TXTResponsetrumops.comIN TXT.v=spf1 include:_incspfcheck.mailspike.net ?all
-
Remote address:8.8.8.8:53Requesttrumops.comIN TXT
-
Remote address:8.8.8.8:53Requestretoti.comIN TXTResponseretoti.comIN TXT.v=spf1 include:_incspfcheck.mailspike.net ?all
-
Remote address:8.8.8.8:53Requestlogs.trumops.comIN TXTResponse
-
Remote address:8.8.8.8:53Requestlogs.retoti.comIN TXTResponse
-
Remote address:8.8.8.8:53Request280448f9-d036-4e3c-869e-0d854e06c9fb.uuid.trumops.comIN TXTResponse
-
Remote address:8.8.8.8:53Requestserver4.trumops.comIN AResponseserver4.trumops.comIN A44.221.84.105
-
Remote address:8.8.8.8:53Request105.84.221.44.in-addr.arpaIN PTRResponse105.84.221.44.in-addr.arpaIN PTRec2-44-221-84-105 compute-1 amazonawscom
-
Remote address:8.8.8.8:53Request105.84.221.44.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.42.69.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request81.144.22.2.in-addr.arpaIN PTRResponse81.144.22.2.in-addr.arpaIN PTRa2-22-144-81deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestserver4.retoti.comIN AResponseserver4.retoti.comIN A44.221.84.105
-
Remote address:8.8.8.8:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN A185.199.108.133raw.githubusercontent.comIN A185.199.111.133raw.githubusercontent.comIN A185.199.109.133raw.githubusercontent.comIN A185.199.110.133
-
Remote address:8.8.8.8:53Request133.108.199.185.in-addr.arpaIN PTRResponse133.108.199.185.in-addr.arpaIN PTRcdn-185-199-108-133githubcom
-
Remote address:8.8.8.8:53Request133.108.199.185.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Requestnode.degga.netIN AResponsenode.degga.netIN A162.192.36.227
-
Remote address:8.8.8.8:53Requestnode.degga.netIN A
-
Remote address:8.8.8.8:53Requestelectrum.blockstream.infoIN AResponseelectrum.blockstream.infoIN A34.36.93.230
-
Remote address:8.8.8.8:53Requestexs.dyshek.orgIN AResponseexs.dyshek.orgIN A135.181.31.178
-
Remote address:8.8.8.8:53Requestvmd84592.contaboserver.netIN AResponse
-
Remote address:8.8.8.8:53Requestfulcrum.thechaceys.comIN AResponse
-
Remote address:8.8.8.8:53Request230.93.36.34.in-addr.arpaIN PTRResponse230.93.36.34.in-addr.arpaIN PTR230933634bcgoogleusercontentcom
-
Remote address:8.8.8.8:53Request178.31.181.135.in-addr.arpaIN PTRResponse178.31.181.135.in-addr.arpaIN PTRstatic17831181135clientsyour-serverde
-
Remote address:8.8.8.8:53Requestlavahost.orgIN AResponselavahost.orgIN A5.10.171.150
-
Remote address:8.8.8.8:53Request82.73.121.34.in-addr.arpaIN PTRResponse82.73.121.34.in-addr.arpaIN PTR827312134bcgoogleusercontentcom
-
Remote address:8.8.8.8:53Requestbtc.aftrek.orgIN AResponsebtc.aftrek.orgIN A49.12.35.19
-
Remote address:8.8.8.8:53Requestbtc.aftrek.orgIN A
-
Remote address:8.8.8.8:53Request19.35.12.49.in-addr.arpaIN PTRResponse19.35.12.49.in-addr.arpaIN PTRstatic19351249clientsyour-serverde
-
21.3kB 11.8kB 41 25
-
1.4kB 7.9kB 18 14
-
2.4kB 5.4kB 11 9
-
2.8kB 8.3kB 18 14
-
104 B 2
-
156 B 80 B 3 2
-
510 B 3.5kB 8 8
-
485 B 10.7kB 9 11
-
1.2kB 5.6kB 13 11
-
104 B 2
-
1.1kB 6.2kB 12 10
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
73.144.22.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
138.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
114 B 116 B 2 1
DNS Request
trumops.com
DNS Request
trumops.com
-
56 B 115 B 1 1
DNS Request
retoti.com
-
62 B 121 B 1 1
DNS Request
logs.trumops.com
-
61 B 120 B 1 1
DNS Request
logs.retoti.com
-
99 B 158 B 1 1
DNS Request
280448f9-d036-4e3c-869e-0d854e06c9fb.uuid.trumops.com
-
65 B 81 B 1 1
DNS Request
server4.trumops.com
DNS Response
44.221.84.105
-
144 B 127 B 2 1
DNS Request
105.84.221.44.in-addr.arpa
DNS Request
105.84.221.44.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
241.42.69.40.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
81.144.22.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
-
64 B 80 B 1 1
DNS Request
server4.retoti.com
DNS Response
44.221.84.105
-
71 B 135 B 1 1
DNS Request
raw.githubusercontent.com
DNS Response
185.199.108.133185.199.111.133185.199.109.133185.199.110.133
-
148 B 118 B 2 1
DNS Request
133.108.199.185.in-addr.arpa
DNS Request
133.108.199.185.in-addr.arpa
-
120 B 76 B 2 1
DNS Request
node.degga.net
DNS Request
node.degga.net
DNS Response
162.192.36.227
-
71 B 87 B 1 1
DNS Request
electrum.blockstream.info
DNS Response
34.36.93.230
-
60 B 76 B 1 1
DNS Request
exs.dyshek.org
DNS Response
135.181.31.178
-
72 B 141 B 1 1
DNS Request
vmd84592.contaboserver.net
-
68 B 126 B 1 1
DNS Request
fulcrum.thechaceys.com
-
71 B 122 B 1 1
DNS Request
230.93.36.34.in-addr.arpa
-
73 B 131 B 1 1
DNS Request
178.31.181.135.in-addr.arpa
-
58 B 74 B 1 1
DNS Request
lavahost.org
DNS Response
5.10.171.150
-
71 B 122 B 1 1
DNS Request
82.73.121.34.in-addr.arpa
-
120 B 76 B 2 1
DNS Request
btc.aftrek.org
DNS Request
btc.aftrek.org
DNS Response
49.12.35.19
-
70 B 125 B 1 1
DNS Request
19.35.12.49.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
4.3MB
MD56f00d125acf26839af12b80c43652991
SHA172600c5b1345419cd4be3f7bf352fcd848d775d2
SHA256cf73757e09f097765efe858b3e2caf35afdefcd75f2abf712bb631a57c445936
SHA5122308f6a80a807424017b86e665fa8c43ccf0852a1ed1fb4a5ced04b024fa39c27c63cea0a67dfdace1730433e182e8b98a166fe76ae3d3438a7f341fbaf684ee