Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-12-2024 00:00
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
-
Size
4.4MB
-
MD5
e8b0090bafd4bbbbedba76ed83d27c21
-
SHA1
6614977c2de9096b837f072aa942866fe9b0af58
-
SHA256
526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3
-
SHA512
541b39478b92dfb0f4753e037d3f87b90dc5b420a2dcb0d189f45efabcc5979af48a6fe856577229be490e4e001c4f0f7dad0c26ca9ff63665fbe04d43ab809b
-
SSDEEP
98304:vGjMEhVl9iA6ibKOTtWF465Lag1AacZA7BEVsAB6bTuYmdjAFtr:ejMEvl9iwbdtWF4eLJ1Aaje+AAuYmdjq
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba family
-
Glupteba payload 21 IoCs
resource yara_rule behavioral2/memory/2492-2-0x0000000002E30000-0x0000000003757000-memory.dmp family_glupteba behavioral2/memory/2492-3-0x0000000000400000-0x0000000000D42000-memory.dmp family_glupteba behavioral2/memory/2492-6-0x0000000002E30000-0x0000000003757000-memory.dmp family_glupteba behavioral2/memory/2492-5-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/2492-7-0x0000000000400000-0x0000000000D42000-memory.dmp family_glupteba behavioral2/memory/912-9-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/912-10-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/912-18-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-19-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-25-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-26-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-27-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-28-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-29-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-30-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-31-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-32-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-33-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-34-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-35-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba behavioral2/memory/1428-36-0x0000000000400000-0x0000000002583000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 464 netsh.exe -
Executes dropped EXE 2 IoCs
pid Process 1428 csrss.exe 2940 injector.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PurpleResonance = "\"C:\\Windows\\rss\\csrss.exe\"" JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\rss JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe File created C:\Windows\rss\csrss.exe JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Program crash 64 IoCs
pid pid_target Process procid_target 212 2492 WerFault.exe 81 4544 2492 WerFault.exe 81 5028 2492 WerFault.exe 81 3192 2492 WerFault.exe 81 4612 2492 WerFault.exe 81 5000 2492 WerFault.exe 81 4296 2492 WerFault.exe 81 3720 2492 WerFault.exe 81 4004 2492 WerFault.exe 81 2628 2492 WerFault.exe 81 220 2492 WerFault.exe 81 4212 2492 WerFault.exe 81 1248 2492 WerFault.exe 81 2192 2492 WerFault.exe 81 4784 2492 WerFault.exe 81 2176 2492 WerFault.exe 81 3832 2492 WerFault.exe 81 2760 2492 WerFault.exe 81 3552 2492 WerFault.exe 81 2208 2492 WerFault.exe 81 552 2492 WerFault.exe 81 3048 912 WerFault.exe 128 4576 912 WerFault.exe 128 3716 912 WerFault.exe 128 4976 912 WerFault.exe 128 4208 912 WerFault.exe 128 1744 912 WerFault.exe 128 4316 912 WerFault.exe 128 3120 912 WerFault.exe 128 5044 912 WerFault.exe 128 1420 912 WerFault.exe 128 1632 912 WerFault.exe 128 3612 912 WerFault.exe 128 4620 912 WerFault.exe 128 4644 912 WerFault.exe 128 2940 912 WerFault.exe 128 312 912 WerFault.exe 128 4028 912 WerFault.exe 128 212 912 WerFault.exe 128 3868 912 WerFault.exe 128 372 912 WerFault.exe 128 4004 1428 WerFault.exe 177 2628 1428 WerFault.exe 177 220 1428 WerFault.exe 177 3420 1428 WerFault.exe 177 1528 1428 WerFault.exe 177 1060 1428 WerFault.exe 177 3196 1428 WerFault.exe 177 2144 1428 WerFault.exe 177 4648 1428 WerFault.exe 177 744 1428 WerFault.exe 177 2208 1428 WerFault.exe 177 1452 1428 WerFault.exe 177 3444 1428 WerFault.exe 177 2764 1428 WerFault.exe 177 3972 1428 WerFault.exe 177 3096 1428 WerFault.exe 177 2360 1428 WerFault.exe 177 1744 1428 WerFault.exe 177 5108 1428 WerFault.exe 177 2580 1428 WerFault.exe 177 3544 1428 WerFault.exe 177 452 1428 WerFault.exe 177 804 1428 WerFault.exe 177 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe -
GoLang User-Agent 6 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 40 Go-http-client/1.1 HTTP User-Agent header 56 Go-http-client/1.1 HTTP User-Agent header 59 Go-http-client/1.1 HTTP User-Agent header 19 Go-http-client/1.1 HTTP User-Agent header 38 Go-http-client/1.1 HTTP User-Agent header 39 Go-http-client/1.1 -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" csrss.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4280 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2492 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 2492 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 1428 csrss.exe 1428 csrss.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe 2940 injector.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2492 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Token: SeImpersonatePrivilege 2492 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Token: SeSystemEnvironmentPrivilege 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe Token: SeSystemEnvironmentPrivilege 1428 csrss.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 912 wrote to memory of 2348 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 170 PID 912 wrote to memory of 2348 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 170 PID 2348 wrote to memory of 464 2348 cmd.exe 175 PID 2348 wrote to memory of 464 2348 cmd.exe 175 PID 912 wrote to memory of 1428 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 177 PID 912 wrote to memory of 1428 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 177 PID 912 wrote to memory of 1428 912 JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe 177 PID 1428 wrote to memory of 2940 1428 csrss.exe 225 PID 1428 wrote to memory of 2940 1428 csrss.exe 225 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 3322⤵
- Program crash
PID:212
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 3402⤵
- Program crash
PID:4544
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 3402⤵
- Program crash
PID:5028
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 6042⤵
- Program crash
PID:3192
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 6962⤵
- Program crash
PID:4612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 6962⤵
- Program crash
PID:5000
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 7242⤵
- Program crash
PID:4296
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 7522⤵
- Program crash
PID:3720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 7282⤵
- Program crash
PID:4004
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 7082⤵
- Program crash
PID:2628
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 7962⤵
- Program crash
PID:220
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 7962⤵
- Program crash
PID:4212
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 6202⤵
- Program crash
PID:1248
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 8882⤵
- Program crash
PID:2192
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 9002⤵
- Program crash
PID:4784
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 6162⤵
- Program crash
PID:2176
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 7842⤵
- Program crash
PID:3832
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 7802⤵
- Program crash
PID:2760
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 8842⤵
- Program crash
PID:3552
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 8002⤵
- Program crash
PID:2208
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 7362⤵
- Program crash
PID:552
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 2963⤵
- Program crash
PID:3048
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 3043⤵
- Program crash
PID:4576
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 3043⤵
- Program crash
PID:3716
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 6283⤵
- Program crash
PID:4976
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 6283⤵
- Program crash
PID:4208
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 6283⤵
- Program crash
PID:1744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 6283⤵
- Program crash
PID:4316
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 7243⤵
- Program crash
PID:3120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 7083⤵
- Program crash
PID:5044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 6083⤵
- Program crash
PID:1420
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 7123⤵
- Program crash
PID:1632
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 8043⤵
- Program crash
PID:3612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 8483⤵
- Program crash
PID:4620
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 9203⤵
- Program crash
PID:4644
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 9363⤵
- Program crash
PID:2940
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 8603⤵
- Program crash
PID:312
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 14363⤵
- Program crash
PID:4028
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 14283⤵
- Program crash
PID:212
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:464
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 14643⤵
- Program crash
PID:3868
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 14603⤵
- Program crash
PID:372
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /51-513⤵
- Executes dropped EXE
- Manipulates WinMonFS driver.
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 3324⤵
- Program crash
PID:4004
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 3404⤵
- Program crash
PID:2628
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 3604⤵
- Program crash
PID:220
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 6644⤵
- Program crash
PID:3420
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 6644⤵
- Program crash
PID:1528
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 6644⤵
- Program crash
PID:1060
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 6644⤵
- Program crash
PID:3196
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 7284⤵
- Program crash
PID:2144
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 7524⤵
- Program crash
PID:4648
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 6164⤵
- Program crash
PID:744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 7404⤵
- Program crash
PID:2208
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 7684⤵
- Program crash
PID:1452
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Scheduled Task/Job: Scheduled Task
PID:4280
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 7444⤵
- Program crash
PID:3444
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 8964⤵
- Program crash
PID:2764
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 9324⤵
- Program crash
PID:3972
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 9684⤵
- Program crash
PID:3096
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 9804⤵
- Program crash
PID:2360
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 9684⤵
- Program crash
PID:1744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 15124⤵
- Program crash
PID:5108
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 15244⤵
- Program crash
PID:2580
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 16164⤵
- Program crash
PID:3544
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 16324⤵
- Program crash
PID:452
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2940
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 16284⤵
- Program crash
PID:804
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 14604⤵PID:2052
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 15044⤵PID:4008
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 14564⤵PID:5028
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 14604⤵PID:744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 17124⤵PID:3128
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2492 -ip 24921⤵PID:1724
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2492 -ip 24921⤵PID:4196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 24921⤵PID:4884
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2492 -ip 24921⤵PID:2672
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2492 -ip 24921⤵PID:1376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2492 -ip 24921⤵PID:372
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2492 -ip 24921⤵PID:1124
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2492 -ip 24921⤵PID:4676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 24921⤵PID:4060
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2492 -ip 24921⤵PID:3764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2492 -ip 24921⤵PID:1708
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 24921⤵PID:1712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2492 -ip 24921⤵PID:4860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2492 -ip 24921⤵PID:5080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2492 -ip 24921⤵PID:4416
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 24921⤵PID:4568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2492 -ip 24921⤵PID:4944
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 24921⤵PID:1584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 24921⤵PID:660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2492 -ip 24921⤵PID:4852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2492 -ip 24921⤵PID:2744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 912 -ip 9121⤵PID:768
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 912 -ip 9121⤵PID:4424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 912 -ip 9121⤵PID:2764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 912 -ip 9121⤵PID:4524
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 912 -ip 9121⤵PID:2560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 912 -ip 9121⤵PID:4988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 912 -ip 9121⤵PID:2088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 9121⤵PID:2320
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 912 -ip 9121⤵PID:4960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 912 -ip 9121⤵PID:1960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 912 -ip 9121⤵PID:3524
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 912 -ip 9121⤵PID:1560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 912 -ip 9121⤵PID:1728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 912 -ip 9121⤵PID:3904
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 912 -ip 9121⤵PID:3792
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 912 -ip 9121⤵PID:3564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 9121⤵PID:868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 912 -ip 9121⤵PID:832
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 912 -ip 9121⤵PID:408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 912 -ip 9121⤵PID:1376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 14281⤵PID:3536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1428 -ip 14281⤵PID:3764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 14281⤵PID:1708
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1428 -ip 14281⤵PID:4112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 14281⤵PID:4444
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1428 -ip 14281⤵PID:3776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1428 -ip 14281⤵PID:4784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1428 -ip 14281⤵PID:928
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1428 -ip 14281⤵PID:3980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1428 -ip 14281⤵PID:3496
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1428 -ip 14281⤵PID:3680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1428 -ip 14281⤵PID:552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1428 -ip 14281⤵PID:2276
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1428 -ip 14281⤵PID:4576
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1428 -ip 14281⤵PID:1700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1428 -ip 14281⤵PID:1836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1428 -ip 14281⤵PID:1948
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1428 -ip 14281⤵PID:428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1428 -ip 14281⤵PID:3120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1428 -ip 14281⤵PID:3464
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1428 -ip 14281⤵PID:4656
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 14281⤵PID:1660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1428 -ip 14281⤵PID:3304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1428 -ip 14281⤵PID:4176
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1428 -ip 14281⤵PID:1576
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 14281⤵PID:4544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 14281⤵PID:3552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 14281⤵PID:384
Network
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request136.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesthumisnee.comIN AResponsehumisnee.comIN A37.48.65.149
-
DNSsurvey-smiles.comJaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exeRemote address:8.8.8.8:53Requestsurvey-smiles.comIN AResponsesurvey-smiles.comIN A199.59.243.227
-
GEThttp://survey-smiles.com/JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exeRemote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: survey-smiles.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: e69ddbba-6d86-4c57-be7f-c4188c78febb
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GSbXHjSyM4GBXh+TDdQi5Ch6arC3xeKj8KkRwOq4qrqrlRcvBA0AmkBJ57Iam4tUGtRHYm5e3uPQsAB9Z6SRbg==
set-cookie: parking_session=e69ddbba-6d86-4c57-be7f-c4188c78febb; expires=Fri, 27 Dec 2024 00:15:21 GMT; path=/
-
Remote address:8.8.8.8:53Request149.65.48.37.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request227.243.59.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestninhaine.comIN TXTResponse
-
Remote address:8.8.8.8:53Request2makestorage.comIN TXTResponse
-
Remote address:8.8.8.8:53Request2makestorage.comIN TXT
-
Remote address:8.8.8.8:53Requestnisdably.comIN TXTResponsenisdably.comIN TXT.v=spf1 include:_incspfcheck.mailspike.net ?all
-
Remote address:8.8.8.8:53Request39dbf1c9-00f7-4017-81ad-15747890045a.ninhaine.comIN TXTResponse
-
Remote address:8.8.8.8:53Requestserver5.ninhaine.comIN AResponseserver5.ninhaine.comIN A46.8.9.145
-
Remote address:8.8.8.8:53Request145.9.8.46.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestww82.ninhaine.comIN AResponseww82.ninhaine.comIN CNAME63214.bodis.com63214.bodis.comIN A199.59.243.227
-
Remote address:8.8.8.8:53Requestww53.ninhaine.comIN AResponseww53.ninhaine.comIN CNAMEg87442272.c.giantpanda.comg87442272.c.giantpanda.comIN A172.104.251.198g87442272.c.giantpanda.comIN A172.104.149.86g87442272.c.giantpanda.comIN A139.162.181.76
-
Remote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: 3850da07-2ee3-4783-a911-cbd63d27ae66
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
set-cookie: parking_session=3850da07-2ee3-4783-a911-cbd63d27ae66; expires=Fri, 27 Dec 2024 00:15:31 GMT; path=/
-
Remote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.2.14
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: 9a7143bd-827b-4d51-9ca1-6f56d44af7c9
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ejMXHwXvX7+aVx6NPJH5ipT/oHvgZg1ybBIuGiWiqhwH+P67oGvjrYbzo0bFbk0y7/updtU3k0oKdt48FMS8yg==
set-cookie: parking_session=9a7143bd-827b-4d51-9ca1-6f56d44af7c9; expires=Fri, 27 Dec 2024 00:15:35 GMT; path=/
-
Remote address:172.104.251.198:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 00:00:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=8a02c2d05f4109ad3b764853e057b974; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:31 GMT
Content-Encoding: gzip
-
Remote address:172.104.251.198:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 00:00:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=3a3d24e561d1ea48d4d327875ee13326; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:31 GMT
Content-Encoding: gzip
-
Remote address:8.8.8.8:53Request198.251.104.172.in-addr.arpaIN PTRResponse198.251.104.172.in-addr.arpaIN PTR172-104-251-198iplinodeusercontentcom
-
Remote address:8.8.8.8:53Requestspolaect.infoIN AResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request107.12.20.2.in-addr.arpaIN PTRResponse107.12.20.2.in-addr.arpaIN PTRa2-20-12-107deploystaticakamaitechnologiescom
-
Remote address:172.104.251.198:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 00:00:41 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=8d684c08579dadc444751a0124e06b23; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:41 GMT
Content-Encoding: gzip
-
Remote address:172.104.251.198:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 00:00:42 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=f12382b9d8faf519db36eb6070b35fde; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:42 GMT
Content-Encoding: gzip
-
Remote address:172.104.251.198:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 00:00:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=c77ff42ff0ef0a58676c02e72576c579; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:48 GMT
Content-Encoding: gzip
-
Remote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: 4fa68281-5a93-4009-ba76-1f488c5ec556
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rMdlG4llKTVStELUNxzB/mmJKkI6ZNoCSC0wBMfjFwiJFX+ro9hXjIQENE6s0AhnqTMupVKBZ7wH6GwQ8mMBbg==
set-cookie: parking_session=4fa68281-5a93-4009-ba76-1f488c5ec556; expires=Fri, 27 Dec 2024 00:15:54 GMT; path=/
-
Remote address:172.104.251.198:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 00:01:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=19307797cff519c4e51d4df2526b74f9; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:01:00 GMT
Content-Encoding: gzip
-
Remote address:8.8.8.8:53Request31.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:172.104.251.198:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 00:02:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=4c1447abfad10cd9ea9fed4e7d9638fb; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:02:12 GMT
Content-Encoding: gzip
-
37.48.65.149:443humisnee.comtlsJaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe1.4kB 3.8kB 13 10
-
199.59.243.227:80http://survey-smiles.com/httpJaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe533 B 2.3kB 8 5
HTTP Request
GET http://survey-smiles.com/HTTP Response
200 -
16.8kB 5.7kB 54 44
-
876 B 3.5kB 11 8
-
934 B 3.6kB 12 9
-
788 B 4.6kB 10 10
HTTP Request
GET http://ww82.ninhaine.com/HTTP Response
200HTTP Request
GET http://ww82.ninhaine.com/HTTP Response
200 -
423 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200 -
421 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200 -
711 B 2.8kB 9 6
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200 -
477 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200 -
529 B 2.4kB 7 7
HTTP Request
GET http://ww82.ninhaine.com/HTTP Response
200 -
423 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200 -
2.1kB 4.1kB 17 16
-
475 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
136.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
8.8.8.8:53humisnee.comdnsJaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe58 B 74 B 1 1
DNS Request
humisnee.com
DNS Response
37.48.65.149
-
8.8.8.8:53survey-smiles.comdnsJaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe63 B 79 B 1 1
DNS Request
survey-smiles.com
DNS Response
199.59.243.227
-
71 B 134 B 1 1
DNS Request
149.65.48.37.in-addr.arpa
-
73 B 131 B 1 1
DNS Request
227.243.59.199.in-addr.arpa
-
58 B 58 B 1 1
DNS Request
ninhaine.com
-
124 B 135 B 2 1
DNS Request
2makestorage.com
DNS Request
2makestorage.com
-
58 B 117 B 1 1
DNS Request
nisdably.com
-
95 B 95 B 1 1
DNS Request
39dbf1c9-00f7-4017-81ad-15747890045a.ninhaine.com
-
66 B 82 B 1 1
DNS Request
server5.ninhaine.com
DNS Response
46.8.9.145
-
69 B 129 B 1 1
DNS Request
145.9.8.46.in-addr.arpa
-
63 B 105 B 1 1
DNS Request
ww82.ninhaine.com
DNS Response
199.59.243.227
-
63 B 148 B 1 1
DNS Request
ww53.ninhaine.com
DNS Response
172.104.251.198172.104.149.86139.162.181.76
-
74 B 128 B 1 1
DNS Request
198.251.104.172.in-addr.arpa
-
59 B 138 B 1 1
DNS Request
spolaect.info
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
107.12.20.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
31.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
4.4MB
MD5e8b0090bafd4bbbbedba76ed83d27c21
SHA16614977c2de9096b837f072aa942866fe9b0af58
SHA256526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3
SHA512541b39478b92dfb0f4753e037d3f87b90dc5b420a2dcb0d189f45efabcc5979af48a6fe856577229be490e4e001c4f0f7dad0c26ca9ff63665fbe04d43ab809b