Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2024, 02:31 UTC

General

  • Target

    JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe

  • Size

    4.4MB

  • MD5

    7e05243e5366e7dd5e72b367fa2f7d20

  • SHA1

    cde5303f29552e97b308b1898220f2338658cc29

  • SHA256

    ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78

  • SHA512

    554c17908c53007527caba33bbad86078047f6a4cb40111eb28fd63a6afbe00c3adb452342741ed68f002de0afea7909594893e9191161e706efa091f88aa9f4

  • SSDEEP

    98304:55IR4k5sITlHARZVDufSU7Gyl3OaoG7zqjRuZCb7lnO:55q4kSI1e7k7Gyl3CYo3XY

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 20 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • GoLang User-Agent 4 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1036
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:320
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe /51-51
        3⤵
        • Executes dropped EXE
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4256
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2284
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 772
      2⤵
      • Program crash
      PID:2300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1036 -ip 1036
    1⤵
      PID:4808

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.210.23.2.in-addr.arpa
      IN PTR
      Response
      88.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-88.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      humisnee.com
      JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
      Remote address:
      8.8.8.8:53
      Request
      humisnee.com
      IN A
      Response
      humisnee.com
      IN A
      185.107.56.197
    • flag-us
      DNS
      survey-smiles.com
      JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
      Remote address:
      8.8.8.8:53
      Request
      survey-smiles.com
      IN A
      Response
      survey-smiles.com
      IN A
      199.59.243.227
    • flag-us
      GET
      http://survey-smiles.com/
      JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
      Remote address:
      199.59.243.227:80
      Request
      GET / HTTP/1.1
      Host: survey-smiles.com
      User-Agent: Go-http-client/1.1
      Content-Type: application/x-www-form-urlencoded
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      date: Mon, 30 Dec 2024 02:31:09 GMT
      content-type: text/html; charset=utf-8
      content-length: 1054
      x-request-id: 25c45636-80cf-44b5-83b4-3fe481abfd32
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GSbXHjSyM4GBXh+TDdQi5Ch6arC3xeKj8KkRwOq4qrqrlRcvBA0AmkBJ57Iam4tUGtRHYm5e3uPQsAB9Z6SRbg==
      set-cookie: parking_session=25c45636-80cf-44b5-83b4-3fe481abfd32; expires=Mon, 30 Dec 2024 02:46:09 GMT; path=/
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      67.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      197.56.107.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      197.56.107.185.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      ninhaine.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      ninhaine.com
      IN TXT
      Response
    • flag-us
      DNS
      227.243.59.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      227.243.59.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      2makestorage.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      2makestorage.com
      IN TXT
      Response
    • flag-us
      DNS
      nisdably.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      nisdably.com
      IN TXT
      Response
      nisdably.com
      IN TXT
      .v=spf1 include:_incspfcheck.mailspike.net ?all
    • flag-us
      DNS
      2c081dd8-162b-4e9e-b71b-30ccc89eb92f.ninhaine.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      2c081dd8-162b-4e9e-b71b-30ccc89eb92f.ninhaine.com
      IN TXT
      Response
    • flag-us
      DNS
      server12.ninhaine.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server12.ninhaine.com
      IN A
      Response
      server12.ninhaine.com
      IN A
      46.8.8.145
    • flag-us
      DNS
      ww82.ninhaine.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      ww82.ninhaine.com
      IN A
      Response
      ww82.ninhaine.com
      IN CNAME
      63214.bodis.com
      63214.bodis.com
      IN A
      199.59.243.227
    • flag-us
      DNS
      ww53.ninhaine.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      ww53.ninhaine.com
      IN A
      Response
      ww53.ninhaine.com
      IN CNAME
      g87442272.c.giantpanda.com
      g87442272.c.giantpanda.com
      IN A
      172.104.251.198
      g87442272.c.giantpanda.com
      IN A
      172.104.149.86
      g87442272.c.giantpanda.com
      IN A
      139.162.181.76
    • flag-us
      GET
      http://ww82.ninhaine.com/
      csrss.exe
      Remote address:
      199.59.243.227:80
      Request
      GET / HTTP/1.1
      Host: ww82.ninhaine.com
      User-Agent: Go-http-client/1.1
      Content-Type: application/x-www-form-urlencoded
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      date: Mon, 30 Dec 2024 02:31:11 GMT
      content-type: text/html; charset=utf-8
      content-length: 1054
      x-request-id: 96d8db60-44b3-4c0d-abdf-fa6d545ca8e5
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
      set-cookie: parking_session=96d8db60-44b3-4c0d-abdf-fa6d545ca8e5; expires=Mon, 30 Dec 2024 02:46:11 GMT; path=/
    • flag-us
      GET
      http://ww82.ninhaine.com/
      csrss.exe
      Remote address:
      199.59.243.227:80
      Request
      GET / HTTP/1.1
      Host: ww82.ninhaine.com
      User-Agent: Go-http-client/1.1
      Content-Type: application/x-www-form-urlencoded
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      date: Mon, 30 Dec 2024 02:31:10 GMT
      content-type: text/html; charset=utf-8
      content-length: 1054
      x-request-id: 0d2e84b2-6b47-49ac-bb0a-45e2f70ee462
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
      set-cookie: parking_session=0d2e84b2-6b47-49ac-bb0a-45e2f70ee462; expires=Mon, 30 Dec 2024 02:46:11 GMT; path=/
    • flag-us
      GET
      http://ww82.ninhaine.com/
      csrss.exe
      Remote address:
      199.59.243.227:80
      Request
      GET / HTTP/1.1
      Host: ww82.ninhaine.com
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      date: Mon, 30 Dec 2024 02:31:15 GMT
      content-type: text/html; charset=utf-8
      content-length: 1054
      x-request-id: fb324ad2-d41f-497b-bf4e-88b2913d748d
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PckhyWytQcOrXDTtrazgXqEQjYXTFpRe6gZ71FEZbCyWStUmU09reEH3h+S7Dec1xbCfnmy3rh0bu0MILYQw4A==
      set-cookie: parking_session=fb324ad2-d41f-497b-bf4e-88b2913d748d; expires=Mon, 30 Dec 2024 02:46:16 GMT; path=/
    • flag-us
      GET
      http://ww82.ninhaine.com/
      csrss.exe
      Remote address:
      199.59.243.227:80
      Request
      GET / HTTP/1.1
      Host: ww82.ninhaine.com
      User-Agent: Go-http-client/1.1
      Content-Type: application/x-www-form-urlencoded
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      date: Mon, 30 Dec 2024 02:31:16 GMT
      content-type: text/html; charset=utf-8
      content-length: 1054
      x-request-id: 8bfb3c0f-5f56-494c-80f7-d8ce8f712f00
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
      set-cookie: parking_session=8bfb3c0f-5f56-494c-80f7-d8ce8f712f00; expires=Mon, 30 Dec 2024 02:46:17 GMT; path=/
    • flag-us
      GET
      http://ww82.ninhaine.com/
      csrss.exe
      Remote address:
      199.59.243.227:80
      Request
      GET / HTTP/1.1
      Host: ww82.ninhaine.com
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      date: Mon, 30 Dec 2024 02:31:17 GMT
      content-type: text/html; charset=utf-8
      content-length: 1054
      x-request-id: 0778e8c8-637f-47f2-ac88-ca71f56a5dfe
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DFHN9ahGhrXz4PRY+X6GGYca7/Wh0w6wfUxFVQwTnPzH1JjoF6yMBAHqtr+ezjR7X7ai5e9SB2b/kcCoqH7oug==
      set-cookie: parking_session=0778e8c8-637f-47f2-ac88-ca71f56a5dfe; expires=Mon, 30 Dec 2024 02:46:17 GMT; path=/
    • flag-us
      GET
      http://ww82.ninhaine.com/
      csrss.exe
      Remote address:
      199.59.243.227:80
      Request
      GET / HTTP/1.1
      Host: ww82.ninhaine.com
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      date: Mon, 30 Dec 2024 02:31:21 GMT
      content-type: text/html; charset=utf-8
      content-length: 1054
      x-request-id: a42e86b6-472f-4d86-b53a-a392043cbf09
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_P+ye3PJCFABRY/b5Mgs6rsaCxvawENbrM8ofT1ihVRz6RhsI9L6zWKKwnDoTYxBfxCPAEA1x+p/ffiRDPGhiVg==
      set-cookie: parking_session=a42e86b6-472f-4d86-b53a-a392043cbf09; expires=Mon, 30 Dec 2024 02:46:21 GMT; path=/
    • flag-us
      GET
      http://ww82.ninhaine.com/
      csrss.exe
      Remote address:
      199.59.243.227:80
      Request
      GET / HTTP/1.1
      Host: ww82.ninhaine.com
      User-Agent: Go-http-client/1.1
      Content-Type: application/x-www-form-urlencoded
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      date: Mon, 30 Dec 2024 02:31:20 GMT
      content-type: text/html; charset=utf-8
      content-length: 1054
      x-request-id: 5dcce91b-056c-44e9-9c9e-1a82fae19a5e
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
      set-cookie: parking_session=5dcce91b-056c-44e9-9c9e-1a82fae19a5e; expires=Mon, 30 Dec 2024 02:46:21 GMT; path=/
    • flag-de
      GET
      http://ww53.ninhaine.com/
      csrss.exe
      Remote address:
      172.104.251.198:80
      Request
      GET / HTTP/1.1
      Host: ww53.ninhaine.com
      User-Agent: Go-http-client/1.1
      Content-Type: application/json; charset=UTF-8
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Server: openresty/1.27.1.1
      Date: Mon, 30 Dec 2024 02:31:12 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      Set-Cookie: session_id=610231c33a534be48c6e3d6ba0621041; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 02:31:12 GMT
      Content-Encoding: gzip
    • flag-us
      DNS
      145.8.8.46.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      145.8.8.46.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.251.104.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.251.104.172.in-addr.arpa
      IN PTR
      Response
      198.251.104.172.in-addr.arpa
      IN PTR
      172-104-251-198.ip.linodeusercontent.com
    • flag-us
      DNS
      spolaect.info
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      spolaect.info
      IN A
      Response
    • flag-de
      GET
      http://ww53.ninhaine.com/
      csrss.exe
      Remote address:
      172.104.251.198:80
      Request
      GET / HTTP/1.1
      Host: ww53.ninhaine.com
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Server: openresty/1.27.1.1
      Date: Mon, 30 Dec 2024 02:31:20 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      Set-Cookie: session_id=45be7343ccaede55a1533279215ba502; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 02:31:20 GMT
      Content-Encoding: gzip
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.135.221.88.in-addr.arpa
      IN PTR
      Response
      217.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-217.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-de
      GET
      http://ww53.ninhaine.com/
      csrss.exe
      Remote address:
      172.104.251.198:80
      Request
      GET / HTTP/1.1
      Host: ww53.ninhaine.com
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Server: openresty/1.27.1.1
      Date: Mon, 30 Dec 2024 02:32:35 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      Set-Cookie: session_id=9d70c14df251e13e36f470fc8fda32e8; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 02:32:35 GMT
      Content-Encoding: gzip
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      server12.2makestorage.com
      Remote address:
      8.8.8.8:53
      Request
      server12.2makestorage.com
      IN A
      Response
    • flag-us
      DNS
      1.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      1.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 185.107.56.197:443
      humisnee.com
      tls
      JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
      1.4kB
      3.8kB
      13
      10
    • 199.59.243.227:80
      http://survey-smiles.com/
      http
      JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
      429 B
      2.3kB
      6
      5

      HTTP Request

      GET http://survey-smiles.com/

      HTTP Response

      200
    • 46.8.8.145:443
      server12.ninhaine.com
      tls
      csrss.exe
      16.5kB
      5.6kB
      53
      43
    • 46.8.8.145:443
      server12.ninhaine.com
      tls
      csrss.exe
      785 B
      3.5kB
      9
      8
    • 46.8.8.145:443
      server12.ninhaine.com
      tls
      csrss.exe
      785 B
      3.5kB
      9
      8
    • 199.59.243.227:80
      http://ww82.ninhaine.com/
      http
      csrss.exe
      475 B
      2.4kB
      7
      7

      HTTP Request

      GET http://ww82.ninhaine.com/

      HTTP Response

      200
    • 199.59.243.227:80
      http://ww82.ninhaine.com/
      http
      csrss.exe
      2.1kB
      13.4kB
      22
      22

      HTTP Request

      GET http://ww82.ninhaine.com/

      HTTP Response

      200

      HTTP Request

      GET http://ww82.ninhaine.com/

      HTTP Response

      200

      HTTP Request

      GET http://ww82.ninhaine.com/

      HTTP Response

      200

      HTTP Request

      GET http://ww82.ninhaine.com/

      HTTP Response

      200

      HTTP Request

      GET http://ww82.ninhaine.com/

      HTTP Response

      200

      HTTP Request

      GET http://ww82.ninhaine.com/

      HTTP Response

      200
    • 172.104.251.198:80
      http://ww53.ninhaine.com/
      http
      csrss.exe
      473 B
      1.5kB
      7
      5

      HTTP Request

      GET http://ww53.ninhaine.com/

      HTTP Response

      200
    • 172.104.251.198:80
      http://ww53.ninhaine.com/
      http
      csrss.exe
      529 B
      1.5kB
      7
      5

      HTTP Request

      GET http://ww53.ninhaine.com/

      HTTP Response

      200
    • 46.8.8.145:443
      server12.ninhaine.com
      tls
      csrss.exe
      2.1kB
      4.0kB
      16
      16
    • 172.104.251.198:80
      http://ww53.ninhaine.com/
      http
      csrss.exe
      470 B
      1.5kB
      6
      5

      HTTP Request

      GET http://ww53.ninhaine.com/

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      88.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      88.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      humisnee.com
      dns
      JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
      58 B
      74 B
      1
      1

      DNS Request

      humisnee.com

      DNS Response

      185.107.56.197

    • 8.8.8.8:53
      survey-smiles.com
      dns
      JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
      63 B
      79 B
      1
      1

      DNS Request

      survey-smiles.com

      DNS Response

      199.59.243.227

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      67.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      67.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      197.56.107.185.in-addr.arpa
      dns
      73 B
      134 B
      1
      1

      DNS Request

      197.56.107.185.in-addr.arpa

    • 8.8.8.8:53
      ninhaine.com
      dns
      csrss.exe
      58 B
      58 B
      1
      1

      DNS Request

      ninhaine.com

    • 8.8.8.8:53
      227.243.59.199.in-addr.arpa
      dns
      73 B
      131 B
      1
      1

      DNS Request

      227.243.59.199.in-addr.arpa

    • 8.8.8.8:53
      2makestorage.com
      dns
      csrss.exe
      62 B
      135 B
      1
      1

      DNS Request

      2makestorage.com

    • 8.8.8.8:53
      nisdably.com
      dns
      csrss.exe
      58 B
      117 B
      1
      1

      DNS Request

      nisdably.com

    • 8.8.8.8:53
      2c081dd8-162b-4e9e-b71b-30ccc89eb92f.ninhaine.com
      dns
      csrss.exe
      95 B
      95 B
      1
      1

      DNS Request

      2c081dd8-162b-4e9e-b71b-30ccc89eb92f.ninhaine.com

    • 8.8.8.8:53
      server12.ninhaine.com
      dns
      csrss.exe
      67 B
      83 B
      1
      1

      DNS Request

      server12.ninhaine.com

      DNS Response

      46.8.8.145

    • 8.8.8.8:53
      ww82.ninhaine.com
      dns
      csrss.exe
      63 B
      105 B
      1
      1

      DNS Request

      ww82.ninhaine.com

      DNS Response

      199.59.243.227

    • 8.8.8.8:53
      ww53.ninhaine.com
      dns
      csrss.exe
      63 B
      148 B
      1
      1

      DNS Request

      ww53.ninhaine.com

      DNS Response

      172.104.251.198
      172.104.149.86
      139.162.181.76

    • 8.8.8.8:53
      145.8.8.46.in-addr.arpa
      dns
      69 B
      129 B
      1
      1

      DNS Request

      145.8.8.46.in-addr.arpa

    • 8.8.8.8:53
      198.251.104.172.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      198.251.104.172.in-addr.arpa

    • 8.8.8.8:53
      spolaect.info
      dns
      csrss.exe
      59 B
      138 B
      1
      1

      DNS Request

      spolaect.info

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      217.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      217.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      19.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      server12.2makestorage.com
      dns
      71 B
      144 B
      1
      1

      DNS Request

      server12.2makestorage.com

    • 8.8.8.8:53
      1.173.189.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      1.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Windows\rss\csrss.exe

      Filesize

      4.4MB

      MD5

      7e05243e5366e7dd5e72b367fa2f7d20

      SHA1

      cde5303f29552e97b308b1898220f2338658cc29

      SHA256

      ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78

      SHA512

      554c17908c53007527caba33bbad86078047f6a4cb40111eb28fd63a6afbe00c3adb452342741ed68f002de0afea7909594893e9191161e706efa091f88aa9f4

    • memory/1036-2-0x00000000048F0000-0x000000000520E000-memory.dmp

      Filesize

      9.1MB

    • memory/1036-3-0x0000000000400000-0x0000000000D39000-memory.dmp

      Filesize

      9.2MB

    • memory/1036-7-0x00000000048F0000-0x000000000520E000-memory.dmp

      Filesize

      9.1MB

    • memory/1036-5-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/1036-6-0x0000000000400000-0x0000000000D39000-memory.dmp

      Filesize

      9.2MB

    • memory/1036-1-0x00000000044A0000-0x00000000048E2000-memory.dmp

      Filesize

      4.3MB

    • memory/2400-8-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/2400-9-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/2400-15-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/2400-10-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-27-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-29-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-24-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-25-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-26-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-17-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-28-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-23-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-30-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-31-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-32-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-33-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-34-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB

    • memory/4256-35-0x0000000000400000-0x000000000257E000-memory.dmp

      Filesize

      33.5MB
