Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 02:31
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe
-
Size
4.4MB
-
MD5
7e05243e5366e7dd5e72b367fa2f7d20
-
SHA1
cde5303f29552e97b308b1898220f2338658cc29
-
SHA256
ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78
-
SHA512
554c17908c53007527caba33bbad86078047f6a4cb40111eb28fd63a6afbe00c3adb452342741ed68f002de0afea7909594893e9191161e706efa091f88aa9f4
-
SSDEEP
98304:55IR4k5sITlHARZVDufSU7Gyl3OaoG7zqjRuZCb7lnO:55q4kSI1e7k7Gyl3CYo3XY
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba family
-
Glupteba payload 20 IoCs
resource yara_rule behavioral2/memory/1036-2-0x00000000048F0000-0x000000000520E000-memory.dmp family_glupteba behavioral2/memory/1036-3-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1036-7-0x00000000048F0000-0x000000000520E000-memory.dmp family_glupteba behavioral2/memory/1036-5-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/1036-6-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/2400-9-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/2400-10-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/2400-15-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-17-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-23-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-24-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-25-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-26-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-27-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-28-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-29-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-30-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-31-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-32-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba behavioral2/memory/4256-33-0x0000000000400000-0x000000000257E000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 320 netsh.exe -
Executes dropped EXE 2 IoCs
pid Process 4256 csrss.exe 1888 injector.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LittleSky = "\"C:\\Windows\\rss\\csrss.exe\"" JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rss\csrss.exe JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe File opened for modification C:\Windows\rss JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2300 1036 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe -
GoLang User-Agent 4 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 15 Go-http-client/1.1 HTTP User-Agent header 30 Go-http-client/1.1 HTTP User-Agent header 31 Go-http-client/1.1 HTTP User-Agent header 32 Go-http-client/1.1 -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2284 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1036 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 1036 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 4256 csrss.exe 4256 csrss.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe 1888 injector.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1036 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Token: SeImpersonatePrivilege 1036 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Token: SeSystemEnvironmentPrivilege 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe Token: SeSystemEnvironmentPrivilege 4256 csrss.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2400 wrote to memory of 1380 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 91 PID 2400 wrote to memory of 1380 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 91 PID 1380 wrote to memory of 320 1380 cmd.exe 93 PID 1380 wrote to memory of 320 1380 cmd.exe 93 PID 2400 wrote to memory of 4256 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 94 PID 2400 wrote to memory of 4256 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 94 PID 2400 wrote to memory of 4256 2400 JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe 94 PID 4256 wrote to memory of 1888 4256 csrss.exe 108 PID 4256 wrote to memory of 1888 4256 csrss.exe 108 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:320
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /51-513⤵
- Executes dropped EXE
- Manipulates WinMonFS driver.
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Scheduled Task/Job: Scheduled Task
PID:2284
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1888
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 7722⤵
- Program crash
PID:2300
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1036 -ip 10361⤵PID:4808
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
4.4MB
MD57e05243e5366e7dd5e72b367fa2f7d20
SHA1cde5303f29552e97b308b1898220f2338658cc29
SHA256ccfc3cd1e73d1ce7d728efa4850f5d410a36f7447ca72d617a19d6448732bc78
SHA512554c17908c53007527caba33bbad86078047f6a4cb40111eb28fd63a6afbe00c3adb452342741ed68f002de0afea7909594893e9191161e706efa091f88aa9f4