Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2024, 06:20 UTC

General

  • Target

    JaffaCakes118_ccd141435759e216256e1095c0013328c87b0dc002668a5151c343d4990dcc58.exe

  • Size

    4.3MB

  • MD5

    00bb034d2d309e191e7e3f9b11f1033c

  • SHA1

    02179d91671d3164955b55532b14a3a3c86a8455

  • SHA256

    ccd141435759e216256e1095c0013328c87b0dc002668a5151c343d4990dcc58

  • SHA512

    d65242442eefaff36d0ef554ac4c761d3f7bc3477d7f65348a2cdddcd18fffd313ce5bb5e0211693cdf0c85031650d48265b007a1663c7a9df1c535e4a60cdfb

  • SSDEEP

    98304:erNQups5Z8/GuXmKxbZIn1pXDc5hQnp4QKk3AQ:kQupkk28onAhUp28d

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 20 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccd141435759e216256e1095c0013328c87b0dc002668a5151c343d4990dcc58.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccd141435759e216256e1095c0013328c87b0dc002668a5151c343d4990dcc58.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccd141435759e216256e1095c0013328c87b0dc002668a5151c343d4990dcc58.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccd141435759e216256e1095c0013328c87b0dc002668a5151c343d4990dcc58.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:996
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:3004
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe /301-301
        3⤵
        • Executes dropped EXE
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4980
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:4864
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2016

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.210.23.2.in-addr.arpa
      IN PTR
      Response
      88.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-88.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      68.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      68.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      trumops.com
      IN TXT
      Response
      trumops.com
      IN TXT
      .v=spf1 include:_incspfcheck.mailspike.net ?all
    • flag-us
      DNS
      retoti.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      retoti.com
      IN TXT
      Response
      retoti.com
      IN TXT
      .v=spf1 include:_incspfcheck.mailspike.net ?all
    • flag-us
      DNS
      logs.trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      logs.trumops.com
      IN TXT
      Response
    • flag-us
      DNS
      logs.retoti.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      logs.retoti.com
      IN TXT
      Response
    • flag-us
      DNS
      0225c61c-8000-4323-a624-b14c62958223.uuid.trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      0225c61c-8000-4323-a624-b14c62958223.uuid.trumops.com
      IN TXT
      Response
    • flag-us
      DNS
      server3.trumops.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server3.trumops.com
      IN A
      Response
      server3.trumops.com
      IN A
      44.221.84.105
    • flag-us
      DNS
      105.84.221.44.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      105.84.221.44.in-addr.arpa
      IN PTR
      Response
      105.84.221.44.in-addr.arpa
      IN PTR
      ec2-44-221-84-105.compute-1.amazonaws.com
    • flag-us
      DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
      Response
      18.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-18.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      181.129.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      181.129.81.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • 44.221.84.105:443
      server3.trumops.com
      tls
      csrss.exe
      14.6kB
      9.5kB
      30
      21
    • 44.221.84.105:443
      server3.trumops.com
      tls
      csrss.exe
      1.9kB
      5.5kB
      13
      12
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      88.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      88.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      68.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      68.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      trumops.com
      dns
      csrss.exe
      57 B
      116 B
      1
      1

      DNS Request

      trumops.com

    • 8.8.8.8:53
      retoti.com
      dns
      csrss.exe
      56 B
      115 B
      1
      1

      DNS Request

      retoti.com

    • 8.8.8.8:53
      logs.trumops.com
      dns
      csrss.exe
      62 B
      121 B
      1
      1

      DNS Request

      logs.trumops.com

    • 8.8.8.8:53
      logs.retoti.com
      dns
      csrss.exe
      61 B
      120 B
      1
      1

      DNS Request

      logs.retoti.com

    • 8.8.8.8:53
      0225c61c-8000-4323-a624-b14c62958223.uuid.trumops.com
      dns
      csrss.exe
      99 B
      158 B
      1
      1

      DNS Request

      0225c61c-8000-4323-a624-b14c62958223.uuid.trumops.com

    • 8.8.8.8:53
      server3.trumops.com
      dns
      csrss.exe
      65 B
      81 B
      1
      1

      DNS Request

      server3.trumops.com

      DNS Response

      44.221.84.105

    • 8.8.8.8:53
      105.84.221.44.in-addr.arpa
      dns
      72 B
      127 B
      1
      1

      DNS Request

      105.84.221.44.in-addr.arpa

    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      18.134.221.88.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      18.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      181.129.81.91.in-addr.arpa
      dns
      72 B
      147 B
      1
      1

      DNS Request

      181.129.81.91.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      19.229.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Windows\rss\csrss.exe

      Filesize

      4.3MB

      MD5

      00bb034d2d309e191e7e3f9b11f1033c

      SHA1

      02179d91671d3164955b55532b14a3a3c86a8455

      SHA256

      ccd141435759e216256e1095c0013328c87b0dc002668a5151c343d4990dcc58

      SHA512

      d65242442eefaff36d0ef554ac4c761d3f7bc3477d7f65348a2cdddcd18fffd313ce5bb5e0211693cdf0c85031650d48265b007a1663c7a9df1c535e4a60cdfb

    • memory/2052-25-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-23-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-32-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-31-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-30-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-29-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-14-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-28-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-20-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-21-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-22-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-27-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-24-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2052-26-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2748-1-0x0000000003CF0000-0x0000000004100000-memory.dmp

      Filesize

      4.1MB

    • memory/2748-5-0x0000000004100000-0x00000000049A2000-memory.dmp

      Filesize

      8.6MB

    • memory/2748-2-0x0000000004100000-0x00000000049A2000-memory.dmp

      Filesize

      8.6MB

    • memory/2748-3-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/2748-4-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB

    • memory/2748-6-0x0000000000400000-0x0000000000CBD000-memory.dmp

      Filesize

      8.7MB

    • memory/4676-11-0x0000000000400000-0x000000000362E000-memory.dmp

      Filesize

      50.2MB