Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 20:07 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
-
Size
4.3MB
-
MD5
cc770be703b8a0d3648065b0710cc7eb
-
SHA1
58f1a0607af37833707c93c3e097948910a18f45
-
SHA256
b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9
-
SHA512
5e6dcd2c7854b8f85a13cc80851fc1aaed9b76268a2e9419c6867028f141c259f1f598b9108000ed2ae787134e91ee0eaa7d28bc5a721a1e6a9f000b76ca9465
-
SSDEEP
98304:WDKQZNba70xKNNbhc3ynsIK6K/2VKZZatadawjXHF9m2Rw7GDRe/nMIcC+:0pNba7sKNNsT/2ha0YLm2Rw7GdeWC+
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba family
-
Glupteba payload 20 IoCs
resource yara_rule behavioral2/memory/2520-2-0x0000000002F10000-0x000000000382E000-memory.dmp family_glupteba behavioral2/memory/2520-3-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/2520-6-0x0000000002F10000-0x000000000382E000-memory.dmp family_glupteba behavioral2/memory/2520-5-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/816-8-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/816-15-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-16-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-22-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-23-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-24-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-25-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-26-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-27-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-28-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-29-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-30-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-31-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-32-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-33-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba behavioral2/memory/1564-34-0x0000000000400000-0x0000000000D39000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 1192 netsh.exe -
Executes dropped EXE 2 IoCs
pid Process 1564 csrss.exe 3012 injector.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DryFrog = "\"C:\\Windows\\rss\\csrss.exe\"" JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rss\csrss.exe JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe File opened for modification C:\Windows\rss JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe -
GoLang User-Agent 6 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 33 Go-http-client/1.1 HTTP User-Agent header 34 Go-http-client/1.1 HTTP User-Agent header 45 Go-http-client/1.1 HTTP User-Agent header 62 Go-http-client/1.1 HTTP User-Agent header 18 Go-http-client/1.1 HTTP User-Agent header 32 Go-http-client/1.1 -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs csrss.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4204 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2520 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 2520 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 1564 csrss.exe 1564 csrss.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe 3012 injector.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2520 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Token: SeImpersonatePrivilege 2520 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Token: SeSystemEnvironmentPrivilege 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe Token: SeSystemEnvironmentPrivilege 1564 csrss.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 816 wrote to memory of 3412 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 88 PID 816 wrote to memory of 3412 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 88 PID 3412 wrote to memory of 1192 3412 cmd.exe 90 PID 3412 wrote to memory of 1192 3412 cmd.exe 90 PID 816 wrote to memory of 1564 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 91 PID 816 wrote to memory of 1564 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 91 PID 816 wrote to memory of 1564 816 JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe 91 PID 1564 wrote to memory of 3012 1564 csrss.exe 99 PID 1564 wrote to memory of 3012 1564 csrss.exe 99 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1192
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /51-513⤵
- Executes dropped EXE
- Manipulates WinMonFS driver.
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Scheduled Task/Job: Scheduled Task
PID:4204
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3012
-
-
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request140.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesthumisnee.comIN AResponsehumisnee.comIN A37.48.65.148
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
DNSsurvey-smiles.comJaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exeRemote address:8.8.8.8:53Requestsurvey-smiles.comIN AResponsesurvey-smiles.comIN A199.59.243.227
-
GEThttp://survey-smiles.com/JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exeRemote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: survey-smiles.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: 32fd60eb-9bda-48c3-928c-196f19e79b33
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GSbXHjSyM4GBXh+TDdQi5Ch6arC3xeKj8KkRwOq4qrqrlRcvBA0AmkBJ57Iam4tUGtRHYm5e3uPQsAB9Z6SRbg==
set-cookie: parking_session=32fd60eb-9bda-48c3-928c-196f19e79b33; expires=Mon, 30 Dec 2024 20:22:51 GMT; path=/
-
Remote address:8.8.8.8:53Request148.65.48.37.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request227.243.59.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestninhaine.comIN TXTResponse
-
Remote address:8.8.8.8:53Request2makestorage.comIN TXTResponse
-
Remote address:8.8.8.8:53Requestnisdably.comIN TXTResponsenisdably.comIN TXT.v=spf1 include:_incspfcheck.mailspike.net ?all
-
Remote address:8.8.8.8:53Request132ff1c0-ccbb-443c-a738-991458534ef8.ninhaine.comIN TXTResponse
-
Remote address:8.8.8.8:53Requestserver1.ninhaine.comIN AResponseserver1.ninhaine.comIN A46.8.9.145
-
Remote address:8.8.8.8:53Request145.9.8.46.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestww53.ninhaine.comIN AResponseww53.ninhaine.comIN CNAMEg87442272.c.giantpanda.comg87442272.c.giantpanda.comIN A139.162.181.76g87442272.c.giantpanda.comIN A172.104.149.86g87442272.c.giantpanda.comIN A172.104.251.198
-
Remote address:8.8.8.8:53Requestww82.ninhaine.comIN AResponseww82.ninhaine.comIN CNAME63214.bodis.com63214.bodis.comIN A199.59.243.227
-
Remote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: e4d7a663-e1fd-450e-a25b-2360df61300e
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
set-cookie: parking_session=e4d7a663-e1fd-450e-a25b-2360df61300e; expires=Mon, 30 Dec 2024 20:23:01 GMT; path=/
-
Remote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: 84a45b22-2962-47cf-ad74-c1431f0df62c
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
set-cookie: parking_session=84a45b22-2962-47cf-ad74-c1431f0df62c; expires=Mon, 30 Dec 2024 20:23:01 GMT; path=/
-
Remote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: b5066cd5-d938-4a3c-a8d2-6d3e27df5aac
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_unfYoWFYl0UPpoTq2vzG5ocpZP6jPx9uD9L+rB47S2ns41GToTh3adsqMgOSQql9tjhxr5Y1X4Fb6790gj6RAA==
set-cookie: parking_session=b5066cd5-d938-4a3c-a8d2-6d3e27df5aac; expires=Mon, 30 Dec 2024 20:23:05 GMT; path=/
-
Remote address:139.162.181.76:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 20:08:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=71c3c45942920f7109a05cb424cf4e64; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:08:01 GMT
Content-Encoding: gzip
-
Remote address:8.8.8.8:53Request76.181.162.139.in-addr.arpaIN PTRResponse76.181.162.139.in-addr.arpaIN PTR139-162-181-76iplinodeusercontentcom
-
Remote address:8.8.8.8:53Requestspolaect.infoIN AResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:139.162.181.76:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 20:08:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=f9bbc7b58feba5e874adf3139dd0bc5c; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:08:11 GMT
Content-Encoding: gzip
-
Remote address:139.162.181.76:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 20:08:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=1a41e233c98ffee19187d65386b70530; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:08:11 GMT
Content-Encoding: gzip
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: e2674652-a239-4899-894f-45c5a3c1134b
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tSFwUapoYlW5wLBrz6NCtjfX1dDdJjjgIGP/B20R1G/ACJA68H6GFroh0Khp2N5fO9ZJvNkYpn/jboPwKtG2UA==
set-cookie: parking_session=e2674652-a239-4899-894f-45c5a3c1134b; expires=Mon, 30 Dec 2024 20:23:22 GMT; path=/
-
Remote address:139.162.181.76:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 20:08:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=7c8a93a04b6329695024772ca09fa9c8; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:08:28 GMT
Content-Encoding: gzip
-
Remote address:199.59.243.227:80RequestGET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1054
x-request-id: 0506a6f5-bbb0-4db9-adb4-3fdceee20bd3
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
set-cookie: parking_session=0506a6f5-bbb0-4db9-adb4-3fdceee20bd3; expires=Mon, 30 Dec 2024 20:23:33 GMT; path=/
-
Remote address:8.8.8.8:53Request182.129.81.91.in-addr.arpaIN PTRResponse
-
Remote address:139.162.181.76:80RequestGET / HTTP/1.1
Host: ww53.ninhaine.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.2.14
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 20:09:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: session_id=d8aa4d3f6d0ab986e5570588050da621; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:09:05 GMT
Content-Encoding: gzip
-
Remote address:8.8.8.8:53Request73.144.22.2.in-addr.arpaIN PTRResponse73.144.22.2.in-addr.arpaIN PTRa2-22-144-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestserver1.2makestorage.comIN AResponse
-
37.48.65.148:443humisnee.comtlsJaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe1.4kB 3.8kB 12 10
-
199.59.243.227:80http://survey-smiles.com/httpJaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe429 B 2.3kB 6 5
HTTP Request
GET http://survey-smiles.com/HTTP Response
200 -
16.4kB 6.1kB 52 56
-
784 B 3.6kB 9 10
-
784 B 3.6kB 9 10
-
475 B 2.4kB 7 7
HTTP Request
GET http://ww82.ninhaine.com/HTTP Response
200 -
775 B 4.6kB 10 10
HTTP Request
GET http://ww82.ninhaine.com/HTTP Response
200HTTP Request
GET http://ww82.ninhaine.com/HTTP Response
200 -
421 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200 -
423 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200 -
477 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200 -
523 B 2.4kB 7 7
HTTP Request
GET http://ww82.ninhaine.com/HTTP Response
200 -
438 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200 -
475 B 2.4kB 7 7
HTTP Request
GET http://ww82.ninhaine.com/HTTP Response
200 -
2.2kB 4.2kB 18 19
-
451 B 1.5kB 6 5
HTTP Request
GET http://ww53.ninhaine.com/HTTP Response
200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
142 B 145 B 2 1
DNS Request
97.17.167.52.in-addr.arpa
DNS Request
97.17.167.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
140.32.126.40.in-addr.arpa
-
8.8.8.8:53humisnee.comdnsJaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe58 B 74 B 1 1
DNS Request
humisnee.com
DNS Response
37.48.65.148
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
8.8.8.8:53survey-smiles.comdnsJaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe63 B 79 B 1 1
DNS Request
survey-smiles.com
DNS Response
199.59.243.227
-
71 B 134 B 1 1
DNS Request
148.65.48.37.in-addr.arpa
-
73 B 131 B 1 1
DNS Request
227.243.59.199.in-addr.arpa
-
58 B 58 B 1 1
DNS Request
ninhaine.com
-
62 B 135 B 1 1
DNS Request
2makestorage.com
-
58 B 117 B 1 1
DNS Request
nisdably.com
-
95 B 95 B 1 1
DNS Request
132ff1c0-ccbb-443c-a738-991458534ef8.ninhaine.com
-
66 B 82 B 1 1
DNS Request
server1.ninhaine.com
DNS Response
46.8.9.145
-
69 B 129 B 1 1
DNS Request
145.9.8.46.in-addr.arpa
-
63 B 148 B 1 1
DNS Request
ww53.ninhaine.com
DNS Response
139.162.181.76172.104.149.86172.104.251.198
-
63 B 105 B 1 1
DNS Request
ww82.ninhaine.com
DNS Response
199.59.243.227
-
73 B 126 B 1 1
DNS Request
76.181.162.139.in-addr.arpa
-
59 B 138 B 1 1
DNS Request
spolaect.info
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
86.49.80.91.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
182.129.81.91.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
73.144.22.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
-
70 B 143 B 1 1
DNS Request
server1.2makestorage.com
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
4.3MB
MD5cc770be703b8a0d3648065b0710cc7eb
SHA158f1a0607af37833707c93c3e097948910a18f45
SHA256b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9
SHA5125e6dcd2c7854b8f85a13cc80851fc1aaed9b76268a2e9419c6867028f141c259f1f598b9108000ed2ae787134e91ee0eaa7d28bc5a721a1e6a9f000b76ca9465