Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30/12/2024, 20:07 UTC

General

  • Target

    JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe

  • Size

    4.3MB

  • MD5

    cc770be703b8a0d3648065b0710cc7eb

  • SHA1

    58f1a0607af37833707c93c3e097948910a18f45

  • SHA256

    b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9

  • SHA512

    5e6dcd2c7854b8f85a13cc80851fc1aaed9b76268a2e9419c6867028f141c259f1f598b9108000ed2ae787134e91ee0eaa7d28bc5a721a1e6a9f000b76ca9465

  • SSDEEP

    98304:WDKQZNba70xKNNbhc3ynsIK6K/2VKZZatadawjXHF9m2Rw7GDRe/nMIcC+:0pNba7sKNNsT/2ha0YLm2Rw7GdeWC+

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 20 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • GoLang User-Agent 6 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3412
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:1192
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe /51-51
        3⤵
        • Executes dropped EXE
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4204
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3012

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    humisnee.com
    JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
    Remote address:
    8.8.8.8:53
    Request
    humisnee.com
    IN A
    Response
    humisnee.com
    IN A
    37.48.65.148
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    survey-smiles.com
    JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
    Remote address:
    8.8.8.8:53
    Request
    survey-smiles.com
    IN A
    Response
    survey-smiles.com
    IN A
    199.59.243.227
  • flag-us
    GET
    http://survey-smiles.com/
    JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Host: survey-smiles.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Mon, 30 Dec 2024 20:07:51 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 32fd60eb-9bda-48c3-928c-196f19e79b33
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GSbXHjSyM4GBXh+TDdQi5Ch6arC3xeKj8KkRwOq4qrqrlRcvBA0AmkBJ57Iam4tUGtRHYm5e3uPQsAB9Z6SRbg==
    set-cookie: parking_session=32fd60eb-9bda-48c3-928c-196f19e79b33; expires=Mon, 30 Dec 2024 20:22:51 GMT; path=/
  • flag-us
    DNS
    148.65.48.37.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    148.65.48.37.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    227.243.59.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    227.243.59.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    ninhaine.com
    IN TXT
    Response
  • flag-us
    DNS
    2makestorage.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    2makestorage.com
    IN TXT
    Response
  • flag-us
    DNS
    nisdably.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    nisdably.com
    IN TXT
    Response
    nisdably.com
    IN TXT
    v=spf1 include:_incspfcheck.mailspike.net ?all
  • flag-us
    DNS
    132ff1c0-ccbb-443c-a738-991458534ef8.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    132ff1c0-ccbb-443c-a738-991458534ef8.ninhaine.com
    IN TXT
    Response
  • flag-us
    DNS
    server1.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    server1.ninhaine.com
    IN A
    Response
    server1.ninhaine.com
    IN A
    46.8.9.145
  • flag-us
    DNS
    145.9.8.46.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.9.8.46.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ww53.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    ww53.ninhaine.com
    IN A
    Response
    ww53.ninhaine.com
    IN CNAME
    g87442272.c.giantpanda.com
    g87442272.c.giantpanda.com
    IN A
    139.162.181.76
    g87442272.c.giantpanda.com
    IN A
    172.104.149.86
    g87442272.c.giantpanda.com
    IN A
    172.104.251.198
  • flag-us
    DNS
    ww82.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    ww82.ninhaine.com
    IN A
    Response
    ww82.ninhaine.com
    IN CNAME
    63214.bodis.com
    63214.bodis.com
    IN A
    199.59.243.227
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Mon, 30 Dec 2024 20:08:00 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: e4d7a663-e1fd-450e-a25b-2360df61300e
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=e4d7a663-e1fd-450e-a25b-2360df61300e; expires=Mon, 30 Dec 2024 20:23:01 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Mon, 30 Dec 2024 20:08:00 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 84a45b22-2962-47cf-ad74-c1431f0df62c
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=84a45b22-2962-47cf-ad74-c1431f0df62c; expires=Mon, 30 Dec 2024 20:23:01 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Mon, 30 Dec 2024 20:08:04 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: b5066cd5-d938-4a3c-a8d2-6d3e27df5aac
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_unfYoWFYl0UPpoTq2vzG5ocpZP6jPx9uD9L+rB47S2ns41GToTh3adsqMgOSQql9tjhxr5Y1X4Fb6790gj6RAA==
    set-cookie: parking_session=b5066cd5-d938-4a3c-a8d2-6d3e27df5aac; expires=Mon, 30 Dec 2024 20:23:05 GMT; path=/
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    139.162.181.76:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/json; charset=UTF-8
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.25.3.2
    Date: Mon, 30 Dec 2024 20:08:01 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=71c3c45942920f7109a05cb424cf4e64; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:08:01 GMT
    Content-Encoding: gzip
  • flag-us
    DNS
    76.181.162.139.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.181.162.139.in-addr.arpa
    IN PTR
    Response
    76.181.162.139.in-addr.arpa
    IN PTR
    139-162-181-76.ip.linodeusercontent.com
  • flag-us
    DNS
    spolaect.info
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    spolaect.info
    IN A
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    139.162.181.76:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.25.3.2
    Date: Mon, 30 Dec 2024 20:08:11 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=f9bbc7b58feba5e874adf3139dd0bc5c; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:08:11 GMT
    Content-Encoding: gzip
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    139.162.181.76:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.25.3.2
    Date: Mon, 30 Dec 2024 20:08:11 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=1a41e233c98ffee19187d65386b70530; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:08:11 GMT
    Content-Encoding: gzip
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Mon, 30 Dec 2024 20:08:21 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: e2674652-a239-4899-894f-45c5a3c1134b
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tSFwUapoYlW5wLBrz6NCtjfX1dDdJjjgIGP/B20R1G/ACJA68H6GFroh0Khp2N5fO9ZJvNkYpn/jboPwKtG2UA==
    set-cookie: parking_session=e2674652-a239-4899-894f-45c5a3c1134b; expires=Mon, 30 Dec 2024 20:23:22 GMT; path=/
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    139.162.181.76:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.25.3.2
    Date: Mon, 30 Dec 2024 20:08:28 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=7c8a93a04b6329695024772ca09fa9c8; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:08:28 GMT
    Content-Encoding: gzip
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Mon, 30 Dec 2024 20:08:33 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 0506a6f5-bbb0-4db9-adb4-3fdceee20bd3
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=0506a6f5-bbb0-4db9-adb4-3fdceee20bd3; expires=Mon, 30 Dec 2024 20:23:33 GMT; path=/
  • flag-us
    DNS
    182.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    182.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    139.162.181.76:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.2.14
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.25.3.2
    Date: Mon, 30 Dec 2024 20:09:05 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=d8aa4d3f6d0ab986e5570588050da621; Path=/; HttpOnly; Max-Age=86400; Expires=Monday, 30-Dec-2024 20:09:05 GMT
    Content-Encoding: gzip
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    server1.2makestorage.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    server1.2makestorage.com
    IN A
    Response
  • 37.48.65.148:443
    humisnee.com
    tls
    JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
    1.4kB
    3.8kB
    12
    10
  • 199.59.243.227:80
    http://survey-smiles.com/
    http
    JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
    429 B
    2.3kB
    6
    5

    HTTP Request

    GET http://survey-smiles.com/

    HTTP Response

    200
  • 46.8.9.145:443
    server1.ninhaine.com
    tls
    csrss.exe
    16.4kB
    6.1kB
    52
    56
  • 46.8.9.145:443
    server1.ninhaine.com
    tls
    csrss.exe
    784 B
    3.6kB
    9
    10
  • 46.8.9.145:443
    server1.ninhaine.com
    tls
    csrss.exe
    784 B
    3.6kB
    9
    10
  • 199.59.243.227:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    475 B
    2.4kB
    7
    7

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 199.59.243.227:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    775 B
    4.6kB
    10
    10

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 139.162.181.76:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    421 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 139.162.181.76:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    423 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 139.162.181.76:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    477 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 199.59.243.227:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    523 B
    2.4kB
    7
    7

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 139.162.181.76:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    438 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 199.59.243.227:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    475 B
    2.4kB
    7
    7

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 46.8.9.145:443
    server1.ninhaine.com
    tls
    csrss.exe
    2.2kB
    4.2kB
    18
    19
  • 139.162.181.76:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    451 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    142 B
    145 B
    2
    1

    DNS Request

    97.17.167.52.in-addr.arpa

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    humisnee.com
    dns
    JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
    58 B
    74 B
    1
    1

    DNS Request

    humisnee.com

    DNS Response

    37.48.65.148

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    survey-smiles.com
    dns
    JaffaCakes118_b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9.exe
    63 B
    79 B
    1
    1

    DNS Request

    survey-smiles.com

    DNS Response

    199.59.243.227

  • 8.8.8.8:53
    148.65.48.37.in-addr.arpa
    dns
    71 B
    134 B
    1
    1

    DNS Request

    148.65.48.37.in-addr.arpa

  • 8.8.8.8:53
    227.243.59.199.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    227.243.59.199.in-addr.arpa

  • 8.8.8.8:53
    ninhaine.com
    dns
    csrss.exe
    58 B
    58 B
    1
    1

    DNS Request

    ninhaine.com

  • 8.8.8.8:53
    2makestorage.com
    dns
    csrss.exe
    62 B
    135 B
    1
    1

    DNS Request

    2makestorage.com

  • 8.8.8.8:53
    nisdably.com
    dns
    csrss.exe
    58 B
    117 B
    1
    1

    DNS Request

    nisdably.com

  • 8.8.8.8:53
    132ff1c0-ccbb-443c-a738-991458534ef8.ninhaine.com
    dns
    csrss.exe
    95 B
    95 B
    1
    1

    DNS Request

    132ff1c0-ccbb-443c-a738-991458534ef8.ninhaine.com

  • 8.8.8.8:53
    server1.ninhaine.com
    dns
    csrss.exe
    66 B
    82 B
    1
    1

    DNS Request

    server1.ninhaine.com

    DNS Response

    46.8.9.145

  • 8.8.8.8:53
    145.9.8.46.in-addr.arpa
    dns
    69 B
    129 B
    1
    1

    DNS Request

    145.9.8.46.in-addr.arpa

  • 8.8.8.8:53
    ww53.ninhaine.com
    dns
    csrss.exe
    63 B
    148 B
    1
    1

    DNS Request

    ww53.ninhaine.com

    DNS Response

    139.162.181.76
    172.104.149.86
    172.104.251.198

  • 8.8.8.8:53
    ww82.ninhaine.com
    dns
    csrss.exe
    63 B
    105 B
    1
    1

    DNS Request

    ww82.ninhaine.com

    DNS Response

    199.59.243.227

  • 8.8.8.8:53
    76.181.162.139.in-addr.arpa
    dns
    73 B
    126 B
    1
    1

    DNS Request

    76.181.162.139.in-addr.arpa

  • 8.8.8.8:53
    spolaect.info
    dns
    csrss.exe
    59 B
    138 B
    1
    1

    DNS Request

    spolaect.info

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    86.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    86.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    182.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    182.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    server1.2makestorage.com
    dns
    csrss.exe
    70 B
    143 B
    1
    1

    DNS Request

    server1.2makestorage.com

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

    Filesize

    281KB

    MD5

    d98e33b66343e7c96158444127a117f6

    SHA1

    bb716c5509a2bf345c6c1152f6e3e1452d39d50d

    SHA256

    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

    SHA512

    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

  • C:\Windows\rss\csrss.exe

    Filesize

    4.3MB

    MD5

    cc770be703b8a0d3648065b0710cc7eb

    SHA1

    58f1a0607af37833707c93c3e097948910a18f45

    SHA256

    b791ec277c433182561405a05087d7543af32d9ca7098c0ea7edcb1138cba2c9

    SHA512

    5e6dcd2c7854b8f85a13cc80851fc1aaed9b76268a2e9419c6867028f141c259f1f598b9108000ed2ae787134e91ee0eaa7d28bc5a721a1e6a9f000b76ca9465

  • memory/816-7-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/816-15-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/816-8-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-23-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-29-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-34-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-33-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-16-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-32-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-22-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-31-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-24-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-25-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-26-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-27-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-28-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1564-30-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/2520-5-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/2520-1-0x0000000002AC0000-0x0000000002F0B000-memory.dmp

    Filesize

    4.3MB

  • memory/2520-2-0x0000000002F10000-0x000000000382E000-memory.dmp

    Filesize

    9.1MB

  • memory/2520-3-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/2520-6-0x0000000002F10000-0x000000000382E000-memory.dmp

    Filesize

    9.1MB
