0d7542ed723304f33fe4263adc5c430c16bbda16b804a74c5f6bff97060e1570

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 07:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
Size

1.3MB
MD5

a1c16280bb9eae87f7e124706d32fd2c
SHA1

171170d4edb29ef390052a89e063ab866217c244
SHA256

0d7542ed723304f33fe4263adc5c430c16bbda16b804a74c5f6bff97060e1570
SHA512

e9fc9068fc88ff1cde15613f0c36c98a41b190a5717de65ee4d6688973b05e0dcd4248e61d5c0b9c149f733b9c0e8842eca4baf38d96bd4f4a590d2242684ef6
SSDEEP

24576:v+sDdU+YdDpOAQxiY9Z/sQuzZOh5jkTZ3Qu8NEYUym5:fdknQxi4yHzQhhCZ3QuZ

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\KAPFA.sys	KASetup.exe

Executes dropped EXE 5 IoCs

pid	Process
2992	KAgentSilent.exe
2712	KASetup.exe
1532	KaUsrTsk.exe
1776	AgentMon.exe
1004	AgentMon.exe

Loads dropped DLL 16 IoCs

pid	Process
1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
2992	KAgentSilent.exe
2992	KAgentSilent.exe
2992	KAgentSilent.exe
2992	KAgentSilent.exe
2712	KASetup.exe
2712	KASetup.exe
2712	KASetup.exe
2712	KASetup.exe
2712	KASetup.exe
1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
1004	AgentMon.exe
1004	AgentMon.exe
1004	AgentMon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KASHVRTPCX82039399054846 = "\"C:\\Program Files (x86)\\Kaseya\\VRTPCX82039399054846\\KaUsrTsk.exe\""	KASetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KaseyaSP.dll	KASetup.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\drivers\KaseyaD.VXD	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\drivers\KaseyaSP.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\Package.xml	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\AgentMon.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KasFirewall.log	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\lastChk.txt	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KASetup.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KaUsrTsk.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KEventLog.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\drivers\KAPFA64.sys	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KaseyaD.ini	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KasStats.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\lastChk.txt	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KAgentExt.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KasAgent.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\custom\offline.ico	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\AgentMon.log	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\kGetELMg64.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\LogParser.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\sporder.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\drivers\KAPFA.sys	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KasError.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KASetup.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\custom\online.ico	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KaseyaFW.ini	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\custom\noremote.ico	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KasError.log	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\AgentMon.log	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KPrtPng.exe	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KaseyaD.ini	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\custom\blink.ico	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KAgentSilent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KASetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KaUsrTsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentMon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentMon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe
1532	KaUsrTsk.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2992	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	30
PID 1220 wrote to memory of 2992	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	30
PID 1220 wrote to memory of 2992	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	30
PID 1220 wrote to memory of 2992	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	30
PID 1220 wrote to memory of 2992	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	30
PID 1220 wrote to memory of 2992	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	30
PID 1220 wrote to memory of 2992	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2712	2992	KAgentSilent.exe	31
PID 2992 wrote to memory of 2712	2992	KAgentSilent.exe	31
PID 2992 wrote to memory of 2712	2992	KAgentSilent.exe	31
PID 2992 wrote to memory of 2712	2992	KAgentSilent.exe	31
PID 2992 wrote to memory of 2712	2992	KAgentSilent.exe	31
PID 2992 wrote to memory of 2712	2992	KAgentSilent.exe	31
PID 2992 wrote to memory of 2712	2992	KAgentSilent.exe	31
PID 1220 wrote to memory of 1532	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	33
PID 1220 wrote to memory of 1532	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	33
PID 1220 wrote to memory of 1532	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	33
PID 1220 wrote to memory of 1532	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	33
PID 1220 wrote to memory of 1776	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	34
PID 1220 wrote to memory of 1776	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	34
PID 1220 wrote to memory of 1776	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	34
PID 1220 wrote to memory of 1776	1220	a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1c16280bb9eae87f7e124706d32fd2c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\KAgentSilent.exe
  KAgentSilent.exe /s /a /k /g VRTPCX82039399054846 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log" /v "1"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KASetup.exe
    "C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KASetup.exe" /k /g VRTPCX82039399054846 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log" /v "1" /s
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\KaUsrTsk.exe
  KaUsrTsk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1532
- C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\AgentMon.exe
  agentmon.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1776

C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\AgentMon.exe
"C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\AgentMon.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\AgentMon.log

Filesize
265B

MD5
8b4879dde7f376f9f780ff3b59d04a22

SHA1
85d2833b8cfe6a09bf56bf06039e3653714c6877

SHA256
c6b1a000f98d3792b7294a7d799e1839fef3e2442dc1d9c21ae48b540754cf79

SHA512
f3f0055ce82a075da2b2001ebf6a16afa36f4e91dbdd8fc5b22b599197db26c1add4fc7a327e9efc984b8b5958b0c1d001b787976dd182e76bf4405996269640

Download Submit
C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\Package.xml

Filesize
130B

MD5
6fdce69101e646e37f74d15f76bba599

SHA1
5b20fd165624e7b89ca6afe441d70f5a062e761e

SHA256
0d2487a369e419361d5644522f781461f88608329d8c7a713f07f6a652617c09

SHA512
d60c7dd408f0a7e56b00c0ee4feb00fbee08560a726e9b75c04d6a58454a429c9637fccbf3d52f7ee32abac730b476d36f3bdaa8036d3f1f67158d77c0531a12

Download Submit
C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\custom\offline.ico

Filesize
2KB

MD5
b3e73f0d0278520f1b3dda926789d6cd

SHA1
de105b5c07b37fbcf026288df363fba7fe88f05c

SHA256
d11b25c674bd74806191d50d26da19447249f00dcd76e5cdd79905ad934c611a

SHA512
2f86e804cb5aa10cc989288341a9c65a4abeae4df094fde0e0835b72273dca71146ce852dde5bf30b339f9d606988bb32e94d11f784caa540c24d5b2d6ef3173

Download Submit
C:\Program Files (x86)\Kaseya\VRTPCX82039399054846\custom\online.ico

Filesize
2KB

MD5
47a9e5c5d0ee052ee82010687b40a37a

SHA1
602e9ad4234bb138ea6c55d3dea2a2b1d3c04241

SHA256
0bd058377752a660f5d9cb7a3f4eafd498bf24ccc9d52c1cd6bc8900dd0dcb9f

SHA512
4c68c1084ce5d6d0c824342664ee2f03323186c442e4ccbdc18dae1f63788ce265ac7ea234c9dbf929e9d0e7152340e992c9d5587a48b7b49ad81476c03f6dfe

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaseya\Kaseya Agent.lnk

Filesize
1KB

MD5
e5fcc3238ab0c93261213951bba2376b

SHA1
5aa64c13d72e4e976d41b50724fef5159f26e205

SHA256
1796438106fd5da36561a061c92bdf8885cb27aac17b41642936e8173e82c2dd

SHA512
cf9e0e607931bb0bfc766bff7ede5e88c8b7dea867693342ebc5fc65de87137e5cf6c3c6b203f45fc3f83bb83fc5c3e3307d756016ae510455348666394751e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
1KB

MD5
7b405a4c5150869bf9867883d3010829

SHA1
5d17a83c5dab0a31e95c80b6c2922a4c6a7def4d

SHA256
b6c96ba0e736c0354b4ca379b7dd9dd4acccf5e5ebc0dcbd798e795498f14b57

SHA512
852c829b9d95daa389b9a599e984945e0aa829544afcb24d2d25272dcb17ed2f52f3a05c7c8d9c42a8b5235e69226997b1a29fd252f14c6cb64ff9831aea91c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
3KB

MD5
f3bf1f03ec4ef811966433eafb680826

SHA1
40fae01380cf331113a28dbc5c1460562b885ff6

SHA256
18cb5a26daabbcec50e80c94a355b28568f9f75ce033be6cafca6e89b5938089

SHA512
ddd1620251304ca53b7e9e9e8bd32593a58e9cd96b1b2b691942f9019b9829a1735452bb08ee649db849abb32a742ca19c89e5f1a98510e90c481e3995103733

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
4KB

MD5
f68f099883ee74a99b28e05f15644260

SHA1
8a5aa2c02194383b67a0c663a7f25b51c808ac0e

SHA256
336cba636fef0e52b76115645040be093f20c7a4439df73d208f0066351cb06b

SHA512
e44f4fe1ce86fa47c899de3439c9155e20d55ee2d623898c9605467bc84eff7a9719d79c97d6b8a6be967fdb5af57eadc69a0fa075d58bf56cbbd77b2e88669f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
10KB

MD5
b690fc0859699bde2db4cc934549643a

SHA1
373d1d7270de10f14bf02830893fc7e48a111536

SHA256
c9011d679cfce297ffad826302995c23ea76c099a6a1be29b1a2135c6e59e14d

SHA512
f553a5dec8d8265c7ffe48354d9cf0d47a40be047e915d249a20a9556b9e4cdda17537ace51981a181e4e57c9505bd6007f3a851d51dc85308cc6387327931ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
2KB

MD5
5ba3a4b6d6ba78ff6a97b8883cab0f10

SHA1
3e725986909c16ae8b78619782a40eb51dcc6ab2

SHA256
61d3e3f4ae4c6a403a4a172d369dc8cd5a163d2b2ca77cfe9d5b2542caca895d

SHA512
9aa12a8ac07ea6fddbb75f4b39ba1aeffb0b07c3dcf7a7ed5f9bcece0c0d7f15dd72ca30f05d96676bd4476b6bdc4b95a9e7258ed74be3c4148b72f89a2d14ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\KaseyaD.ini

Filesize
2KB

MD5
2f8461990cefff1fb07ea51362267fb3

SHA1
aaa07993ce9606bfff326d35723360642832b4c7

SHA256
d53fd2ed72a21149c7814003ebf7c369a05f249dcca891ac20162bc52555f4f7

SHA512
418bd9a0064621a73f5ccc75c7fc0a8f3a4193d04c0b51b53692d4c52453acfdff7404ccc54643556e4dfdd5ce58f95bad5517af58073508949dca15764dc2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\AgentMon.exe

Filesize
788KB

MD5
bf7dcff200293bbc4b3eb9f41a96135a

SHA1
522e5176b39107dff6dc8e27d327db80263c848d

SHA256
540d2870045880731bb27331bed3d77ac399203a6b213a36ae5b2a18cbc19db3

SHA512
6d3eb1ec516e1e3c9d818d059156aeeb96f61f85fdae57492253e5d1031417122ceb35600b7e1dcdef1303784b9f9d39323d05cfbda8daa7233eb57ad9420e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KAPFA.sys

Filesize
13KB

MD5
9c3abc6d9cc915056f0918469f567975

SHA1
d0a992b0e4a2f48bade0a58bd17a5ca4cf59b067

SHA256
623029374fc651371657f7513928b86266428ab3063ebcb5a08eb7bc774ecb9c

SHA512
7def2205dd23603f45c7d344ef2b93bc43cc6e12165b098f40147393bbe7e68d72100041ae3d58213c2219a5301ee8f51b21bbf4f4a3c48d745ae4b401f9ef92

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KAPFA64.sys

Filesize
30KB

MD5
f2f32fa75cfee77419c0ad6291afc7c0

SHA1
7f64472a9c24877a2273bc93ce7c09370362679b

SHA256
7433be0487867dc60329fbe73d62cb7cc86856e9fb62f14749e0898586718e9c

SHA512
d0e97e90081212bf335054941e6282b8d84b44089183443add2353c927c1295d256d29909c582ac94a625b9214877af5b7f2dec5dc6cdfbf1346e6a7418d785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KAgentExt.dll

Filesize
76KB

MD5
991a25a0ef12e3bfe97f52b601a226cb

SHA1
89f51021aa9f01198542adabc39efb868dc3caaf

SHA256
a8cef71c78870cad05d82ade86ae7f8fb449c478670f8c9feaad5adc59ea0fef

SHA512
11952b2d3181a2b0c305e163383fa5e1f6e62bfa86a635ee4ff294e24bb202ef65062f2de0af0a31eac061541127b09fc0ae69f669d3039ec623deae27503704

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KEventLog.dll

Filesize
128KB

MD5
89c41a5e16f6ff6943c60a46a3e8b616

SHA1
180fee12b85c299e40b35d862c6cd4b3ea64912d

SHA256
c32b639858e84d1443c002b94e26607b4d8129d8fa47cd04a4ce98001d3ba64b

SHA512
1807c3b4aac54b1851714e4ae3d72392ec2be38313939159f3efe3249c3de1fd2ec158535867540a52c2e5f299ac155a221f27e9e7d88834c2312182d142c5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KPrtPng.exe

Filesize
104KB

MD5
92b1394dd0de06e28fb5d7c1ed039076

SHA1
9985e69c32807c66081d4da594ed26556147cfff

SHA256
d5e2eda7a8c2b18faa5e2c22ce2a44bbead55e03ad58c25fbb167cf4e0e8fca2

SHA512
40403d69e91d95fd47b80508a3479b2aeacffe5f7857b252d6d5725642a12f8b3946bc2c73ae5256a87a8796a430733f011249805083b0b035bd6bd385644499

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KaUsrTsk.exe

Filesize
312KB

MD5
dc943974d018699d8584fc0326043c01

SHA1
0b1fd0beceea2a509fc4dbf433373b991d2c6992

SHA256
d86dcd4e4280e524d1e0bd15ac97797683fa5b756734c531f52e2f4824518ca7

SHA512
4a0d9d7cbcd512873c7534a264a17347807d6ce15afd73b17433c2f287dd19458d58a39c0006f0a2ec80ff96a89bf5e1700b56a59372716195d40951838d4e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KaseyaD.VXD

Filesize
30KB

MD5
2bdd2b147075c82b1f802f2c503fad22

SHA1
db1472b622e391c931b7f23d828c167023818edd

SHA256
82762843c454aee6002264f1074ac4108a8f4e53b2862fa463cc7ba7345e9949

SHA512
25d722253cf3724afa0b9baba4b8ec67ab4505b27420f3aed65999f5fe33a0bf2091a19ad9d6c4f8e9cfb857b06db0794cb4e90b1786a000cda38d0e9cf3f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KaseyaD.ini

Filesize
2KB

MD5
3d8b610262459277622c3a3386a1c02b

SHA1
040550af4cbfe39c82fea4ba99ed011b69e478cf

SHA256
1529153a7259c1f855c932a487b809e357accee33ff5516b9c9b837f3dd5ecb5

SHA512
d13689e3380dea2b21deda5fcbedaf3bbd366d37e0885b6c37fffdf217ecb0176ee225136bf06a0c07550fd2ddc511c49fe85612245d2eb037a47588dc646079

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KaseyaFW.ini

Filesize
2KB

MD5
110bcfd4a9b3ace873e40d41ad039b72

SHA1
5f652ecfb90311a8a2e5a52424d333cc6234f0e0

SHA256
04e0218852ef83d415f1497c56088ec001e3fb72af3b487dbe171be13c636c04

SHA512
fe9f8c2062f4c2280fd6aaab244d97047e53989ba5817911580744d86177fd42f812a402a740c346e891bdd2b95d2086de19b9822239da025860dfd263616f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KaseyaSP.dll

Filesize
132KB

MD5
897a17111258513e8d762b47cdf67cf5

SHA1
2a306c4937f9bd417a711ab9e183f33bb717f5a5

SHA256
c1e73a9892311cbf08914a96ac5862ecde37cdf8d131a77f87c39f3e6d7fbe13

SHA512
ca48493c0ffde64e87dbe627ff1058c94683de8b983c6b23194f173d585f7b0c7b82d3a9bf3cce8f280c60c232293a62a9f467c5eb4d0afc4a2d6a711d617bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\LogParser.dll

Filesize
132KB

MD5
b5722f2b92962e36044660516645e15b

SHA1
b8166fbc9ccb2495a3d837b5386e2d689ef50d50

SHA256
f02a1b375bedf328e8034022e1cd6ea5f3a97e48c823584386a3a35426fe6b08

SHA512
dee3c5ce22a8153d00938618478494fe314acd30ef00a2c594ba22dd4147378866edb814b48735b86e874d80ce32687dabeeefb65cded29b3138abfe886c7e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\kGetELMg64.exe

Filesize
94KB

MD5
07a4918403b3b96d9fdeba51ab3cc224

SHA1
268df049b2b19fbf2e2aae2085c85bd67c8dbc27

SHA256
b4acf11dac17dcc26c23f0f148491727056a29f0c22308478be92a8d04278fd5

SHA512
26c7b000984fd4b06b25b8554b4694c52d75a3c77a074509df6444c89befe40013b181262ea56bf3a8d1c7a8d08529c12ca7a13fb3cc36ba891958c589c242fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\pftw1.pkg

Filesize
916KB

MD5
eb8318ce9a78bd02971ef304a49335f6

SHA1
2fdb8deb511b3ac9c649633a5862562d423abf94

SHA256
6a102e31a7d5575d5643eff76aa74b38064803f2737ecd5ce01cc9c6de0ee862

SHA512
bd679099730e1ea7ebafc14e95ec2d94b3a2ab26bd35cf7961f75a1eb6b481e1cd0cc97b5558f57ce351ff6833ea156f4613c8c765f868d84e5911ae9f023a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftCD01.tmp\sporder.dll

Filesize
9KB

MD5
e2050130c7c0ec056a44237bbb8feb43

SHA1
8aab6d37d7b9663896c47b6fcc7fbf89781599df

SHA256
aa06892b2869b24218e21f87070abab39e177f0edfedc30fd9ae169e8faf23f9

SHA512
70507ef106ee91d5970c8ac351c060e329236f4920c96612a160b0db827e0354d5c5aaa096c2b77c301294b9ce680aadd5ade56ce345ad46779bd73901c581a4

Download Submit
\Users\Admin\AppData\Local\Temp\KAgentSilent.exe

Filesize
1.2MB

MD5
a8bd35ec8612cd28fa5cfce2bc8e8de5

SHA1
b46ef7189bcf28ec3fe8c652d23cc47dde276005

SHA256
b21438c1af6b35e00a2b02cf34bc214c2bb4ff52c2cef4deb56e74ff6964e16f

SHA512
feb524b91d7379cef67a21f3f17ad0d957445ed99aa26fa655f5eb72e7a1587c0290e87c01e17e47ed0c5a0031e4b88bcfe44641e8886b8fcd1200a0d5348aec

Download Submit
\Users\Admin\AppData\Local\Temp\pftCD01.tmp\KASetup.exe

Filesize
160KB

MD5
7f4ac2a4ff774b018960bb4435b82d26

SHA1
a7f176c263f12ae2e62a91153eb5fb1c298cacd0

SHA256
4b58b6c4cfecabd0ee7aa76244d1a398780903dcc130e0d33de26dd5760eb8f3

SHA512
3b23d3d4504b52b6a4a79c455ed3b55213a4ae559c40e4163411a3768aa924c73d37a0b4a158ffc29584fcc3e5e72375f6d30c060501e8543f9f997d66c098cb

Download Submit
memory/1004-266-0x0000000000600000-0x0000000000623000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads