Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2024, 23:23

General

  • Target

    6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe

  • Size

    408KB

  • MD5

    6497575837718d9eb335fd2fbd03ffc7

  • SHA1

    0d433455b6649c8207d4a0ba37d76655a9574473

  • SHA256

    ea41cceb229d9a122fb6b14672e1b37540d8580a4eeb7f7a94c08450f09cc363

  • SHA512

    0024efd2904d6358da50c0de281600639085b3f65e3747f297805fc04fbae59bc0a1846ede28ebbbf6b40c7aeea0bb9f7287aa75486c388b152e79efa005fcaf

  • SSDEEP

    12288:/VG84YDVG84YXVG84Y4VG84YDVG84YXVG84Yi:/VG89VG8BVG8uVG89VG8BVG80

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 63 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 48 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2736
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2724
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1968
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2000
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2800
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2832
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2012
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2660
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1072
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1876
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2512
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2152
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:844
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2364
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1144
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2292
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1788
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1696
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1720
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1700
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:744
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:892
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1852
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2636
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2620
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1588
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2188
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1520
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2348
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2668
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2828
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1772
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1556
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2924
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1528
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1712
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2704
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2716
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3052
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2860
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2200
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:328
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2660
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1592
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1584
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2932
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1852
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:832
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2052
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1428
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3048
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2788
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2780
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2276
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:836
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2472
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2700
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1520
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2272
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2636
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2624
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2976
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2980
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3068
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    408KB

    MD5

    6497575837718d9eb335fd2fbd03ffc7

    SHA1

    0d433455b6649c8207d4a0ba37d76655a9574473

    SHA256

    ea41cceb229d9a122fb6b14672e1b37540d8580a4eeb7f7a94c08450f09cc363

    SHA512

    0024efd2904d6358da50c0de281600639085b3f65e3747f297805fc04fbae59bc0a1846ede28ebbbf6b40c7aeea0bb9f7287aa75486c388b152e79efa005fcaf

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    408KB

    MD5

    389e10ebb97544195671343da5d3de9c

    SHA1

    0bc77d0238eecfec402b6d3d5063eaf631e41a07

    SHA256

    93c14ae6a791dd346347a0c8dbc6438233f6971d5d5b3a95971ce0d4b13c5534

    SHA512

    b5fefc020766fd5e9368ffaa53776690c06aabd24029a7f98e59ffe6e10c1766c734a9557fb1ecafe949f84725ad41e6b521405606c016016ef900df0fe1999a

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    408KB

    MD5

    989b9499dc513ff703d2c2e66d6c925a

    SHA1

    b4b00489fdaabd7e144501c9a097922f2ae72c42

    SHA256

    99147ff738c756a7db9f762eb871fd7064d980f4bfa5e2652673826548afaf22

    SHA512

    59b742b7e0a3ca5533c5085e205254bb560f30a34fab41b89dce906edc59c9a1e27f4cf8da1d782143e20db19b1c2fec02c3b1451497cf9fd98c962c797439b4

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    408KB

    MD5

    f2aba999e1455cdaa73fd30528258044

    SHA1

    0fef95ac995990bd7f2a6085ea7b45443dc83616

    SHA256

    4156f0ddf027cb5c8ae9fd36dc1ec06dd2febd49eea6a4647b786ca9294693e6

    SHA512

    ea50ad82595dda82058a949fa2de300daed82a46032527fa5862bb9dac3f7608b75e6a5f97cd0c954c1d8c2decc8da2d277a6664a5f55a32b6ae8dee9fbc2a09

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    408KB

    MD5

    124f750d773c659306980d466de8ba5e

    SHA1

    b34f7d7602752050eaac1ed6f55831a5c1747a82

    SHA256

    c67dc1d85ce5c0b975034f887a5cdde04923f2886dc73dd0d4d101bd7e01d4c5

    SHA512

    bcd19ad6d65cd49824fc88a70b49f46aadd4777818372963b890a4c1c4a0fc5a71d39a6877b28a805369f6fad6c08deb116ef5a237e43d135af41a19136a1b91

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    408KB

    MD5

    0425060877c6f850c570c06d84e0ee8f

    SHA1

    3a1f7c1a050b2b662dfaa28030087b68b28ac4f4

    SHA256

    a6c6aa09aca989df8651b9bd1603ad8701e64f6194162e8df7a36086865bee00

    SHA512

    fc6dde6580a376714de640238d41b2337538e41c77dbddb6f2c38ad511e98021ab79e7e342bfdcdf2264bc7f280a3abb46b68c0a2abde6adc00f90a38977288e

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    408KB

    MD5

    189e066cbb06ddee1fc3c607811f6f80

    SHA1

    c9d6dd09252cb09827e3bdc54a72e135fc3b4569

    SHA256

    9405656210a7f9eda61a23f310d6419f9f254bac2de34669b52942230980f378

    SHA512

    96444f2dced6e638f0ff5f5fea9b99a6e87326f5e9a95f092edcaf0c18b202e852ec7f845e73dbc4e0ec34e405a354fb831e45c8e7dc137d7a78ca7a6225d8d8

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    408KB

    MD5

    35433c21809374b83e255c07c4b35166

    SHA1

    0a4ca6d482c774b9478ac46257d5f75ccb3f9f70

    SHA256

    4c4f39f5a82f841b336229b3e2af1a944c0b0987e8614aed880417af84c9f8cd

    SHA512

    9f049958f486be461bcde7debcaffcb6b507ee0b2df24f7bf93170c6dc095a06bad5a6c868d954b1ad6081cbaae834fa8bbce7a2390d3c6492dd207e19a2e3bc

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    408KB

    MD5

    b522bf0a1175825f00ab4e7770df940a

    SHA1

    fb3de6d3979b20aa021b8e4cc76773f3d41e4f5e

    SHA256

    d4b26029745f54962aa8883587576b8f3cd3183d6c032ca5a386e2cc48ea0b53

    SHA512

    0c22fffa9b288c6a8860c1a9167f3ea695d80a3b47a7f3567142877e9fcebae98909c59eb23bdb98628341c0728688eddc59df8af32496421a80911a04e4c95c

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    408KB

    MD5

    f748ab16a45b1db58868f853bde3dee9

    SHA1

    a80b59579dd3131ce38d3db0e90ec97f1404639a

    SHA256

    f53744a5af13fcec6959f50150b5b74cd4bbbd62c106fa348f15ebdf6d862c59

    SHA512

    8e2a5450667bcbc0e5c88e4019eb1135a26ee3f1a1283438a0112816c4d0b14ac2cc87c82544097b8d0004c4bbfb01994bab7cf9d910a72f8aaf27bd64a7357b

  • C:\Windows\system\msvbvm60.dll

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • \Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

    Filesize

    408KB

    MD5

    604c4f1ea48daefd709162ea2a7ab51b

    SHA1

    5493dca96073823b17f4b1e08fdcc22ce4e3bff7

    SHA256

    f818a15707bf92730dc5d954235ba84df8158c4d0d1e68ae9bb889eef8f6756d

    SHA512

    8e424207a9c76ad324b33e8c33ed870238d8930f2348aee533c48d9e0f28719588289a4f4e98e6429468011d9ef77e26ecca0294dd1fd7d677fc1cd22e671654

  • \Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

    Filesize

    408KB

    MD5

    874cb40562e3ace766176bc2df15ead3

    SHA1

    f381a214b8ca74c8014b574e67888e26543c80bb

    SHA256

    449b6667fe443e0f72426a468d8f4972fe2b0cbb5871ed938744faabf16d72c9

    SHA512

    7dab9dac3bc8acea1bafb7faac384fc0a07858ab59e12aeb144f92819f07b6162e13bb51dd542a465ce71ea9be1cc2d4402f067bc634145e6c30105004f37d60

  • \Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    408KB

    MD5

    1921bd97b467e9886fc607982df034fa

    SHA1

    38fbac555278854fb3a713f7ea17146f6eb33c55

    SHA256

    44572c58bc0bc00224abd0e2c837bdf5c4e16386d42391038aff7f720efdbbc7

    SHA512

    a5eb8b1b24c1f069694b8cd34798426f209b6c049ee66e8efcec2f9d088e2f98334bd0d359f7e77b507851836043b409715238fa72c11ad95a90996063dc8282

  • memory/328-303-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/328-308-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/744-290-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/744-286-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/844-242-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1072-192-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1072-185-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1144-249-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1428-318-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1428-313-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1520-329-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1700-284-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1720-279-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1788-272-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1876-194-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1876-197-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1968-80-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2000-345-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2000-145-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2000-207-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2000-90-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2000-144-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2000-177-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2000-323-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2000-230-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2000-301-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2000-412-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-148-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-186-0x0000000000830000-0x000000000085A000-memory.dmp

    Filesize

    168KB

  • memory/2012-232-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-346-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-175-0x0000000000830000-0x000000000085A000-memory.dmp

    Filesize

    168KB

  • memory/2012-470-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-204-0x0000000000830000-0x000000000085A000-memory.dmp

    Filesize

    168KB

  • memory/2012-205-0x0000000000830000-0x000000000085A000-memory.dmp

    Filesize

    168KB

  • memory/2052-312-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2052-306-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2152-238-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2152-233-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2200-300-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2272-334-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2292-538-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2292-285-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2292-348-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2292-256-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2364-246-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2512-255-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2512-236-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2512-584-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2512-208-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2512-280-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2512-231-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2512-251-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2512-347-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2624-342-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2660-184-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2724-83-0x0000000000430000-0x000000000045A000-memory.dmp

    Filesize

    168KB

  • memory/2724-132-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2724-316-0x0000000000430000-0x000000000045A000-memory.dmp

    Filesize

    168KB

  • memory/2724-411-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2724-337-0x0000000000430000-0x000000000045A000-memory.dmp

    Filesize

    168KB

  • memory/2724-305-0x0000000000430000-0x000000000045A000-memory.dmp

    Filesize

    168KB

  • memory/2724-344-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2736-122-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2736-343-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2736-330-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2736-322-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2736-123-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2736-37-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2736-33-0x0000000000310000-0x000000000033A000-memory.dmp

    Filesize

    168KB

  • memory/2736-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2800-130-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2832-137-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2924-293-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3048-325-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3048-319-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB