Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2024, 23:23
Behavioral task: behavioral1
Sample: 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Size: 408KB
MD5: 6497575837718d9eb335fd2fbd03ffc7
SHA1: 0d433455b6649c8207d4a0ba37d76655a9574473
SHA256: ea41cceb229d9a122fb6b14672e1b37540d8580a4eeb7f7a94c08450f09cc363
SHA512: 0024efd2904d6358da50c0de281600639085b3f65e3747f297805fc04fbae59bc0a1846ede28ebbbf6b40c7aeea0bb9f7287aa75486c388b152e79efa005fcaf
SSDEEP: 12288:/VG84YDVG84YXVG84Y4VG84YDVG84YXVG84Yi:/VG89VG8BVG8uVG89VG8BVG80
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Gaara.exe
Executes dropped EXE 30 IoCs
pid | Process
2724 | smss.exe
1968 | smss.exe
2000 | Gaara.exe
2800 | smss.exe
2832 | Gaara.exe
2012 | csrss.exe
2660 | smss.exe
1072 | Gaara.exe
1876 | csrss.exe
2512 | Kazekage.exe
2152 | smss.exe
844 | Gaara.exe
2364 | csrss.exe
1144 | Kazekage.exe
2292 | system32.exe
1788 | smss.exe
1696 | Gaara.exe
1720 | csrss.exe
1700 | Kazekage.exe
744 | system32.exe
2924 | system32.exe
2200 | Kazekage.exe
328 | system32.exe
2052 | csrss.exe
1428 | Kazekage.exe
3048 | system32.exe
1520 | Gaara.exe
2272 | csrss.exe
2636 | Kazekage.exe
2624 | system32.exe
Loads dropped DLL 63 IoCs
pid | Process
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
2724 | smss.exe
2724 | smss.exe
1968 | smss.exe
2724 | smss.exe
2724 | smss.exe
2000 | Gaara.exe
2000 | Gaara.exe
2000 | Gaara.exe
2800 | smss.exe
2000 | Gaara.exe
2832 | Gaara.exe
2000 | Gaara.exe
2000 | Gaara.exe
2012 | csrss.exe
2012 | csrss.exe
2660 | smss.exe
2012 | csrss.exe
1072 | Gaara.exe
1876 | csrss.exe
2012 | csrss.exe
2012 | csrss.exe
2512 | Kazekage.exe
2152 | smss.exe
2512 | Kazekage.exe
844 | Gaara.exe
2512 | Kazekage.exe
2364 | csrss.exe
2512 | Kazekage.exe
2512 | Kazekage.exe
2512 | Kazekage.exe
2512 | Kazekage.exe
2292 | system32.exe
1788 | smss.exe
2292 | system32.exe
1696 | Gaara.exe
2292 | system32.exe
1720 | csrss.exe
2292 | system32.exe
2292 | system32.exe
2292 | system32.exe
2292 | system32.exe
2012 | csrss.exe
2012 | csrss.exe
2000 | Gaara.exe
2000 | Gaara.exe
2000 | Gaara.exe
2000 | Gaara.exe
2724 | smss.exe
2052 | csrss.exe
2724 | smss.exe
2724 | smss.exe
2724 | smss.exe
2724 | smss.exe
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
1520 | Gaara.exe
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
2272 | csrss.exe
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | F:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | csrss.exe
File opened for modification | \??\P:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | csrss.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\M:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\S:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\X:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\L:\Desktop.ini | smss.exe
File opened for modification | \??\W:\Desktop.ini | smss.exe
File opened for modification | \??\H:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | csrss.exe
File opened for modification | \??\Y:\Desktop.ini | csrss.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | csrss.exe
File opened for modification | \??\R:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\M:\Desktop.ini | smss.exe
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | \??\E:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | F:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\O:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | D:\Desktop.ini | smss.exe
File opened for modification | \??\L:\Desktop.ini | Gaara.exe
File opened for modification | \??\M:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | C:\Desktop.ini | csrss.exe
File opened for modification | \??\B:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Desktop.ini | smss.exe
File opened for modification | \??\A:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | csrss.exe
File opened for modification | \??\Q:\Desktop.ini | system32.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | C:\Desktop.ini | Gaara.exe
File opened for modification | F:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | Kazekage.exe
File opened for modification | \??\I:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | csrss.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\J:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\R:\Desktop.ini | smss.exe
File opened for modification | \??\E:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\E:\Desktop.ini | smss.exe
File opened for modification | \??\H:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\Z:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | Kazekage.exe
File opened for modification | \??\R:\Desktop.ini | Kazekage.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\T: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\J: | csrss.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\K: | system32.exe
File opened (read-only) | \??\A: | csrss.exe
File opened (read-only) | \??\V: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\U: | Kazekage.exe
File opened (read-only) | \??\X: | Kazekage.exe
File opened (read-only) | \??\G: | system32.exe
File opened (read-only) | \??\T: | smss.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\U: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\E: | system32.exe
File opened (read-only) | \??\L: | system32.exe
File opened (read-only) | \??\Z: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\Z: | Kazekage.exe
File opened (read-only) | \??\A: | system32.exe
File opened (read-only) | \??\Q: | smss.exe
File opened (read-only) | \??\S: | smss.exe
File opened (read-only) | \??\X: | Gaara.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\Q: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\I: | Gaara.exe
File opened (read-only) | \??\Y: | Gaara.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\I: | smss.exe
File opened (read-only) | \??\A: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\R: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\M: | smss.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\U: | csrss.exe
File opened (read-only) | \??\W: | system32.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\I: | Kazekage.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\Q: | system32.exe
File opened (read-only) | \??\P: | smss.exe
File opened (read-only) | \??\Y: | smss.exe
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\O: | Gaara.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\N: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\B: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\G: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\T: | Gaara.exe
File opened (read-only) | \??\S: | csrss.exe
File opened (read-only) | \??\A: | Kazekage.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\N:\Autorun.inf | Kazekage.exe
File opened for modification | F:\Autorun.inf | csrss.exe
File created | \??\L:\Autorun.inf | csrss.exe
File opened for modification | \??\Y:\Autorun.inf | system32.exe
File created | \??\V:\Autorun.inf | Kazekage.exe
File opened for modification | \??\A:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | \??\U:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\V:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | \??\R:\Autorun.inf | Gaara.exe
File opened for modification | \??\G:\Autorun.inf | csrss.exe
File opened for modification | \??\R:\Autorun.inf | csrss.exe
File created | \??\T:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Y:\Autorun.inf | Kazekage.exe
File created | \??\M:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | D:\Autorun.inf | smss.exe
File created | \??\H:\Autorun.inf | Gaara.exe
File created | \??\T:\Autorun.inf | system32.exe
File opened for modification | \??\N:\Autorun.inf | system32.exe
File created | \??\J:\Autorun.inf | Kazekage.exe
File opened for modification | \??\L:\Autorun.inf | Kazekage.exe
File created | \??\R:\Autorun.inf | Kazekage.exe
File created | D:\Autorun.inf | system32.exe
File opened for modification | \??\H:\Autorun.inf | system32.exe
File opened for modification | \??\X:\Autorun.inf | system32.exe
File opened for modification | \??\G:\Autorun.inf | Gaara.exe
File opened for modification | D:\Autorun.inf | csrss.exe
File created | \??\Z:\Autorun.inf | csrss.exe
File created | \??\O:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\Y:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | \??\P:\Autorun.inf | smss.exe
File created | \??\Y:\Autorun.inf | csrss.exe
File created | \??\B:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\I:\Autorun.inf | Kazekage.exe
File opened for modification | \??\N:\Autorun.inf | Kazekage.exe
File opened for modification | \??\V:\Autorun.inf | smss.exe
File created | \??\O:\Autorun.inf | csrss.exe
File created | \??\R:\Autorun.inf | system32.exe
File created | \??\I:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\Z:\Autorun.inf | Gaara.exe
File opened for modification | \??\P:\Autorun.inf | csrss.exe
File opened for modification | \??\P:\Autorun.inf | system32.exe
File created | \??\U:\Autorun.inf | Kazekage.exe
File opened for modification | \??\I:\Autorun.inf | csrss.exe
File opened for modification | \??\Z:\Autorun.inf | system32.exe
File created | \??\H:\Autorun.inf | Kazekage.exe
File opened for modification | \??\J:\Autorun.inf | Kazekage.exe
File opened for modification | C:\Autorun.inf | Gaara.exe
File created | \??\L:\Autorun.inf | Gaara.exe
File created | \??\Q:\Autorun.inf | system32.exe
File opened for modification | \??\I:\Autorun.inf | Gaara.exe
File created | \??\A:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\H:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Autorun.inf | csrss.exe
File opened for modification | \??\J:\Autorun.inf | csrss.exe
File created | \??\W:\Autorun.inf | csrss.exe
File opened for modification | \??\Z:\Autorun.inf | csrss.exe
File opened for modification | \??\W:\Autorun.inf | system32.exe
File created | \??\A:\Autorun.inf | Gaara.exe
File created | \??\J:\Autorun.inf | Gaara.exe
File opened for modification | \??\L:\Autorun.inf | Gaara.exe
File created | \??\S:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Autorun.inf | system32.exe
File opened for modification | \??\A:\Autorun.inf | Kazekage.exe
File opened for modification | \??\M:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Drops file in System32 directory 38 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File created | C:\Windows\SysWOW64\20-10-2024.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | system32.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
resource | yara_rule
behavioral1/memory/2736-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000014742-11.dat | upx
behavioral1/files/0x00080000000145c0-30.dat | upx
behavioral1/memory/2736-33-0x0000000000310000-0x000000000033A000-memory.dmp | upx
behavioral1/files/0x000700000001487c-55.dat | upx
behavioral1/files/0x0009000000014a1d-59.dat | upx
behavioral1/files/0x00080000000156b8-63.dat | upx
behavioral1/files/0x00070000000146f9-81.dat | upx
behavioral1/memory/1968-80-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2000-90-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00080000000156b8-109.dat | upx
behavioral1/files/0x0009000000014a1d-105.dat | upx
behavioral1/files/0x000700000001487c-101.dat | upx
behavioral1/memory/2736-123-0x0000000000310000-0x000000000033A000-memory.dmp | upx
behavioral1/memory/2736-122-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2724-132-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2800-130-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2832-137-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000014742-141.dat | upx
behavioral1/memory/2012-148-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00080000000156b8-163.dat | upx
behavioral1/memory/2000-177-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1072-185-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2660-184-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1876-194-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1072-192-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1876-197-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0009000000014a1d-198.dat | upx
behavioral1/memory/2512-208-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2012-205-0x0000000000830000-0x000000000085A000-memory.dmp | upx
behavioral1/memory/2012-204-0x0000000000830000-0x000000000085A000-memory.dmp | upx
behavioral1/files/0x00080000000156b8-219.dat | upx
behavioral1/memory/2152-233-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2012-232-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2152-238-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/844-242-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2364-246-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1144-249-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2512-251-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2292-256-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1788-272-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1720-279-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1700-284-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/744-286-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2292-285-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/744-290-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2924-293-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2200-300-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/328-303-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2052-306-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/328-308-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2052-312-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1428-313-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1428-318-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3048-319-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3048-325-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1520-329-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2272-334-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2624-342-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2736-343-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2724-344-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2000-345-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2012-346-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2512-347-0x0000000000400000-0x000000000042A000-memory.dmp | upx
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File opened for modification | C:\Windows\ | smss.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File created | C:\Windows\Fonts\The Kazekage.jpg | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\msvbvm60.dll | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\ | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | C:\Windows\WBEM\msvbvm60.dll | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\ | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Kazekage.exe
File created | C:\Windows\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\ | Gaara.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2636 | ping.exe
2188 | ping.exe
2788 | ping.exe
892 | ping.exe
1852 | ping.exe
2980 | ping.exe
2472 | ping.exe
2860 | ping.exe
1588 | ping.exe
1528 | ping.exe
832 | ping.exe
1592 | ping.exe
1520 | ping.exe
2348 | ping.exe
2276 | ping.exe
2620 | ping.exe
2668 | ping.exe
3052 | ping.exe
1556 | ping.exe
2660 | ping.exe
2932 | ping.exe
2704 | ping.exe
2828 | ping.exe
1712 | ping.exe
2320 | ping.exe
836 | ping.exe
3068 | ping.exe
2700 | ping.exe
1772 | ping.exe
2780 | ping.exe
1584 | ping.exe
2716 | ping.exe
1852 | ping.exe
2976 | ping.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Size = "72" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Modifies registry class 48 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Runs ping.exe 1 TTPs 34 IoCs
pid | Process
34 instances of ping.exe, PIDs: 2932, 1584, 2620, 2860, 2188, 1520, 2700, 2788, 1528, 3068, 3052, 2348, 2704, 2472, 1772, 1556, 1592, 1712, 2976, 2276, 1588, 2780, 2660, 1852, 2636, 2320, 892, 2668, 1852, 832, 2980, 836, 2716, 2828
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
2724 | smss.exe | 12
2000 | Gaara.exe | 12
2012 | csrss.exe | 12
2512 | Kazekage.exe | 12
2292 | system32.exe | 12
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe | 4
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
2724, 1968, 2800, 2660, 2152, 1788 | smss.exe
2000, 2832, 1072, 844, 1696, 1520 | Gaara.exe
2012, 1876, 2364, 1720, 2052, 2272 | csrss.exe
2512, 1144, 1700, 2200, 1428, 2636 | Kazekage.exe
2292, 744, 2924, 328, 3048, 2624 | system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 2736 wrote to memory of 2724 | 2736 | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe | 28 | 4
PID 2724 wrote to memory of 1968 | 2724 | smss.exe | 29 | 4
PID 2724 wrote to memory of 2000 | 2724 | smss.exe | 30 | 4
PID 2000 wrote to memory of 2800 | 2000 | Gaara.exe | 31 | 4
PID 2000 wrote to memory of 2832 | 2000 | Gaara.exe | 32 | 4
PID 2000 wrote to memory of 2012 | 2000 | Gaara.exe | 33 | 4
PID 2012 wrote to memory of 2660 | 2012 | csrss.exe | 34 | 4
PID 2012 wrote to memory of 1072 | 2012 | csrss.exe | 35 | 4
PID 2012 wrote to memory of 1876 | 2012 | csrss.exe | 36 | 4
PID 2012 wrote to memory of 2512 | 2012 | csrss.exe | 37 | 4
PID 2512 wrote to memory of 2152 | 2512 | Kazekage.exe | 38 | 4
PID 2512 wrote to memory of 844 | 2512 | Kazekage.exe | 39 | 4
PID 2512 wrote to memory of 2364 | 2512 | Kazekage.exe | 40 | 4
PID 2512 wrote to memory of 1144 | 2512 | Kazekage.exe | 41 | 4
PID 2512 wrote to memory of 2292 | 2512 | Kazekage.exe | 42 | 4
PID 2292 wrote to memory of 1788 | 2292 | system32.exe | 43 | 4
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2736

  [depth 2] C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
    cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 2724

    [depth 3] C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
      cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 1968

    [depth 3] C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
      cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 2000

      [depth 4] C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
        cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 2800

      [depth 4] C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
        cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 2832

      [depth 4] C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
        cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Event Triggered Execution: Image File Execution Options Injection
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2012

        [depth 5] C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
          cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2660

        [depth 5] C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
          cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 1072

        [depth 5] C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
          cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 1876

        [depth 5] C:\Windows\SysWOW64\drivers\Kazekage.exe
          cmdline: C:\Windows\system32\drivers\Kazekage.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Event Triggered Execution: Image File Execution Options Injection
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2512

          [depth 6] C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
            cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 2152

          [depth 6] C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
            cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 844

          [depth 6] C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
            cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 2364

          [depth 6] C:\Windows\SysWOW64\drivers\Kazekage.exe
            cmdline: C:\Windows\system32\drivers\Kazekage.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 1144

          [depth 6] C:\Windows\SysWOW64\drivers\system32.exe
            cmdline: C:\Windows\system32\drivers\system32.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Event Triggered Execution: Image File Execution Options Injection
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID: 2292

            [depth 7] C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
              cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 1788

            [depth 7] C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
              cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 1696

            [depth 7] C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
              cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 1720

            [depth 7] C:\Windows\SysWOW64\drivers\Kazekage.exe
              cmdline: C:\Windows\system32\drivers\Kazekage.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 1700

            [depth 7] C:\Windows\SysWOW64\drivers\system32.exe
              cmdline: C:\Windows\system32\drivers\system32.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 744

            [depth 7] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 892

            [depth 7] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 1852

            [depth 7] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 2636

            [depth 7] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 2620

            [depth 7] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 1588

            [depth 7] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 2188

          [depth 6] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 1520

          [depth 6] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2348

          [depth 6] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2668

          [depth 6] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2828

          [depth 6] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 1772

          [depth 6] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 1556

        [depth 5] C:\Windows\SysWOW64\drivers\system32.exe
          cmdline: C:\Windows\system32\drivers\system32.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2924

        [depth 5] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 1528

        [depth 5] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 1712

        [depth 5] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2704

        [depth 5] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2716

        [depth 5] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 3052

        [depth 5] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2860

      [depth 4] C:\Windows\SysWOW64\drivers\Kazekage.exe
        cmdline: C:\Windows\system32\drivers\Kazekage.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 2200

      [depth 4] C:\Windows\SysWOW64\drivers\system32.exe
        cmdline: C:\Windows\system32\drivers\system32.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 328

      [depth 4] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 2660

      [depth 4] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 1592

      [depth 4] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 1584

      [depth 4] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 2932

      [depth 4] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 1852

      [depth 4] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 832

    [depth 3] C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
      cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2052

    [depth 3] C:\Windows\SysWOW64\drivers\Kazekage.exe
      cmdline: C:\Windows\system32\drivers\Kazekage.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 1428

    [depth 3] C:\Windows\SysWOW64\drivers\system32.exe
      cmdline: C:\Windows\system32\drivers\system32.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 3048

    [depth 3] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2788

    [depth 3] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2780

    [depth 3] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2276

    [depth 3] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 836

    [depth 3] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2472

    [depth 3] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2700

  [depth 2] C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
    cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1520

  [depth 2] C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
    cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2272

  [depth 2] C:\Windows\SysWOW64\drivers\Kazekage.exe
    cmdline: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2636

  [depth 2] C:\Windows\SysWOW64\drivers\system32.exe
    cmdline: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2624

  [depth 2] C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2976

  [depth 2] C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2980

  [depth 2] C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 3068

  [depth 2] C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2320
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads