Analysis
max time kernel: 150s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2024, 23:23
Behavioral task: behavioral1
Sample: 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Size: 408KB
MD5: 6497575837718d9eb335fd2fbd03ffc7
SHA1: 0d433455b6649c8207d4a0ba37d76655a9574473
SHA256: ea41cceb229d9a122fb6b14672e1b37540d8580a4eeb7f7a94c08450f09cc363
SHA512: 0024efd2904d6358da50c0de281600639085b3f65e3747f297805fc04fbae59bc0a1846ede28ebbbf6b40c7aeea0bb9f7287aa75486c388b152e79efa005fcaf
SSDEEP: 12288:/VG84YDVG84YXVG84Y4VG84YDVG84YXVG84Yi:/VG89VG8BVG8uVG89VG8BVG80
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Executes dropped EXE 30 IoCs
pid | Process
884 | smss.exe
2996 | smss.exe
1160 | Gaara.exe
3436 | smss.exe
2480 | Gaara.exe
5068 | csrss.exe
4632 | smss.exe
1756 | Gaara.exe
3452 | csrss.exe
2684 | Kazekage.exe
2060 | smss.exe
2740 | Gaara.exe
2152 | csrss.exe
1704 | Kazekage.exe
2608 | system32.exe
2288 | smss.exe
3352 | Gaara.exe
1896 | csrss.exe
2188 | Kazekage.exe
316 | system32.exe
1384 | system32.exe
1048 | Kazekage.exe
3884 | system32.exe
2192 | csrss.exe
732 | Kazekage.exe
2576 | system32.exe
1244 | Gaara.exe
2076 | csrss.exe
4556 | Kazekage.exe
4492 | system32.exe
Loads dropped DLL 18 IoCs
pid | Process
884 | smss.exe
2996 | smss.exe
1160 | Gaara.exe
3436 | smss.exe
2480 | Gaara.exe
5068 | csrss.exe
4632 | smss.exe
1756 | Gaara.exe
3452 | csrss.exe
2060 | smss.exe
2740 | Gaara.exe
2152 | csrss.exe
2288 | smss.exe
3352 | Gaara.exe
1896 | csrss.exe
2192 | csrss.exe
1244 | Gaara.exe
2076 | csrss.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | csrss.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\M:\Desktop.ini | system32.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\L:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\P:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\A:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\T:\Desktop.ini | smss.exe
File opened for modification | \??\O:\Desktop.ini | Gaara.exe
File opened for modification | \??\J:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\E:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\U:\Desktop.ini | Gaara.exe
File opened for modification | \??\P:\Desktop.ini | system32.exe
File opened for modification | \??\N:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\O:\Desktop.ini | smss.exe
File opened for modification | \??\Q:\Desktop.ini | smss.exe
File opened for modification | D:\Desktop.ini | Gaara.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | \??\B:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | csrss.exe
File opened for modification | \??\Q:\Desktop.ini | csrss.exe
File opened for modification | \??\G:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\M:\Desktop.ini | Gaara.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | system32.exe
File opened for modification | \??\S:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\W:\Desktop.ini | smss.exe
File opened for modification | \??\N:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\G:\Desktop.ini | smss.exe
File opened for modification | \??\N:\Desktop.ini | csrss.exe
File opened for modification | \??\H:\Desktop.ini | system32.exe
File opened for modification | C:\Desktop.ini | csrss.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\N:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\B:\Desktop.ini | Gaara.exe
File opened for modification | \??\K:\Desktop.ini | Gaara.exe
File opened for modification | \??\L:\Desktop.ini | Gaara.exe
File opened for modification | F:\Desktop.ini | system32.exe
File opened for modification | \??\I:\Desktop.ini | smss.exe
File opened for modification | \??\R:\Desktop.ini | smss.exe
File opened for modification | \??\E:\Desktop.ini | csrss.exe
File opened for modification | \??\A:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | C:\Desktop.ini | Kazekage.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | csrss.exe
File opened for modification | \??\I:\Desktop.ini | Kazekage.exe
File opened for modification | \??\E:\Desktop.ini | system32.exe
File opened for modification | \??\L:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | smss.exe
File opened for modification | \??\Y:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | csrss.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | Kazekage.exe
File opened for modification | \??\X:\Desktop.ini | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | C:\Desktop.ini | smss.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | Gaara.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\R: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\A: | csrss.exe
File opened (read-only) | \??\E: | system32.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\K: | smss.exe
File opened (read-only) | \??\X: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\Y: | smss.exe
File opened (read-only) | \??\O: | Gaara.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\B: | system32.exe
File opened (read-only) | \??\V: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\N: | csrss.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\T: | smss.exe
File opened (read-only) | \??\B: | Kazekage.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\G: | Kazekage.exe
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\U: | csrss.exe
File opened (read-only) | \??\H: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\B: | smss.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\I: | smss.exe
File opened (read-only) | \??\L: | smss.exe
File opened (read-only) | \??\Z: | smss.exe
File opened (read-only) | \??\L: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\S: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\M: | smss.exe
File opened (read-only) | \??\T: | Gaara.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\G: | system32.exe
File opened (read-only) | \??\N: | system32.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\S: | csrss.exe
File opened (read-only) | \??\J: | Kazekage.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\Q: | system32.exe
File opened (read-only) | \??\G: | csrss.exe
File opened (read-only) | \??\Z: | Kazekage.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\K: | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\E: | csrss.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\W: | csrss.exe
File opened (read-only) | \??\U: | Kazekage.exe
File opened (read-only) | \??\G: | smss.exe
File opened (read-only) | \??\Q: | Gaara.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\M: | csrss.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\K: | Kazekage.exe
File opened (read-only) | \??\T: | csrss.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\V:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\O:\Autorun.inf | smss.exe
File opened for modification | \??\Y:\Autorun.inf | Gaara.exe
File created | \??\I:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | \??\N:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\B:\Autorun.inf | Gaara.exe
File created | \??\I:\Autorun.inf | Gaara.exe
File opened for modification | \??\U:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\T:\Autorun.inf | Gaara.exe
File opened for modification | C:\Autorun.inf | Kazekage.exe
File created | \??\V:\Autorun.inf | system32.exe
File created | \??\X:\Autorun.inf | system32.exe
File created | \??\N:\Autorun.inf | smss.exe
File created | \??\P:\Autorun.inf | csrss.exe
File created | \??\T:\Autorun.inf | csrss.exe
File opened for modification | \??\U:\Autorun.inf | Kazekage.exe
File created | \??\G:\Autorun.inf | system32.exe
File created | \??\B:\Autorun.inf | csrss.exe
File created | \??\O:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | \??\H:\Autorun.inf | smss.exe
File opened for modification | \??\Z:\Autorun.inf | smss.exe
File opened for modification | \??\Z:\Autorun.inf | Gaara.exe
File opened for modification | \??\A:\Autorun.inf | csrss.exe
File opened for modification | \??\H:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\S:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Q:\Autorun.inf | system32.exe
File created | \??\T:\Autorun.inf | smss.exe
File created | \??\A:\Autorun.inf | csrss.exe
File created | D:\Autorun.inf | system32.exe
File opened for modification | \??\J:\Autorun.inf | system32.exe
File opened for modification | \??\L:\Autorun.inf | smss.exe
File opened for modification | \??\A:\Autorun.inf | Gaara.exe
File opened for modification | F:\Autorun.inf | Gaara.exe
File opened for modification | \??\M:\Autorun.inf | Kazekage.exe
File opened for modification | \??\O:\Autorun.inf | Kazekage.exe
File opened for modification | \??\N:\Autorun.inf | smss.exe
File created | \??\O:\Autorun.inf | Kazekage.exe
File opened for modification | F:\Autorun.inf | smss.exe
File opened for modification | \??\V:\Autorun.inf | csrss.exe
File created | \??\N:\Autorun.inf | Kazekage.exe
File opened for modification | C:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | \??\S:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\Y:\Autorun.inf | system32.exe
File created | \??\K:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\M:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\I:\Autorun.inf | system32.exe
File opened for modification | \??\P:\Autorun.inf | system32.exe
File opened for modification | \??\U:\Autorun.inf | csrss.exe
File opened for modification | \??\P:\Autorun.inf | csrss.exe
File opened for modification | \??\A:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | D:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | \??\X:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\R:\Autorun.inf | smss.exe
File opened for modification | \??\L:\Autorun.inf | csrss.exe
File opened for modification | \??\V:\Autorun.inf | system32.exe
File created | \??\Z:\Autorun.inf | system32.exe
File created | \??\A:\Autorun.inf | smss.exe
File created | \??\H:\Autorun.inf | Gaara.exe
File opened for modification | \??\O:\Autorun.inf | Gaara.exe
File opened for modification | \??\V:\Autorun.inf | Gaara.exe
File opened for modification | \??\Y:\Autorun.inf | Kazekage.exe
File created | \??\P:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File opened for modification | \??\X:\Autorun.inf | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
File created | \??\L:\Autorun.inf | Kazekage.exe
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe Kazekage.exe File created C:\Windows\SysWOW64\Desktop.ini 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\20-10-2024.exe 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File created C:\Windows\SysWOW64\msvbvm60.dll 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ 
6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe csrss.exe File created C:\Windows\SysWOW64\mscomctl.ocx 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
resource yara_rule behavioral2/memory/752-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023bd4-11.dat upx behavioral2/files/0x0008000000023bd0-31.dat upx behavioral2/memory/884-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023bd3-41.dat upx behavioral2/files/0x0008000000023bd4-46.dat upx behavioral2/files/0x0008000000023bd6-53.dat upx behavioral2/files/0x0008000000023bd5-49.dat upx behavioral2/memory/2996-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023bd5-89.dat upx behavioral2/files/0x0008000000023bd4-85.dat upx behavioral2/files/0x0008000000023c05-97.dat upx behavioral2/files/0x0008000000023bd6-93.dat upx behavioral2/memory/2480-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023c05-138.dat upx behavioral2/files/0x0008000000023bd6-134.dat upx behavioral2/files/0x0008000000023bd5-130.dat upx behavioral2/memory/4632-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023bd5-178.dat upx behavioral2/memory/884-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023c05-182.dat upx 
behavioral2/memory/2060-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023bd5-226.dat upx behavioral2/memory/3352-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-302-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/752-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-470-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe system32.exe File opened for modification C:\Windows\ 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File created C:\Windows\msvbvm60.dll 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe system32.exe File opened for modification C:\Windows\system\mscoree.dll 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe csrss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe csrss.exe File opened for modification 
C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe smss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe Gaara.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll csrss.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\system\msvbvm60.dll 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File created C:\Windows\WBEM\msvbvm60.dll 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll 
6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\msvbvm60.dll 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe smss.exe File opened for modification C:\Windows\ Gaara.exe File created C:\Windows\system\msvbvm60.dll 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe Kazekage.exe File opened for modification C:\Windows\ system32.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe csrss.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
2308 ping.exe
3504 ping.exe
2708 ping.exe
1004 ping.exe
2844 ping.exe
4784 ping.exe
5024 ping.exe
3504 ping.exe
4964 ping.exe
244 ping.exe
532 ping.exe
2172 ping.exe
4600 ping.exe
808 ping.exe
1480 ping.exe
2320 ping.exe
1484 ping.exe
3752 ping.exe
1156 ping.exe
4648 ping.exe
2064 ping.exe
2020 ping.exe
1332 ping.exe
2244 ping.exe
4352 ping.exe
3480 ping.exe
4652 ping.exe
3416 ping.exe
4984 ping.exe
2480 ping.exe
1100 ping.exe
4996 ping.exe
3896 ping.exe
4872 ping.exe
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop system32.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control 
Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WallpaperStyle = "2" 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs 
files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe -
Modifies Internet Explorer settings 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
-
Modifies registry class 51 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
-
Runs ping.exe 1 TTPs 34 IoCs
pid Process
ping.exe, 34 instances, PIDs in report order: 4872, 2020, 5024, 4984, 4648, 2480, 4784, 3504, 3896, 2064, 532, 2844, 2320, 4600, 2708, 1332, 2172, 3416, 1004, 808, 1156, 2244, 3504, 4352, 3480, 1100, 4996, 4652, 4964, 3752, 1484, 244, 1480, 2308 (3504 appears twice: the PID was reused by a later instance)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (event count)
1160 Gaara.exe (24)
5068 csrss.exe (24)
2684 Kazekage.exe (16)
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process (grouped by image name)
752 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
884, 2996, 3436, 4632, 2060, 2288 smss.exe
1160, 2480, 1756, 2740, 3352, 1244 Gaara.exe
5068, 3452, 2152, 1896, 2192, 2076 csrss.exe
2684, 1704, 2188, 1048, 732, 4556 Kazekage.exe
2608, 316, 1384, 3884, 2576, 4492 system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Every parent/child pair below is logged three times in the raw report; each pair is listed once with its event count. The list stops at the 64-IoC display limit.
PID 752 (6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe) wrote to memory of 884, procid_target 84 (3 events)
PID 884 (smss.exe) wrote to memory of 2996, procid_target 85 (3 events)
PID 884 (smss.exe) wrote to memory of 1160, procid_target 88 (3 events)
PID 1160 (Gaara.exe) wrote to memory of 3436, procid_target 89 (3 events)
PID 1160 (Gaara.exe) wrote to memory of 2480, procid_target 90 (3 events)
PID 1160 (Gaara.exe) wrote to memory of 5068, procid_target 91 (3 events)
PID 5068 (csrss.exe) wrote to memory of 4632, procid_target 93 (3 events)
PID 5068 (csrss.exe) wrote to memory of 1756, procid_target 94 (3 events)
PID 5068 (csrss.exe) wrote to memory of 3452, procid_target 95 (3 events)
PID 5068 (csrss.exe) wrote to memory of 2684, procid_target 96 (3 events)
PID 2684 (Kazekage.exe) wrote to memory of 2060, procid_target 97 (3 events)
PID 2684 (Kazekage.exe) wrote to memory of 2740, procid_target 98 (3 events)
PID 2684 (Kazekage.exe) wrote to memory of 2152, procid_target 99 (3 events)
PID 2684 (Kazekage.exe) wrote to memory of 1704, procid_target 100 (3 events)
PID 2684 (Kazekage.exe) wrote to memory of 2608, procid_target 101 (3 events)
PID 2608 (system32.exe) wrote to memory of 2288, procid_target 102 (3 events)
PID 2608 (system32.exe) wrote to memory of 3352, procid_target 105 (3 events)
PID 2608 (system32.exe) wrote to memory of 1896, procid_target 106 (3 events)
PID 2608 (system32.exe) wrote to memory of 2188, procid_target 107 (3 events)
PID 2608 (system32.exe) wrote to memory of 316, procid_target 108 (3 events)
PID 5068 (csrss.exe) wrote to memory of 1384, procid_target 109 (3 events)
PID 1160 (Gaara.exe) wrote to memory of 1048, procid_target 110 (1 event shown; list truncated at 64)
-
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
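The registry writes in the sections above are the part of this report worth turning into a reusable check: the VBSFile Open/Open2/Edit verbs are pointed at calc.exe (so every .vbs double-click on the host, including an admin's cleanup script, now opens Calculator), the inffile Install verb becomes a forced reboot, EnableLUA is cleared (which only takes effect after that reboot), and the IE window title is defaced. The following is an added example, not tria.ge code and not part of the sample: it parses IoC entries in the format this page uses and labels the writes that change execution flow or security posture. The sample text embeds entries copied from the sections above plus one constructed Winlogon Shell entry (marked as such in the code) so the Winlogon rule is exercised; the RegEvent type, the rule labels and what counts as a finding are this example's own choices.

```python
"""Triage the registry IoC entries of a tria.ge report.

Added example for this page; it is not tria.ge code and not part of the sample.
The entry format is the one the report uses; the RegEvent type, the rule labels
and what counts as a finding are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# One entry as tria.ge renders it (several are run together on a single line):
#   Key created \REGISTRY\...\Main csrss.exe
#   Set value (str) \REGISTRY\...\Command\ = "calc.exe" smss.exe
# The trailing whitespace-delimited token ending in .exe is the writing process.
_ENTRY = re.compile(
    r'(?P<action>Key created|Set value \((?:str|int)\))\s+'
    r'(?P<path>\\REGISTRY\\[^="]+?)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+\.exe)'
)


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str               # key path (for a value write: the value's parent key)
    value: Optional[str]   # value name, "" for the default value, None for "Key created"
    data: Optional[str]
    process: str


def parse_events(text: str) -> Iterator[RegEvent]:
    """Yield every IoC entry found in the text, in report order."""
    for m in _ENTRY.finditer(text):
        path = m['path'].rstrip()
        if m['action'].startswith('Set value'):
            # A trailing backslash means the key's default value was written.
            key, _, value = path.rpartition('\\')
            yield RegEvent(m['action'], key, value, m['data'], m['proc'])
        else:
            yield RegEvent(m['action'], path, None, None, m['proc'])


def classify(ev: RegEvent) -> Optional[str]:
    """Label a value write that changes execution flow or security posture; None otherwise."""
    if ev.value is None:
        return None  # bare key creation precedes the write that matters; not a finding by itself
    key, val = ev.key.lower(), ev.value.lower()
    data = (ev.data or '').strip().lower()
    if key.endswith(r'\windows nt\currentversion\winlogon'):
        # Shell and Userinit are the two Winlogon values that launch programs at logon.
        if val == 'shell' and data != 'explorer.exe':
            return 'winlogon-shell-hijack'
        if val == 'userinit':
            extra = [p for p in data.split(',') if p.strip() and 'userinit.exe' not in p]
            if extra:
                return 'winlogon-userinit-hijack'
    if key.endswith(r'\policies\system') and val == 'enablelua' and data == '0':
        return 'uac-disabled'
    m = re.search(r'\\classes\\([^\\]+)\\shell\\([^\\]+)\\command$', key)
    if m and val == '':
        # Default value of HKCR\<progid>\shell\<verb>\command: what runs for that verb.
        return 'file-association-hijack:%s:%s' % m.groups()
    if key.endswith(r'\internet explorer\main') and val == 'window title':
        return 'ie-title-defacement'
    return None


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(label, writing process, 'key\\value = data') for each flagged write, de-duplicated."""
    seen, out = set(), []
    for ev in parse_events(text):
        label = classify(ev)
        if label is None:
            continue
        row = (label, ev.process, '%s\\%s = %s' % (ev.key, ev.value, ev.data))
        if row not in seen:
            seen.add(row)
            out.append(row)
    return out


# Entries copied from this report's "Modifies registry class", "System policy
# modification" and "Modifies Internet Explorer settings" sections, plus one
# CONSTRUCTED Winlogon Shell entry (last line; not from the report) so the
# Winlogon rule is exercised.
SAMPLE = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\example\\dropped.exe" smss.exe
'''

if __name__ == '__main__':
    for label, proc, what in triage(SAMPLE):
        print('%-40s %-14s %s' % (label, proc, what))
```

The same parser can be fed the whole signatures section of a report; on a live host the equivalent is exporting the Winlogon, Policies\System and Classes keys with reg.exe and running classify over the exported values. Winlogon is checked with its defaults in mind (Shell must be exactly explorer.exe, Userinit may contain nothing but userinit.exe), so a 32-bit writer under WOW6432Node is caught by the same suffix match.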
Processes
Each entry gives the tree depth, PID, image path and command line as captured, followed by the signatures that fired for that process.

[1] PID 752  C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  [2] PID 884  C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
    cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [3] PID 2996  C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
      cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    [3] PID 1160  C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
      cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

      [4] PID 3436  C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
        cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] PID 2480  C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
        cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] PID 5068  C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
        cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Event Triggered Execution: Image File Execution Options Injection
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [5] PID 4632  C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
          cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

        [5] PID 1756  C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
          cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

        [5] PID 3452  C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
          cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

        [5] PID 2684  C:\Windows\SysWOW64\drivers\Kazekage.exe
          cmdline: C:\Windows\system32\drivers\Kazekage.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Event Triggered Execution: Image File Execution Options Injection
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification

          [6] PID 2060  C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
            cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

          [6] PID 2740  C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
            cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

          [6] PID 2152  C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
            cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

          [6] PID 1704  C:\Windows\SysWOW64\drivers\Kazekage.exe
            cmdline: C:\Windows\system32\drivers\Kazekage.exe
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

          [6] PID 2608  C:\Windows\SysWOW64\drivers\system32.exe
            cmdline: C:\Windows\system32\drivers\system32.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Event Triggered Execution: Image File Execution Options Injection
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification

            [7] PID 2288  C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
              cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

            [7] PID 3352  C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
              cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

            [7] PID 1896  C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
              cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

            [7] PID 2188  C:\Windows\SysWOW64\drivers\Kazekage.exe
              cmdline: C:\Windows\system32\drivers\Kazekage.exe
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

            [7] PID 316  C:\Windows\SysWOW64\drivers\system32.exe
              cmdline: C:\Windows\system32\drivers\system32.exe
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

            [7] PID 1100  C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

            [7] PID 4964  C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

            [7] PID 3504  C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

            [7] PID 532  C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

          [6] PID 2172  C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

          [6] PID 4648  C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

          [6] PID 3480  C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

          [6] PID 4652  C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

          [6] PID 1480  C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

          [6] PID 2308  C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

        [5] PID 1384  C:\Windows\SysWOW64\drivers\system32.exe
          cmdline: C:\Windows\system32\drivers\system32.exe
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

        [5] PID 2244  C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

        [5] PID 2064  C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

        [5] PID 4784  C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

        [5] PID 4352  C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

        [5] PID 808  C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

        [5] PID 244  C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

      [4] PID 1048  C:\Windows\SysWOW64\drivers\Kazekage.exe
        cmdline: C:\Windows\system32\drivers\Kazekage.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] PID 3884  C:\Windows\SysWOW64\drivers\system32.exe
        cmdline: C:\Windows\system32\drivers\system32.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] PID 4984  C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

      [4] PID 3896  C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

      [4] PID 4600  C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

      [4] PID 2320  C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

      [4] PID 2020  C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

      [4] PID 4996  C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] PID 2192  C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
      cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    [3] PID 732  C:\Windows\SysWOW64\drivers\Kazekage.exe
      cmdline: C:\Windows\system32\drivers\Kazekage.exe
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    [3] PID 2576  C:\Windows\SysWOW64\drivers\system32.exe
      cmdline: C:\Windows\system32\drivers\system32.exe
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    [3] PID 5024  C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] PID 1332  C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] PID 2844  C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] PID 2480  C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] PID 1484  C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] PID 1004  C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

  [2] PID 1244  C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
    cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  [2] PID 2076  C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
    cmdline: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  [2] PID 4556  C:\Windows\SysWOW64\drivers\Kazekage.exe
    cmdline: C:\Windows\system32\drivers\Kazekage.exe
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  [2] PID 4492  C:\Windows\SysWOW64\drivers\system32.exe
    cmdline: C:\Windows\system32\drivers\system32.exe
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  [2] PID 2708  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

  [2] PID 1156  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

  [2] PID 4872  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

  [2] PID 3504  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

  [2] PID 3416  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

  [2] PID 3752  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
-
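Two things in this tree are worth hunting for independently of the sample's hashes: executables carrying core Windows process names (smss.exe, csrss.exe) launched from C:\Windows\Fonts\ and from a drivers directory, and the ping.exe fan-out. Note the captured command line, ping -a -l www.rasasayang.com.my 65500: -l takes the byte count as its next token, so ping.exe rejects the hostname in that position ("Bad value for option -l") and sends nothing, which is consistent with the empty Network section below; the form presumably intended was ping -a -l 65500 <host>. The following is an added example, not tria.ge code and not part of the sample: it runs those rules over process-creation records. The records reproduce four processes from the tree above plus two constructed ping records (one with the argument order corrected, one benign); the ProcEvent layout, the labels and the 1024-byte payload threshold are this example's assumptions, not a Sysmon or ETW schema.

```python
"""Hunt the process-tree patterns of this report in process-creation records.

Added example for this page; not tria.ge code and not part of the sample. The
ProcEvent layout, the labels and the payload threshold are this example's own
assumptions, not a Sysmon or ETW schema.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Core Windows processes that only ever run from System32 on a healthy host.
SYSTEM_PROCESS_NAMES = {'smss.exe', 'csrss.exe', 'wininit.exe', 'winlogon.exe',
                        'services.exe', 'lsass.exe'}
SYSTEM_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64')
PING_MAX = 65500               # upper bound ping.exe accepts for -l
PING_PAYLOAD_THRESHOLD = 1024  # bytes; a normal Windows echo request carries 32


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str        # full path of the executable
    cmdline: str
    parent_image: str


def ping_payload(cmdline: str) -> Tuple[Optional[int], Optional[str]]:
    """(payload size, error) for a ping.exe command line.

    Mirrors ping.exe's handling of -l: the token after it must be an integer in
    0..65500, otherwise the command is rejected outright and no packet is sent.
    """
    toks = cmdline.split()
    size = None
    i = 1
    while i < len(toks):
        if toks[i].lower() == '-l':
            if i + 1 >= len(toks) or not toks[i + 1].isdigit() or int(toks[i + 1]) > PING_MAX:
                return None, 'bad value for option -l'
            size = int(toks[i + 1])
            i += 2
            continue
        i += 1
    return size, None


def classify(ev: ProcEvent) -> List[str]:
    """Labels for one event; an empty list means nothing in this report's pattern matched."""
    findings: List[str] = []
    image = ev.image.lower()
    name, directory = ntpath.basename(image), ntpath.dirname(image)
    if name in SYSTEM_PROCESS_NAMES and not directory.startswith(SYSTEM_DIRS):
        findings.append('masquerade:' + name)
    if directory.startswith(r'c:\windows\fonts'):
        findings.append('exec-from-fonts-dir')
    if directory.endswith(r'\drivers'):
        findings.append('user-exe-in-drivers-dir')
    if name == 'ping.exe':
        size, err = ping_payload(ev.cmdline)
        if err:
            findings.append('ping-rejected:' + err)
        elif size is not None and size >= PING_PAYLOAD_THRESHOLD:
            findings.append('icmp-large-payload:%d' % size)
    return findings


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(pid, label) for every finding over a batch of events, in input order."""
    return [(ev.pid, label) for ev in events for label in classify(ev)]


FONTS_DIR = r'C:\Windows\Fonts\Admin 20 - 10 - 2024'
EVENTS = [
    # Records 1-4 reproduce processes from this report's tree.
    ProcEvent(752, r'C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe',
              r'"C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe"', ''),
    ProcEvent(884, FONTS_DIR + r'\smss.exe', '"%s\\smss.exe"' % FONTS_DIR,
              r'C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe'),
    ProcEvent(2684, r'C:\Windows\SysWOW64\drivers\Kazekage.exe', r'C:\Windows\system32\drivers\Kazekage.exe',
              FONTS_DIR + r'\csrss.exe'),
    ProcEvent(1100, r'C:\Windows\SysWOW64\ping.exe', 'ping -a -l www.rasasayang.com.my 65500',
              r'C:\Windows\SysWOW64\drivers\system32.exe'),
    # CONSTRUCTED: the same ping with the argument order the author presumably meant.
    ProcEvent(9001, r'C:\Windows\SysWOW64\ping.exe', 'ping -a -l 65500 www.rasasayang.com.my',
              r'C:\Windows\SysWOW64\drivers\system32.exe'),
    # CONSTRUCTED: an ordinary admin ping, which must not fire.
    ProcEvent(9002, r'C:\Windows\System32\ping.exe', 'ping -n 1 10.0.0.1', r'C:\Windows\System32\cmd.exe'),
]

if __name__ == '__main__':
    for pid, label in hunt(EVENTS):
        print(pid, label)
```

The masquerade rule keys on image path rather than name alone because the real smss.exe and csrss.exe never run from anywhere but System32; the drivers-directory rule catches Kazekage.exe and system32.exe, which are user-mode executables parked where only kernel drivers belong. The ping rule deliberately distinguishes a rejected command line from a real large-payload flood, so a hunt over this sample's activity reports the attempt without claiming traffic that was never sent.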
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads