Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2024, 23:23

General

  • Target

    6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe

  • Size

    408KB

  • MD5

    6497575837718d9eb335fd2fbd03ffc7

  • SHA1

    0d433455b6649c8207d4a0ba37d76655a9574473

  • SHA256

    ea41cceb229d9a122fb6b14672e1b37540d8580a4eeb7f7a94c08450f09cc363

  • SHA512

    0024efd2904d6358da50c0de281600639085b3f65e3747f297805fc04fbae59bc0a1846ede28ebbbf6b40c7aeea0bb9f7287aa75486c388b152e79efa005fcaf

  • SSDEEP

    12288:/VG84YDVG84YXVG84Y4VG84YDVG84YXVG84Yi:/VG89VG8BVG8uVG89VG8BVG80

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6497575837718d9eb335fd2fbd03ffc7_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:752
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:884
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2996
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1160
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3436
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2480
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5068
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4632
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1756
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3452
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2684
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2060
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2740
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2152
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1704
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2608
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2288
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3352
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1896
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2188
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:316
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1100
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4964
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3504
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:532
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2172
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4648
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3480
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4652
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1480
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2308
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1384
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2244
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2064
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4784
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4352
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:808
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:244
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1048
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3884
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4984
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3896
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4600
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2320
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2020
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4996
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2192
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:732
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2576
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5024
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1332
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2844
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2480
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1484
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1004
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1244
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2076
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4556
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4492
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2708
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1156
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4872
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3504
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3416
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

    Filesize

    408KB

    MD5

    09b0b71f501e9a6de5378b96c5c6369e

    SHA1

    0d387eb0fbc874eaa217951e0a0c9545f2de00e1

    SHA256

    84eba05f97ac5293fb636de3e6df379bae94d8c16f057118645342c8d194c7ef

    SHA512

    b7ac5fe10ad6f0716985fc9621a14018957ac08a3d2baacf74ac202158bb3d563192aa71fc5375edb94a6977cfd68bda3a3aa0330c36babbff42514edd9bb651

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    408KB

    MD5

    6497575837718d9eb335fd2fbd03ffc7

    SHA1

    0d433455b6649c8207d4a0ba37d76655a9574473

    SHA256

    ea41cceb229d9a122fb6b14672e1b37540d8580a4eeb7f7a94c08450f09cc363

    SHA512

    0024efd2904d6358da50c0de281600639085b3f65e3747f297805fc04fbae59bc0a1846ede28ebbbf6b40c7aeea0bb9f7287aa75486c388b152e79efa005fcaf

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    408KB

    MD5

    c583485d4da465548f41501a45e74e3e

    SHA1

    5f717ad33bf3bebfa316052253530bea2d76761c

    SHA256

    9fbf682c675dbd46108054ebbeac0196e71661f6669784432a13a7636a3c3bd4

    SHA512

    f2f1f63d363cfa71062133e80e79d6bd0eddc359424199a54abb84a50570f6c110f25222617141eda2291f406d3d90f524161cf5e5dd3338f60ffc28447ebd96

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    408KB

    MD5

    9de7f072415d48aac3eb493395e3487f

    SHA1

    7769760ab31b873014dcec0d0299f4b231e5f6a2

    SHA256

    411c4dbc68e2208280b18717c1e3fa2397e96ed97d79fcc8951fc5b8f19bf511

    SHA512

    26c37acf14159b2ac267dac503f69c08068595549d3d58a8a330b83d1109aa3de99eac1f4d99a1244aee9ef6101350699a412b3a8644a7d556456aa14f37c8bb

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

    Filesize

    408KB

    MD5

    ee788454ceb1d1c6a46b7e2f9c682b53

    SHA1

    e81e9da91ef612c0f069ce739f96f931cc6f7e14

    SHA256

    1e10a9197e1dc0d9813e763c3a206819f001eb5c35dd5317d168c4948b00b01e

    SHA512

    a93829bffe6f872986587aa8404a2da22685b8e64d7fc819658fa2ef131be1d3727bb0ae599ec5fb9749132de803dbab8b08251cb0c5bd50ab133463a70d88da

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    408KB

    MD5

    4c657419a7be939c20c40fa29cfc406c

    SHA1

    bb5bd6c2e7e4de4cf4f122bf55fdb8afcc4acfdd

    SHA256

    210c94654b72e851eb1d826c9fe38eb57735cc52a9e68fd73ab1e441ae74b952

    SHA512

    7f0bef4ffca6a46b73065a3f2519a9eae32ad739e8f088ed64ad3404f9f1c3c237f8d81fa4cadc43a8d01561c1be6b488a52c7628e8fb103a80db5b08ccb5657

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    408KB

    MD5

    83bdfc1483795437b5aeb915208b91eb

    SHA1

    e1150b44fdef883a4e0814f535a18055a07a0ac2

    SHA256

    df42164193c6ca8c3d4877f1abdd16e4fc13267a505852dc5c25f47911a1f63b

    SHA512

    5602721b81ecf59a4878d5ed3c65322d29b8c34f54c2608c50f98835ec5ab01b6df0bc64206a71f946e63d6c887b24f8e1e60b7163e982e174a8a9d35dd8402f

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    408KB

    MD5

    4d9dc78bf000bcf60349f7a9d9622531

    SHA1

    ee77c28631b6292833b10f9cc94bbda20f519b3f

    SHA256

    4d5b23a52d9b1ae16ab96c3bf2c658435957323ceb379c3da287a86b304cc78e

    SHA512

    56e5683f617a323227301359d3872812bae577734fc894ac8f9627d29f47351b0b51d955ddd3e70f4c00b04562a9af58d3450dfad7813a2ec8c59e7889c23a7d

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    408KB

    MD5

    57b56b1c484d2e3c6342e37e8f90ca71

    SHA1

    ea7dfef44fcb341cdada0b38c4b5a1c649a33581

    SHA256

    c32a0c3d78d234d4ab78bdcb94e7fc307afad1cfe6229344bea3e48a584a3d72

    SHA512

    de47aade2d4733f846860ea1291e853ed6b8094779ce9564486e73ab921e9c57ccc508e1a2bb252b2c3bf5a57584899668d671e48bb11af850e12e9b26278e80

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    408KB

    MD5

    cc6e2adfcc7e7fe442889684dd326228

    SHA1

    6be38722a158902cbcfd6067550403c248ea0c97

    SHA256

    519de8e4c915eb536b73a69071569a3fbc2964fbd6e1eb1ad939f4e37aa59075

    SHA512

    4155636484e76abfb1069da31d0db88df0e6f41abde62085ff836a98f42ec6e31f3b943c45dc1150ff5f74c946c216ba6aab4c23c3b0b8bed40ed684b44de43c

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    408KB

    MD5

    f6c9dce4d1b8b98701c8b7dd2bc6fb31

    SHA1

    4ef2c452b3e475ccd061e33a8f88eab51c03fa81

    SHA256

    56d8547249a95557aa6c67e21b8c0ea80cc24fb1c5adb789d8e4a40361ef36c0

    SHA512

    bbbfc4c0e0bd80e39371bb7bfac777acbcaf61ebf541870ce71f93de8659765ef3c838281bdac1d65a9942761f14f6a56b74dce0ed95600ca3ed2b4a89822767

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    408KB

    MD5

    9236d8042d35313df9c3d2bd8124bb4a

    SHA1

    3ae840f735f8d23d5bc8a1c0aaa3f5f2a07f2187

    SHA256

    e5bbd0cc44e74aba3efc3baf5ecc72c0bcdf9394b8342fd6da1faf2f4641b258

    SHA512

    67e7a6b8815bdb2b7fdbf1179f86e0fb2f817584d681a46805865dfaf1b0cf25d7ef82597b19a7243e9555f8f5c9feabca09205b953deefc948a3746377aa2c7

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    408KB

    MD5

    5136af0639629ae56d4b4175230f4a2c

    SHA1

    ff8ce26a7b11cd36bad2080cf09b2f2f9aa4e157

    SHA256

    080162b1a80d07d4a10622e4bf6dac2feb94d2f32989edf932afe82a6cda5325

    SHA512

    fb1c0214fe294fc4b69155ad3091a6f3390579b92d8462f91cb89d39768f339d929a9742f77fe055391222f06f523cb01102a389b39a43cba2a12141d022b2b8

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    408KB

    MD5

    1e087f90194d2d0bd7d6d3d44fc91c49

    SHA1

    8903121a4b5138b58ddb6df67e5c5186c2581a8a

    SHA256

    ca016c8fbd0662864516ae5d9a283951d741c1c23ca567286c634732e0ee31d3

    SHA512

    e4268d4820331305906c50216ffc098c3eb9af47187b18a591318888118a0891ed180df62b540d403b1857e6d46c33732c566552b0351145117dde2bc16c28ea

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    408KB

    MD5

    f8b53b6df50d937f5553dee9553f812e

    SHA1

    2fc044358af06e129c3c0ca80cc41cca27b6a835

    SHA256

    c9b6f3d9f68ab820fbb322ec1bd7e1c99c47fc75edab91261aa7f49aa7df5035

    SHA512

    f89a4e51a67c95c9b8ddaa356901f9f93865b998c9aa1056f7e99241494999b1ad03cb23f12ccfbf247a8283de42a09983d6cdf1742ed049be2670ee5a516231

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    408KB

    MD5

    7e9cb58fe3dacc3e5cc0869fc78442af

    SHA1

    229c49f70648571688075c56c92258a3f2d324b9

    SHA256

    eadfcf3996a06228579eecfabd2a3753daf4ffaf7dad39de388fc46bc6fbac0a

    SHA512

    219d4efedca67153b0898be039085c04eafb15ee7b534eb28d89bf966b6e509d1ac7b8aad2722ea461979730234d0b3fb808e7dbd8924b6a8ffcab668dce1cb4

  • C:\Windows\System\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • F:\Admin Games\Gaara games - Naruto.exe

    Filesize

    408KB

    MD5

    e7ed183919f679d823d3b34fc84f8728

    SHA1

    da16fbf31d25eb6753ef7abe795e431056926e48

    SHA256

    7cd03e164eae6731f53ae575351f02aacea715f4d9ddedf0ef4f2c75946c5242

    SHA512

    76f5ddf9de2bb207d1e23a94aaa20abdaa2e13cb99e3d45fdf33ea73dff33b6cf2ff74986462c0f04678994210a7f35b64553496df5ac0b7b8ee337ef645dcbf

  • F:\Admin Games\Gaara games - Naruto.exe

    Filesize

    408KB

    MD5

    7be882f461208d360149b15be5407441

    SHA1

    0a1c318ae3a2e849c527c18947a6c12d0cd71219

    SHA256

    8210b3c0fe3642c3a5265a9677c15a608dd015d94d339e034678a426ba8cb662

    SHA512

    bbc4fcd085ecdeb851ea8a30051d89c195bfb8bb56ca15fcecb8f07d4bb58c3b7d850887d89cb99bb04f21541187a34a14450e169566d55c3cbc204e5f087396

  • memory/316-258-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/732-282-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/752-411-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/752-170-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/752-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/752-303-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/884-304-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/884-34-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/884-412-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/884-195-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1048-269-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1160-305-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1160-75-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1160-206-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1160-470-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1244-287-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1244-291-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1384-262-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1704-216-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1756-163-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1896-249-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2060-201-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2152-213-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2188-254-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2192-277-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2480-124-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2480-114-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2576-280-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2576-286-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2608-219-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2608-308-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2608-275-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2684-252-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2684-171-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2684-538-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2684-307-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2740-209-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2996-70-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2996-81-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3352-245-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3452-169-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3452-160-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3884-272-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4492-302-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4556-298-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4632-156-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/5068-306-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/5068-471-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/5068-122-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/5068-238-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB