metasploit | 7de4139f6a85b50229330443e20993dc94fa106fa66002673d03a6b5e92d58d9

General

Target

f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
Size

167KB
MD5

f514765530986c23a91058653a7a6eff
SHA1

e6bedcdecdacd57424d7749a1e37ed1435fbaa39
SHA256

7de4139f6a85b50229330443e20993dc94fa106fa66002673d03a6b5e92d58d9
SHA512

4390acc9d8c4ccb94797865557073145ddfe57fe6df3ef382d4d46b8b95ffab0715dc3d2106e724a057acf5eed414c99aef6ea5f66c4817c607cbb8fb8f61bc3
SSDEEP

3072:EGEEhNJBwT7tYWLOumoJQX2ZNcjopjiuwCdf6/dZ9OlEGe8:EGPUT7rCum6QXUNiS/yklle8

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Deletes itself 1 IoCs

Processes:

wmpfv1.exe

pid process

2660 wmpfv1.exe

pid	process
2660	wmpfv1.exe

Executes dropped EXE 38 IoCs

Processes:

wmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

pid	process
2096	wmpfv1.exe
2660	wmpfv1.exe
2032	wmpfv1.exe
1232	wmpfv1.exe
2336	wmpfv1.exe
1812	wmpfv1.exe
1544	wmpfv1.exe
1328	wmpfv1.exe
1500	wmpfv1.exe
2868	wmpfv1.exe
1904	wmpfv1.exe
400	wmpfv1.exe
952	wmpfv1.exe
1212	wmpfv1.exe
2856	wmpfv1.exe
2364	wmpfv1.exe
3068	wmpfv1.exe
2128	wmpfv1.exe
2844	wmpfv1.exe
2608	wmpfv1.exe
2496	wmpfv1.exe
380	wmpfv1.exe
2680	wmpfv1.exe
2040	wmpfv1.exe
1676	wmpfv1.exe
1476	wmpfv1.exe
2316	wmpfv1.exe
3028	wmpfv1.exe
1804	wmpfv1.exe
824	wmpfv1.exe
2260	wmpfv1.exe
1300	wmpfv1.exe
1660	wmpfv1.exe
2896	wmpfv1.exe
2216	wmpfv1.exe
2520	wmpfv1.exe
972	wmpfv1.exe
2224	wmpfv1.exe

Loads dropped DLL 38 IoCs

Processes:

f514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

pid	process
2696	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
2696	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
2660	wmpfv1.exe
2660	wmpfv1.exe
1232	wmpfv1.exe
1232	wmpfv1.exe
1812	wmpfv1.exe
1812	wmpfv1.exe
1328	wmpfv1.exe
1328	wmpfv1.exe
2868	wmpfv1.exe
2868	wmpfv1.exe
400	wmpfv1.exe
400	wmpfv1.exe
1212	wmpfv1.exe
1212	wmpfv1.exe
2364	wmpfv1.exe
2364	wmpfv1.exe
2128	wmpfv1.exe
2128	wmpfv1.exe
2608	wmpfv1.exe
2608	wmpfv1.exe
380	wmpfv1.exe
380	wmpfv1.exe
2040	wmpfv1.exe
2040	wmpfv1.exe
1476	wmpfv1.exe
1476	wmpfv1.exe
3028	wmpfv1.exe
3028	wmpfv1.exe
824	wmpfv1.exe
824	wmpfv1.exe
1300	wmpfv1.exe
1300	wmpfv1.exe
2896	wmpfv1.exe
2896	wmpfv1.exe
2520	wmpfv1.exe
2520	wmpfv1.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2696-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2696-4-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2696-6-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2696-11-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2696-13-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2696-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2696-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2696-25-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2660-41-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2660-44-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2660-43-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2660-47-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1232-63-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1232-69-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1812-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1812-85-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1812-86-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1812-90-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1328-105-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1328-106-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1328-114-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2868-128-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2868-136-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/400-150-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/400-158-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1212-174-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1212-180-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2364-194-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2364-202-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2128-223-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2608-238-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2608-245-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/380-259-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/380-267-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2040-281-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2040-289-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1476-304-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1476-309-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3028-322-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3028-327-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/824-340-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/824-345-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1300-360-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1300-363-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2896-376-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2896-381-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2520-395-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2520-399-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Drops file in System32 directory 38 IoCs

Processes:

f514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe

Suspicious use of SetThreadContext 20 IoCs

Processes:

f514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

description	pid	process	target process
PID 2128 set thread context of 2696	2128	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2096 set thread context of 2660	2096	wmpfv1.exe	wmpfv1.exe
PID 2032 set thread context of 1232	2032	wmpfv1.exe	wmpfv1.exe
PID 2336 set thread context of 1812	2336	wmpfv1.exe	wmpfv1.exe
PID 1544 set thread context of 1328	1544	wmpfv1.exe	wmpfv1.exe
PID 1500 set thread context of 2868	1500	wmpfv1.exe	wmpfv1.exe
PID 1904 set thread context of 400	1904	wmpfv1.exe	wmpfv1.exe
PID 952 set thread context of 1212	952	wmpfv1.exe	wmpfv1.exe
PID 2856 set thread context of 2364	2856	wmpfv1.exe	wmpfv1.exe
PID 3068 set thread context of 2128	3068	wmpfv1.exe	wmpfv1.exe
PID 2844 set thread context of 2608	2844	wmpfv1.exe	wmpfv1.exe
PID 2496 set thread context of 380	2496	wmpfv1.exe	wmpfv1.exe
PID 2680 set thread context of 2040	2680	wmpfv1.exe	wmpfv1.exe
PID 1676 set thread context of 1476	1676	wmpfv1.exe	wmpfv1.exe
PID 2316 set thread context of 3028	2316	wmpfv1.exe	wmpfv1.exe
PID 1804 set thread context of 824	1804	wmpfv1.exe	wmpfv1.exe
PID 2260 set thread context of 1300	2260	wmpfv1.exe	wmpfv1.exe
PID 1660 set thread context of 2896	1660	wmpfv1.exe	wmpfv1.exe
PID 2216 set thread context of 2520	2216	wmpfv1.exe	wmpfv1.exe
PID 972 set thread context of 2224	972	wmpfv1.exe	wmpfv1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

f514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

pid	process
2696	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
2660	wmpfv1.exe
1232	wmpfv1.exe
1812	wmpfv1.exe
1328	wmpfv1.exe
2868	wmpfv1.exe
400	wmpfv1.exe
1212	wmpfv1.exe
2364	wmpfv1.exe
2128	wmpfv1.exe
2608	wmpfv1.exe
380	wmpfv1.exe
2040	wmpfv1.exe
1476	wmpfv1.exe
3028	wmpfv1.exe
824	wmpfv1.exe
1300	wmpfv1.exe
2896	wmpfv1.exe
2520	wmpfv1.exe
2224	wmpfv1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f514765530986c23a91058653a7a6eff_JaffaCakes118.exef514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

description	pid	process	target process
PID 2128 wrote to memory of 2696	2128	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2128 wrote to memory of 2696	2128	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2128 wrote to memory of 2696	2128	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2128 wrote to memory of 2696	2128	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2128 wrote to memory of 2696	2128	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2128 wrote to memory of 2696	2128	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2128 wrote to memory of 2696	2128	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2128 wrote to memory of 2696	2128	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2696 wrote to memory of 2096	2696	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	wmpfv1.exe
PID 2696 wrote to memory of 2096	2696	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	wmpfv1.exe
PID 2696 wrote to memory of 2096	2696	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	wmpfv1.exe
PID 2696 wrote to memory of 2096	2696	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	wmpfv1.exe
PID 2096 wrote to memory of 2660	2096	wmpfv1.exe	wmpfv1.exe
PID 2096 wrote to memory of 2660	2096	wmpfv1.exe	wmpfv1.exe
PID 2096 wrote to memory of 2660	2096	wmpfv1.exe	wmpfv1.exe
PID 2096 wrote to memory of 2660	2096	wmpfv1.exe	wmpfv1.exe
PID 2096 wrote to memory of 2660	2096	wmpfv1.exe	wmpfv1.exe
PID 2096 wrote to memory of 2660	2096	wmpfv1.exe	wmpfv1.exe
PID 2096 wrote to memory of 2660	2096	wmpfv1.exe	wmpfv1.exe
PID 2096 wrote to memory of 2660	2096	wmpfv1.exe	wmpfv1.exe
PID 2660 wrote to memory of 2032	2660	wmpfv1.exe	wmpfv1.exe
PID 2660 wrote to memory of 2032	2660	wmpfv1.exe	wmpfv1.exe
PID 2660 wrote to memory of 2032	2660	wmpfv1.exe	wmpfv1.exe
PID 2660 wrote to memory of 2032	2660	wmpfv1.exe	wmpfv1.exe
PID 2032 wrote to memory of 1232	2032	wmpfv1.exe	wmpfv1.exe
PID 2032 wrote to memory of 1232	2032	wmpfv1.exe	wmpfv1.exe
PID 2032 wrote to memory of 1232	2032	wmpfv1.exe	wmpfv1.exe
PID 2032 wrote to memory of 1232	2032	wmpfv1.exe	wmpfv1.exe
PID 2032 wrote to memory of 1232	2032	wmpfv1.exe	wmpfv1.exe
PID 2032 wrote to memory of 1232	2032	wmpfv1.exe	wmpfv1.exe
PID 2032 wrote to memory of 1232	2032	wmpfv1.exe	wmpfv1.exe
PID 2032 wrote to memory of 1232	2032	wmpfv1.exe	wmpfv1.exe
PID 1232 wrote to memory of 2336	1232	wmpfv1.exe	wmpfv1.exe
PID 1232 wrote to memory of 2336	1232	wmpfv1.exe	wmpfv1.exe
PID 1232 wrote to memory of 2336	1232	wmpfv1.exe	wmpfv1.exe
PID 1232 wrote to memory of 2336	1232	wmpfv1.exe	wmpfv1.exe
PID 2336 wrote to memory of 1812	2336	wmpfv1.exe	wmpfv1.exe
PID 2336 wrote to memory of 1812	2336	wmpfv1.exe	wmpfv1.exe
PID 2336 wrote to memory of 1812	2336	wmpfv1.exe	wmpfv1.exe
PID 2336 wrote to memory of 1812	2336	wmpfv1.exe	wmpfv1.exe
PID 2336 wrote to memory of 1812	2336	wmpfv1.exe	wmpfv1.exe
PID 2336 wrote to memory of 1812	2336	wmpfv1.exe	wmpfv1.exe
PID 2336 wrote to memory of 1812	2336	wmpfv1.exe	wmpfv1.exe
PID 2336 wrote to memory of 1812	2336	wmpfv1.exe	wmpfv1.exe
PID 1812 wrote to memory of 1544	1812	wmpfv1.exe	wmpfv1.exe
PID 1812 wrote to memory of 1544	1812	wmpfv1.exe	wmpfv1.exe
PID 1812 wrote to memory of 1544	1812	wmpfv1.exe	wmpfv1.exe
PID 1812 wrote to memory of 1544	1812	wmpfv1.exe	wmpfv1.exe
PID 1544 wrote to memory of 1328	1544	wmpfv1.exe	wmpfv1.exe
PID 1544 wrote to memory of 1328	1544	wmpfv1.exe	wmpfv1.exe
PID 1544 wrote to memory of 1328	1544	wmpfv1.exe	wmpfv1.exe
PID 1544 wrote to memory of 1328	1544	wmpfv1.exe	wmpfv1.exe
PID 1544 wrote to memory of 1328	1544	wmpfv1.exe	wmpfv1.exe
PID 1544 wrote to memory of 1328	1544	wmpfv1.exe	wmpfv1.exe
PID 1544 wrote to memory of 1328	1544	wmpfv1.exe	wmpfv1.exe
PID 1544 wrote to memory of 1328	1544	wmpfv1.exe	wmpfv1.exe
PID 1328 wrote to memory of 1500	1328	wmpfv1.exe	wmpfv1.exe
PID 1328 wrote to memory of 1500	1328	wmpfv1.exe	wmpfv1.exe
PID 1328 wrote to memory of 1500	1328	wmpfv1.exe	wmpfv1.exe
PID 1328 wrote to memory of 1500	1328	wmpfv1.exe	wmpfv1.exe
PID 1500 wrote to memory of 2868	1500	wmpfv1.exe	wmpfv1.exe
PID 1500 wrote to memory of 2868	1500	wmpfv1.exe	wmpfv1.exe
PID 1500 wrote to memory of 2868	1500	wmpfv1.exe	wmpfv1.exe
PID 1500 wrote to memory of 2868	1500	wmpfv1.exe	wmpfv1.exe

C:\Users\Admin\AppData\Local\Temp\f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f514765530986c23a91058653a7a6eff_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f514765530986c23a91058653a7a6eff_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Users\Admin\AppData\Local\Temp\F51476~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Users\Admin\AppData\Local\Temp\F51476~1.EXE
4⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2868

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1904

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:400

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:952

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2856

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3068

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2844

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2496

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2680

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1676

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1476

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2316

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1804

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2260

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
34⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1660

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
36⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2216

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
38⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:972

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
40⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2224

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\wmpfv1.exe
Filesize
167KB

MD5
f514765530986c23a91058653a7a6eff

SHA1
e6bedcdecdacd57424d7749a1e37ed1435fbaa39

SHA256
7de4139f6a85b50229330443e20993dc94fa106fa66002673d03a6b5e92d58d9

SHA512
4390acc9d8c4ccb94797865557073145ddfe57fe6df3ef382d4d46b8b95ffab0715dc3d2106e724a057acf5eed414c99aef6ea5f66c4817c607cbb8fb8f61bc3

Download Submit
memory/380-259-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/380-267-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/400-158-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/400-150-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/824-345-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/824-340-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1212-180-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1212-174-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1232-63-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1232-69-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1300-363-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1300-360-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1328-114-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1328-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1328-105-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1476-309-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1476-304-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1812-86-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1812-90-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1812-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1812-85-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2040-281-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2040-289-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2096-39-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2128-223-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2128-10-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2336-82-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2364-194-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2364-202-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2520-395-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2520-399-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2608-245-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2608-238-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2660-44-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2660-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2660-41-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2660-47-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2696-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2696-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2696-25-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2696-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2696-4-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2696-6-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2696-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2696-13-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2696-11-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2868-136-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2868-128-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2896-376-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2896-381-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3028-327-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3028-322-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads