metasploit | 7de4139f6a85b50229330443e20993dc94fa106fa66002673d03a6b5e92d58d9

General

Target

f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
Size

167KB
MD5

f514765530986c23a91058653a7a6eff
SHA1

e6bedcdecdacd57424d7749a1e37ed1435fbaa39
SHA256

7de4139f6a85b50229330443e20993dc94fa106fa66002673d03a6b5e92d58d9
SHA512

4390acc9d8c4ccb94797865557073145ddfe57fe6df3ef382d4d46b8b95ffab0715dc3d2106e724a057acf5eed414c99aef6ea5f66c4817c607cbb8fb8f61bc3
SSDEEP

3072:EGEEhNJBwT7tYWLOumoJQX2ZNcjopjiuwCdf6/dZ9OlEGe8:EGPUT7rCum6QXUNiS/yklle8

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exef514765530986c23a91058653a7a6eff_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wmpfv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

wmpfv1.exe

pid process

4916 wmpfv1.exe

pid	process
4916	wmpfv1.exe

Executes dropped EXE 30 IoCs

Processes:

wmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

pid	process
1180	wmpfv1.exe
4916	wmpfv1.exe
3128	wmpfv1.exe
1852	wmpfv1.exe
440	wmpfv1.exe
3388	wmpfv1.exe
2748	wmpfv1.exe
3204	wmpfv1.exe
4224	wmpfv1.exe
3496	wmpfv1.exe
4084	wmpfv1.exe
2736	wmpfv1.exe
928	wmpfv1.exe
2012	wmpfv1.exe
2276	wmpfv1.exe
3380	wmpfv1.exe
4588	wmpfv1.exe
4336	wmpfv1.exe
3828	wmpfv1.exe
4172	wmpfv1.exe
3032	wmpfv1.exe
2924	wmpfv1.exe
764	wmpfv1.exe
1324	wmpfv1.exe
3952	wmpfv1.exe
4552	wmpfv1.exe
4700	wmpfv1.exe
4332	wmpfv1.exe
3584	wmpfv1.exe
2448	wmpfv1.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2552-0-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2552-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2552-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2552-5-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2552-6-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2552-7-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2552-8-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2552-9-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2552-43-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4916-51-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4916-52-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4916-53-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4916-54-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4916-55-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4916-56-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1852-66-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1852-68-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1852-67-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1852-69-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1852-70-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1852-72-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3388-83-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3388-85-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3204-95-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3204-97-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3204-99-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3496-110-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3496-112-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2736-121-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2736-124-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2736-128-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2012-136-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2012-139-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2012-143-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3380-151-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3380-154-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3380-158-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4336-167-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4336-169-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4336-173-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4172-181-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4172-184-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4172-188-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2924-196-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2924-199-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2924-203-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1324-211-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1324-214-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1324-218-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4552-226-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4552-229-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4552-233-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4332-243-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4332-247-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2448-256-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2448-258-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Drops file in System32 directory 30 IoCs

Processes:

wmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exef514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exewmpfv1.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe

Suspicious use of SetThreadContext 16 IoCs

Processes:

f514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

description	pid	process	target process
PID 2448 set thread context of 2552	2448	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 1180 set thread context of 4916	1180	wmpfv1.exe	wmpfv1.exe
PID 3128 set thread context of 1852	3128	wmpfv1.exe	wmpfv1.exe
PID 440 set thread context of 3388	440	wmpfv1.exe	wmpfv1.exe
PID 2748 set thread context of 3204	2748	wmpfv1.exe	wmpfv1.exe
PID 4224 set thread context of 3496	4224	wmpfv1.exe	wmpfv1.exe
PID 4084 set thread context of 2736	4084	wmpfv1.exe	wmpfv1.exe
PID 928 set thread context of 2012	928	wmpfv1.exe	wmpfv1.exe
PID 2276 set thread context of 3380	2276	wmpfv1.exe	wmpfv1.exe
PID 4588 set thread context of 4336	4588	wmpfv1.exe	wmpfv1.exe
PID 3828 set thread context of 4172	3828	wmpfv1.exe	wmpfv1.exe
PID 3032 set thread context of 2924	3032	wmpfv1.exe	wmpfv1.exe
PID 764 set thread context of 1324	764	wmpfv1.exe	wmpfv1.exe
PID 3952 set thread context of 4552	3952	wmpfv1.exe	wmpfv1.exe
PID 4700 set thread context of 4332	4700	wmpfv1.exe	wmpfv1.exe
PID 3584 set thread context of 2448	3584	wmpfv1.exe	wmpfv1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

Processes:

wmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exef514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv1.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

f514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

pid	process
2552	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
2552	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
4916	wmpfv1.exe
4916	wmpfv1.exe
1852	wmpfv1.exe
1852	wmpfv1.exe
3388	wmpfv1.exe
3388	wmpfv1.exe
3204	wmpfv1.exe
3204	wmpfv1.exe
3496	wmpfv1.exe
3496	wmpfv1.exe
2736	wmpfv1.exe
2736	wmpfv1.exe
2012	wmpfv1.exe
2012	wmpfv1.exe
3380	wmpfv1.exe
3380	wmpfv1.exe
4336	wmpfv1.exe
4336	wmpfv1.exe
4172	wmpfv1.exe
4172	wmpfv1.exe
2924	wmpfv1.exe
2924	wmpfv1.exe
1324	wmpfv1.exe
1324	wmpfv1.exe
4552	wmpfv1.exe
4552	wmpfv1.exe
4332	wmpfv1.exe
4332	wmpfv1.exe
2448	wmpfv1.exe
2448	wmpfv1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f514765530986c23a91058653a7a6eff_JaffaCakes118.exef514765530986c23a91058653a7a6eff_JaffaCakes118.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exewmpfv1.exe

description	pid	process	target process
PID 2448 wrote to memory of 2552	2448	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2448 wrote to memory of 2552	2448	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2448 wrote to memory of 2552	2448	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2448 wrote to memory of 2552	2448	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2448 wrote to memory of 2552	2448	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2448 wrote to memory of 2552	2448	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2448 wrote to memory of 2552	2448	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2448 wrote to memory of 2552	2448	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
PID 2552 wrote to memory of 1180	2552	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	wmpfv1.exe
PID 2552 wrote to memory of 1180	2552	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	wmpfv1.exe
PID 2552 wrote to memory of 1180	2552	f514765530986c23a91058653a7a6eff_JaffaCakes118.exe	wmpfv1.exe
PID 1180 wrote to memory of 4916	1180	wmpfv1.exe	wmpfv1.exe
PID 1180 wrote to memory of 4916	1180	wmpfv1.exe	wmpfv1.exe
PID 1180 wrote to memory of 4916	1180	wmpfv1.exe	wmpfv1.exe
PID 1180 wrote to memory of 4916	1180	wmpfv1.exe	wmpfv1.exe
PID 1180 wrote to memory of 4916	1180	wmpfv1.exe	wmpfv1.exe
PID 1180 wrote to memory of 4916	1180	wmpfv1.exe	wmpfv1.exe
PID 1180 wrote to memory of 4916	1180	wmpfv1.exe	wmpfv1.exe
PID 1180 wrote to memory of 4916	1180	wmpfv1.exe	wmpfv1.exe
PID 4916 wrote to memory of 3128	4916	wmpfv1.exe	wmpfv1.exe
PID 4916 wrote to memory of 3128	4916	wmpfv1.exe	wmpfv1.exe
PID 4916 wrote to memory of 3128	4916	wmpfv1.exe	wmpfv1.exe
PID 3128 wrote to memory of 1852	3128	wmpfv1.exe	wmpfv1.exe
PID 3128 wrote to memory of 1852	3128	wmpfv1.exe	wmpfv1.exe
PID 3128 wrote to memory of 1852	3128	wmpfv1.exe	wmpfv1.exe
PID 3128 wrote to memory of 1852	3128	wmpfv1.exe	wmpfv1.exe
PID 3128 wrote to memory of 1852	3128	wmpfv1.exe	wmpfv1.exe
PID 3128 wrote to memory of 1852	3128	wmpfv1.exe	wmpfv1.exe
PID 3128 wrote to memory of 1852	3128	wmpfv1.exe	wmpfv1.exe
PID 3128 wrote to memory of 1852	3128	wmpfv1.exe	wmpfv1.exe
PID 1852 wrote to memory of 440	1852	wmpfv1.exe	wmpfv1.exe
PID 1852 wrote to memory of 440	1852	wmpfv1.exe	wmpfv1.exe
PID 1852 wrote to memory of 440	1852	wmpfv1.exe	wmpfv1.exe
PID 440 wrote to memory of 3388	440	wmpfv1.exe	wmpfv1.exe
PID 440 wrote to memory of 3388	440	wmpfv1.exe	wmpfv1.exe
PID 440 wrote to memory of 3388	440	wmpfv1.exe	wmpfv1.exe
PID 440 wrote to memory of 3388	440	wmpfv1.exe	wmpfv1.exe
PID 440 wrote to memory of 3388	440	wmpfv1.exe	wmpfv1.exe
PID 440 wrote to memory of 3388	440	wmpfv1.exe	wmpfv1.exe
PID 440 wrote to memory of 3388	440	wmpfv1.exe	wmpfv1.exe
PID 440 wrote to memory of 3388	440	wmpfv1.exe	wmpfv1.exe
PID 3388 wrote to memory of 2748	3388	wmpfv1.exe	wmpfv1.exe
PID 3388 wrote to memory of 2748	3388	wmpfv1.exe	wmpfv1.exe
PID 3388 wrote to memory of 2748	3388	wmpfv1.exe	wmpfv1.exe
PID 2748 wrote to memory of 3204	2748	wmpfv1.exe	wmpfv1.exe
PID 2748 wrote to memory of 3204	2748	wmpfv1.exe	wmpfv1.exe
PID 2748 wrote to memory of 3204	2748	wmpfv1.exe	wmpfv1.exe
PID 2748 wrote to memory of 3204	2748	wmpfv1.exe	wmpfv1.exe
PID 2748 wrote to memory of 3204	2748	wmpfv1.exe	wmpfv1.exe
PID 2748 wrote to memory of 3204	2748	wmpfv1.exe	wmpfv1.exe
PID 2748 wrote to memory of 3204	2748	wmpfv1.exe	wmpfv1.exe
PID 2748 wrote to memory of 3204	2748	wmpfv1.exe	wmpfv1.exe
PID 3204 wrote to memory of 4224	3204	wmpfv1.exe	wmpfv1.exe
PID 3204 wrote to memory of 4224	3204	wmpfv1.exe	wmpfv1.exe
PID 3204 wrote to memory of 4224	3204	wmpfv1.exe	wmpfv1.exe
PID 4224 wrote to memory of 3496	4224	wmpfv1.exe	wmpfv1.exe
PID 4224 wrote to memory of 3496	4224	wmpfv1.exe	wmpfv1.exe
PID 4224 wrote to memory of 3496	4224	wmpfv1.exe	wmpfv1.exe
PID 4224 wrote to memory of 3496	4224	wmpfv1.exe	wmpfv1.exe
PID 4224 wrote to memory of 3496	4224	wmpfv1.exe	wmpfv1.exe
PID 4224 wrote to memory of 3496	4224	wmpfv1.exe	wmpfv1.exe
PID 4224 wrote to memory of 3496	4224	wmpfv1.exe	wmpfv1.exe
PID 4224 wrote to memory of 3496	4224	wmpfv1.exe	wmpfv1.exe
PID 3496 wrote to memory of 4084	3496	wmpfv1.exe	wmpfv1.exe

C:\Users\Admin\AppData\Local\Temp\f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f514765530986c23a91058653a7a6eff_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\f514765530986c23a91058653a7a6eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f514765530986c23a91058653a7a6eff_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Users\Admin\AppData\Local\Temp\F51476~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Users\Admin\AppData\Local\Temp\F51476~1.EXE
4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4084

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:928

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2276

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4588

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4336

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3828

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3032

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:764

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3952

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4700

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4332

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3584

C:\Windows\SysWOW64\wmpfv1.exe
"C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
32⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpfv1.exe
Filesize
167KB

MD5
f514765530986c23a91058653a7a6eff

SHA1
e6bedcdecdacd57424d7749a1e37ed1435fbaa39

SHA256
7de4139f6a85b50229330443e20993dc94fa106fa66002673d03a6b5e92d58d9

SHA512
4390acc9d8c4ccb94797865557073145ddfe57fe6df3ef382d4d46b8b95ffab0715dc3d2106e724a057acf5eed414c99aef6ea5f66c4817c607cbb8fb8f61bc3

Download Submit
memory/440-79-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1180-50-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1324-218-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1324-211-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1324-214-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1852-72-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1852-70-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1852-69-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1852-67-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1852-68-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1852-66-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2012-136-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2012-139-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2012-143-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2448-258-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2448-256-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2448-4-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2552-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2552-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2552-6-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2552-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2552-9-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2552-8-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2552-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2552-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2552-5-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2736-124-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2736-121-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2736-128-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2748-92-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2924-203-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2924-196-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2924-199-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3128-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3204-95-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3204-97-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3204-99-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3380-158-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3380-151-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3380-154-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3388-85-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3388-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3496-110-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3496-112-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4172-181-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4172-184-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4172-188-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4224-106-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4332-247-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4332-243-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4336-169-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4336-173-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4336-167-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4552-226-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4552-229-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4552-233-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4916-56-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4916-55-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4916-54-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4916-53-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4916-52-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4916-51-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads