metasploit | 1d7cee63803dcd2695a0495e91a8a116cf57c2fcea60233ab15a3dc60d26bae1

General

Target

fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
Size

596KB
MD5

fc1707fcb742d93bf0f7808fb8d2e556
SHA1

c0ca459a87ec8a5257108876bc8e7acf42638126
SHA256

1d7cee63803dcd2695a0495e91a8a116cf57c2fcea60233ab15a3dc60d26bae1
SHA512

1d37de1f777adb7b3a3ce89fa165410178c3f125de53a24f7f622f128c0ac35d94133ff0b9932a11aa6203849b964799007a6a4ddf18608726062860d2747fd7
SSDEEP

6144:3f3KJtXH9d13vggfomhE2UfMxebJtgx+bqcmN9RZX5NQ3B7O:3mtNd1RQm6NKGJaxUAN5X5qx

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wmpdf3.exe

Deletes itself 1 IoCs

Processes:

wmpdf3.exe

pid process

4024 wmpdf3.exe

Executes dropped EXE 18 IoCs

Processes:

wmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exe

pid	process
4024	wmpdf3.exe
4960	wmpdf3.exe
3660	wmpdf3.exe
2228	wmpdf3.exe
2200	wmpdf3.exe
4588	wmpdf3.exe
1060	wmpdf3.exe
4616	wmpdf3.exe
1520	wmpdf3.exe
4588	wmpdf3.exe
980	wmpdf3.exe
208	wmpdf3.exe
2188	wmpdf3.exe
4828	wmpdf3.exe
4548	wmpdf3.exe
2588	wmpdf3.exe
1476	wmpdf3.exe
3092	wmpdf3.exe

Maps connected drives based on registry 3 TTPs 36 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exefc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exewmpdf3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdf3.exe

Drops file in System32 directory 36 IoCs

Processes:

wmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exefc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File opened for modification	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe
File created	C:\Windows\SysWOW64\wmpdf3.exe	wmpdf3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

Processes:

fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exe

pid	process
968	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
4024	wmpdf3.exe
4960	wmpdf3.exe
3660	wmpdf3.exe
2228	wmpdf3.exe
2200	wmpdf3.exe
4588	wmpdf3.exe
1060	wmpdf3.exe
4616	wmpdf3.exe
1520	wmpdf3.exe
4588	wmpdf3.exe
980	wmpdf3.exe
208	wmpdf3.exe
2188	wmpdf3.exe
4828	wmpdf3.exe
4548	wmpdf3.exe
2588	wmpdf3.exe
1476	wmpdf3.exe
3092	wmpdf3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

Processes:

wmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exefc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdf3.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exe

pid	process
968	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
968	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
4024	wmpdf3.exe
4024	wmpdf3.exe
4960	wmpdf3.exe
4960	wmpdf3.exe
3660	wmpdf3.exe
3660	wmpdf3.exe
2228	wmpdf3.exe
2228	wmpdf3.exe
2200	wmpdf3.exe
2200	wmpdf3.exe
4588	wmpdf3.exe
4588	wmpdf3.exe
1060	wmpdf3.exe
1060	wmpdf3.exe
4616	wmpdf3.exe
4616	wmpdf3.exe
1520	wmpdf3.exe
1520	wmpdf3.exe
4588	wmpdf3.exe
4588	wmpdf3.exe
980	wmpdf3.exe
980	wmpdf3.exe
208	wmpdf3.exe
208	wmpdf3.exe
2188	wmpdf3.exe
2188	wmpdf3.exe
4828	wmpdf3.exe
4828	wmpdf3.exe
4548	wmpdf3.exe
4548	wmpdf3.exe
2588	wmpdf3.exe
2588	wmpdf3.exe
1476	wmpdf3.exe
1476	wmpdf3.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exewmpdf3.exe

description	pid	process	target process
PID 968 wrote to memory of 4024	968	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe	wmpdf3.exe
PID 968 wrote to memory of 4024	968	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe	wmpdf3.exe
PID 968 wrote to memory of 4024	968	fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe	wmpdf3.exe
PID 4024 wrote to memory of 4960	4024	wmpdf3.exe	wmpdf3.exe
PID 4024 wrote to memory of 4960	4024	wmpdf3.exe	wmpdf3.exe
PID 4024 wrote to memory of 4960	4024	wmpdf3.exe	wmpdf3.exe
PID 4960 wrote to memory of 3660	4960	wmpdf3.exe	wmpdf3.exe
PID 4960 wrote to memory of 3660	4960	wmpdf3.exe	wmpdf3.exe
PID 4960 wrote to memory of 3660	4960	wmpdf3.exe	wmpdf3.exe
PID 3660 wrote to memory of 2228	3660	wmpdf3.exe	wmpdf3.exe
PID 3660 wrote to memory of 2228	3660	wmpdf3.exe	wmpdf3.exe
PID 3660 wrote to memory of 2228	3660	wmpdf3.exe	wmpdf3.exe
PID 2228 wrote to memory of 2200	2228	wmpdf3.exe	wmpdf3.exe
PID 2228 wrote to memory of 2200	2228	wmpdf3.exe	wmpdf3.exe
PID 2228 wrote to memory of 2200	2228	wmpdf3.exe	wmpdf3.exe
PID 2200 wrote to memory of 4588	2200	wmpdf3.exe	wmpdf3.exe
PID 2200 wrote to memory of 4588	2200	wmpdf3.exe	wmpdf3.exe
PID 2200 wrote to memory of 4588	2200	wmpdf3.exe	wmpdf3.exe
PID 4588 wrote to memory of 1060	4588	wmpdf3.exe	wmpdf3.exe
PID 4588 wrote to memory of 1060	4588	wmpdf3.exe	wmpdf3.exe
PID 4588 wrote to memory of 1060	4588	wmpdf3.exe	wmpdf3.exe
PID 1060 wrote to memory of 4616	1060	wmpdf3.exe	wmpdf3.exe
PID 1060 wrote to memory of 4616	1060	wmpdf3.exe	wmpdf3.exe
PID 1060 wrote to memory of 4616	1060	wmpdf3.exe	wmpdf3.exe
PID 4616 wrote to memory of 1520	4616	wmpdf3.exe	wmpdf3.exe
PID 4616 wrote to memory of 1520	4616	wmpdf3.exe	wmpdf3.exe
PID 4616 wrote to memory of 1520	4616	wmpdf3.exe	wmpdf3.exe
PID 1520 wrote to memory of 4588	1520	wmpdf3.exe	wmpdf3.exe
PID 1520 wrote to memory of 4588	1520	wmpdf3.exe	wmpdf3.exe
PID 1520 wrote to memory of 4588	1520	wmpdf3.exe	wmpdf3.exe
PID 4588 wrote to memory of 980	4588	wmpdf3.exe	wmpdf3.exe
PID 4588 wrote to memory of 980	4588	wmpdf3.exe	wmpdf3.exe
PID 4588 wrote to memory of 980	4588	wmpdf3.exe	wmpdf3.exe
PID 980 wrote to memory of 208	980	wmpdf3.exe	wmpdf3.exe
PID 980 wrote to memory of 208	980	wmpdf3.exe	wmpdf3.exe
PID 980 wrote to memory of 208	980	wmpdf3.exe	wmpdf3.exe
PID 208 wrote to memory of 2188	208	wmpdf3.exe	wmpdf3.exe
PID 208 wrote to memory of 2188	208	wmpdf3.exe	wmpdf3.exe
PID 208 wrote to memory of 2188	208	wmpdf3.exe	wmpdf3.exe
PID 2188 wrote to memory of 4828	2188	wmpdf3.exe	wmpdf3.exe
PID 2188 wrote to memory of 4828	2188	wmpdf3.exe	wmpdf3.exe
PID 2188 wrote to memory of 4828	2188	wmpdf3.exe	wmpdf3.exe
PID 4828 wrote to memory of 4548	4828	wmpdf3.exe	wmpdf3.exe
PID 4828 wrote to memory of 4548	4828	wmpdf3.exe	wmpdf3.exe
PID 4828 wrote to memory of 4548	4828	wmpdf3.exe	wmpdf3.exe
PID 4548 wrote to memory of 2588	4548	wmpdf3.exe	wmpdf3.exe
PID 4548 wrote to memory of 2588	4548	wmpdf3.exe	wmpdf3.exe
PID 4548 wrote to memory of 2588	4548	wmpdf3.exe	wmpdf3.exe
PID 2588 wrote to memory of 1476	2588	wmpdf3.exe	wmpdf3.exe
PID 2588 wrote to memory of 1476	2588	wmpdf3.exe	wmpdf3.exe
PID 2588 wrote to memory of 1476	2588	wmpdf3.exe	wmpdf3.exe
PID 1476 wrote to memory of 3092	1476	wmpdf3.exe	wmpdf3.exe
PID 1476 wrote to memory of 3092	1476	wmpdf3.exe	wmpdf3.exe
PID 1476 wrote to memory of 3092	1476	wmpdf3.exe	wmpdf3.exe

C:\Users\Admin\AppData\Local\Temp\fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Users\Admin\AppData\Local\Temp\FC1707~1.EXE
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
11⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
13⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
15⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
17⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\wmpdf3.exe
"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe
19⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpdf3.exe
Filesize
596KB

MD5
fc1707fcb742d93bf0f7808fb8d2e556

SHA1
c0ca459a87ec8a5257108876bc8e7acf42638126

SHA256
1d7cee63803dcd2695a0495e91a8a116cf57c2fcea60233ab15a3dc60d26bae1

SHA512
1d37de1f777adb7b3a3ce89fa165410178c3f125de53a24f7f622f128c0ac35d94133ff0b9932a11aa6203849b964799007a6a4ddf18608726062860d2747fd7

Download Submit
memory/208-82-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/208-78-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/968-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/968-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/968-2-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/968-38-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/968-35-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/980-79-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/980-77-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/980-75-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1060-62-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1060-60-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1060-66-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1476-97-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1476-94-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1520-72-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1520-70-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1520-69-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2188-84-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2188-86-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2188-81-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2200-56-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2200-54-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2228-51-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2228-53-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2228-49-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2588-95-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3660-47-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3660-45-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3660-50-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4024-41-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4024-39-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4024-37-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4548-91-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4548-92-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4588-74-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4588-61-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4588-57-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4588-58-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4616-68-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4616-65-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4616-64-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4828-87-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4828-89-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4828-85-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4960-42-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4960-43-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4960-46-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads