Analysis
max time kernel: 148s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 00:42

Static task: static1
Behavioral task behavioral1: sample 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe, resource win7-20240419-en
Behavioral task behavioral2: sample 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe, resource win10v2004-20240611-en
The signatures on this page are from behavioral2 (the win10v2004-20240611-en run; the memory-dump paths further down are under behavioral2/).

General
Target: 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
Size: 224KB
MD5: 049d13b6c7c9eab93bd7885d48fe9b92
SHA1: c90da2ea142cf336762fd1c9be1650243356407d
SHA256: 4278f3fa1b91eda56a94cc9db2819d712aa72e7cf2d95ff1de01c228467b86e0
SHA512: 9d959f01e955b8716a2bbfb0818ca9f6f096d84e9800df8ef2748193746be019ef227446fc2b8fdb0818bee34d38ecde024fc7c0a51bfc2e945b66a874cca817
SSDEEP: 3072:nkMlKjJZsePl2xDrKKAMY+9f4w3fwCzlfTi17vjdHCVGg1a15AjeOfX:k+ckdEKAMT4GdzlfOjEgka1OSK

Malware Config
Extracted: metasploit, encoder encoder/call4_dword_xor

Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
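
The encoder named in the extracted config is Metasploit's x86 call4_dword_xor. The script below is an added analysis helper written for this page; it is not tria.ge's extractor and not code from the Metasploit Framework. It scans a buffer (a memory dump, a carved section, a file) for the decoder stub, reads the dword count and the 4-byte key out of the stub, and XORs the body back, which is the step an extractor has to perform before it can read anything in the payload. The stub byte layout is an assumption taken from my reading of the Metasploit encoder source; check it against modules/encoders/x86/call4_dword_xor.rb before relying on the offsets. The function names are mine and the test input is a constructed ASCII string, not shellcode.

```python
"""
Scanner/decoder for Metasploit's x86 call4_dword_xor encoding.

Added analysis helper for this report; not code from tria.ge or from the
Metasploit Framework. The stub layout is ASSUMED from my reading of the
encoder source; verify it against modules/encoders/x86/call4_dword_xor.rb.

    31 C9              xor  ecx, ecx
    83 E9 <-n>         sub  ecx, -n        ; n = number of encoded dwords
    E8 FF FF FF FF     call $+4            ; return address lands on the last FF
    C0                 FF C0 = inc eax     ; the stray byte executes harmlessly
    5E                 pop  esi            ; esi = address of the C0 byte
    81 76 0E <key>     xor  dword [esi+0x0e], key   ; esi+0x0e = body start
    83 EE FC           sub  esi, -4
    E2 F4              loop (back to the xor)
    <n encoded dwords>
"""
import re
import struct

STUB_RE = re.compile(
    rb"\x31\xc9\x83\xe9(?P<neg_n>.)"      # xor ecx,ecx ; sub ecx,-n
    rb"\xe8\xff\xff\xff\xff\xc0\x5e"       # call $+4 ; (inc eax) ; pop esi
    rb"\x81\x76\x0e(?P<key>.{4})"          # xor dword [esi+0x0e], key
    rb"\x83\xee\xfc\xe2\xf4",              # sub esi,-4 ; loop
    re.DOTALL,
)
STUB_LEN = 24  # bytes from "31 C9" up to and including "E2 F4"


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR each little-endian dword with key; data is zero-padded to 4 bytes."""
    padded = data + b"\x00" * (-len(data) % 4)
    out = bytearray()
    for off in range(0, len(padded), 4):
        (dw,) = struct.unpack_from("<I", padded, off)
        out += struct.pack("<I", dw ^ key)
    return bytes(out)


def encode_call4_dword_xor(payload: bytes, key: int) -> bytes:
    """Produce stub + encoded body; used here only to build test input."""
    body = xor_dwords(payload, key)
    n = len(body) // 4
    if not 1 <= n <= 128:  # "sub ecx, -n" uses a sign-extended imm8
        raise ValueError("body must be 1..128 dwords for the imm8 stub form")
    stub = (b"\x31\xc9\x83\xe9" + struct.pack("<b", -n)
            + b"\xe8\xff\xff\xff\xff\xc0\x5e"
            + b"\x81\x76\x0e" + struct.pack("<I", key)
            + b"\x83\xee\xfc\xe2\xf4")
    assert len(stub) == STUB_LEN
    return stub + body


def find_and_decode(blob: bytes) -> list:
    """Find every decoder stub in blob and XOR its body back to plaintext.

    Returns one dict per complete stub+body. A stub whose body runs past the
    end of blob (a truncated dump) is skipped rather than half-decoded.
    """
    hits = []
    for m in STUB_RE.finditer(blob):
        n = -struct.unpack("<b", m.group("neg_n"))[0]
        (key,) = struct.unpack("<I", m.group("key"))
        body = blob[m.end(): m.end() + 4 * n]
        if len(body) < 4 * n:
            continue
        hits.append({"offset": m.start(), "key": key, "dwords": n,
                     "decoded": xor_dwords(body, key)})
    return hits


if __name__ == "__main__":
    # Constructed input: plain text wrapped in the stub, NOT shellcode.
    sample = b"\x90" * 16 + encode_call4_dword_xor(
        b"CONSTRUCTED TEST DATA, NOT SHELLCODE", 0xDEADBEEF) + b"\xcc" * 8
    for h in find_and_decode(sample):
        print(f"stub at +{h['offset']:#x} key={h['key']:#010x} "
              f"dwords={h['dwords']} body={h['decoded']!r}")
```

Run find_and_decode over the behavioral2/memory/*.dmp files listed in the UPX section further down; if the stub is present in a dump, the decoded body is what the sandbox's own extractor classified as a Metasploit payload. The key is a fixed dword with no feedback chaining, so a single known-plaintext dword is enough to recover it even if the stub itself has been trimmed from the dump.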
Checks computer location settings (2 TTPs, 34 IoCs)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation); likely a geofence check. These rows are API-level observations made by the sandbox: on an endpoint, registry value reads are not recorded by Sysmon (it logs key create/delete, value set and rename only), so hunting for this needs EDR or ETW telemetry.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | taskmn32.exe (33 rows)
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe (1 row)

Deletes itself (1 IoC)
pid | process
3356 | taskmn32.exe

Executes dropped EXE (64 IoCs)
Process: taskmn32.exe, 64 instances in order of appearance (the listing stops at 64 rows). PIDs 3204, 832 and 3712 each appear twice, i.e. those PIDs were recycled during the run, so a process tree for this sample cannot be keyed on PID alone.
pids: 3204, 3356, 5640, 5668, 3168, 1420, 5356, 2860, 1676, 3852, 2428, 2152, 4744, 2732, 4440, 3696, 832, 1144, 1868, 2884, 1808, 3468, 3712, 5636, 5844, 4708, 2652, 2656, 1368, 5264, 4784, 5528, 4104, 5904, 752, 3204, 3344, 5724, 2360, 5992, 4392, 5448, 212, 3520, 468, 4068, 2620, 320, 832, 5000, 5296, 2204, 3196, 5268, 2832, 3712, 4280, 3588, 5424, 6052, 5624, 244, 716, 4480

Memory dumps matching YARA rule upx
All 51 hits are in behavioral2 and cover the same region, 0x0000000000400000-0x0000000000467000, in every process: the same packed 32-bit image is mapped into each instance in turn. Dumps are listed as pid-sequence:
5744-0, 5744-2, 5744-3, 5744-4, 5744-40, 3356-45, 3356-48, 5668-54, 5668-58, 1420-65, 2860-72, 3852-78, 3852-80, 2152-86, 2152-88, 2732-97, 3696-104, 1144-110, 1144-113, 2884-122, 3468-127, 5636-137, 4708-142, 4708-146, 2656-149, 2656-153, 5264-157, 5264-162, 5528-170, 5904-179, 3204-187, 5724-195, 5992-200, 5992-204, 5448-212, 3520-217, 3520-221, 4068-225, 4068-229, 320-233, 320-236, 5000-242, 2204-248, 5268-254, 3712-260, 3588-266, 6052-272, 244-278, 4480-281, 4480-285, 3592-291
(each entry is behavioral2/memory/<pid>-<seq>-0x0000000000400000-0x0000000000467000-memory.dmp, rule upx)

Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments: the Disk\Enum\0 value holds the device instance path of the first disk, which embeds the drive's vendor and model strings, so it is a cheap way to recognise a virtual-machine disk.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | taskmn32.exe (32 rows), 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe (1 row)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | taskmn32.exe (30 rows), 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe (1 row)

Drops file in System32 directory (64 IoCs)
The original sample writes itself to C:\Windows\SysWOW64\taskmn32.exe and every subsequent taskmn32.exe instance rewrites the same path. Creating a file under C:\Windows\SysWOW64 requires an administrator token, so the drop succeeding means the sample ran elevated in the sandbox; on a standard-user endpoint this write would fail.
description | ioc | process
File created | C:\Windows\SysWOW64\taskmn32.exe | taskmn32.exe (22 rows), 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe (1 row)
File opened for modification | C:\Windows\SysWOW64\ | taskmn32.exe (21 rows)
File opened for modification | C:\Windows\SysWOW64\taskmn32.exe | taskmn32.exe (20 rows)

Suspicious use of SetThreadContext (34 IoCs)
Every row is a parent setting the thread context of a child that runs the parent's own image: the dropper (PID 3264) does it to a second copy of itself (PID 5744), and each later taskmn32.exe instance does it to a fresh taskmn32.exe. Together with the WriteProcessMemory rows from the same parent to the same child (last signature on this page) this is consistent with process hollowing, i.e. self-injection into a freshly created copy. PIDs 3204, 832 and 3712 each occur in two different pairs, so the pairs have to be read in report order rather than keyed by PID.
pid -> target pid (process -> target process)
3264 -> 5744 (049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe -> 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe)
taskmn32.exe -> taskmn32.exe for all of the following: 3204 -> 3356, 5640 -> 5668, 3168 -> 1420, 5356 -> 2860, 1676 -> 3852, 2428 -> 2152, 4744 -> 2732, 4440 -> 3696, 832 -> 1144, 1868 -> 2884, 1808 -> 3468, 3712 -> 5636, 5844 -> 4708, 2652 -> 2656, 1368 -> 5264, 4784 -> 5528, 4104 -> 5904, 752 -> 3204, 3344 -> 5724, 2360 -> 5992, 4392 -> 5448, 212 -> 3520, 468 -> 4068, 2620 -> 320, 832 -> 5000, 5296 -> 2204, 3196 -> 5268, 2832 -> 3712, 4280 -> 3588, 5424 -> 6052, 5624 -> 244, 716 -> 4480, 5988 -> 3592

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (34 IoCs)
All 34 rows create the same key. The WOW6432Node path confirms the process is 32-bit, consistent with the SysWOW64 drop path and the 0x400000 image base above.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | taskmn32.exe (33 rows), 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe (1 row)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process (each PID is listed four times in the report, 16 PIDs in total)
5744 | 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
3356, 5668, 1420, 2860, 3852, 2152, 2732, 3696, 1144, 2884, 3468, 5636, 4708, 5264, 5528 | taskmn32.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
writer pid  target pid  writer process                                        target process                                        writes
3264        5744        049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe    049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe    7
5744        3204        049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe    taskmn32.exe                                          3
3204        3356        taskmn32.exe                                          taskmn32.exe                                          7
3356        5640        taskmn32.exe                                          taskmn32.exe                                          3
5640        5668        taskmn32.exe                                          taskmn32.exe                                          7
5668        3168        taskmn32.exe                                          taskmn32.exe                                          3
3168        1420        taskmn32.exe                                          taskmn32.exe                                          7
1420        5356        taskmn32.exe                                          taskmn32.exe                                          7
5356        2860        taskmn32.exe                                          taskmn32.exe                                          7
2860        1676        taskmn32.exe                                          taskmn32.exe                                          3
1676        3852        taskmn32.exe                                          taskmn32.exe                                          7
3852        2428        taskmn32.exe                                          taskmn32.exe                                          3
2428        2152        taskmn32.exe                                          taskmn32.exe                                          4
(64 records listed; each row aggregates the repeated "PID <writer> wrote to memory of <target>" entries for that parent/child pair)
Processes
-
C:\Users\Admin\AppData\Local\Temp\049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5744 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Users\Admin\AppData\Local\Temp\049D13~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Users\Admin\AppData\Local\Temp\049D13~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5640 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5668 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5356 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2152 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4744 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2732 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4440 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3696 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:832 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1144 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1868 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2884 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1808 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3468 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3712 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5636 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5844 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4708 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2652 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1368 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5264 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4784 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5528 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4104 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:752 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3204 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3344 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe40⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2360 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe42⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5992 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4392 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe44⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:212 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe46⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:468 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe48⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2620 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:832 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe52⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5000 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5296 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe54⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3196 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe56⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2832 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe58⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4280 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe60⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5424 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5624 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe64⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:244 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:716 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe66⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4480 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe67⤵
- Suspicious use of SetThreadContext
PID:5988 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe68⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\taskmn32.exe"C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe69⤵
PID:4236
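The process tree above alternates between a level tagged "Suspicious use of SetThreadContext" plus "Suspicious use of WriteProcessMemory" and a level that carries the actual behaviour (drops taskmn32.exe into System32, modifies registry classes, checks the location setting). Read together with the WriteProcessMemory table, each odd level rewrites a freshly created copy of its own image and resets its thread context, and each even level then launches the next taskmn32.exe, which repeats the cycle. The script below is an added example, not part of the sandbox output: it parses the report's flattened "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>" records, rebuilds the injection chain, and flags the writer/target pairs that match the hollowing pattern (same image on both sides and the writer also tagged SetThreadContext). The record layout and the excerpt of the table embedded in the script are taken from this report; the set of SetThreadContext PIDs is copied from the tree above; the heuristic itself is the author's, not a sandbox rule.

```python
"""Rebuild the process-injection chain from a flattened sandbox IoC table.

Added example for this report, not part of the sandbox output. It parses the
'Suspicious use of WriteProcessMemory' records in the form the report prints
them, aggregates writes per (writer, target) pair and flags pairs that look
like process hollowing: the writer rewrites a child running the same image as
itself and is also tagged 'SetThreadContext' in the process tree.
"""
import re
from collections import Counter

SAMPLE = "049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe"
DROPPED = "taskmn32.exe"


def _records(writer, target, wimg, timg, n):
    """Reproduce n identical report records for one writer/target pair."""
    return f"PID {writer} wrote to memory of {target} {writer} {wimg} {timg} " * n


# Excerpt of the report's WriteProcessMemory table: the first five parent/child
# relations, each repeated as many times as the report lists it, joined on one
# line the way the flattened page shows them (header included).
RAW_IOCS = (
    "description pid process target process "
    + _records(3264, 5744, SAMPLE, SAMPLE, 7)
    + _records(5744, 3204, SAMPLE, DROPPED, 3)
    + _records(3204, 3356, DROPPED, DROPPED, 7)
    + _records(3356, 5640, DROPPED, DROPPED, 3)
    + _records(5640, 5668, DROPPED, DROPPED, 7)
)

# PIDs the report's process tree tags with 'Suspicious use of SetThreadContext'
# (first seven levels; copied from the tree, enough to cover the excerpt).
SETTHREADCONTEXT_PIDS = {3264, 3204, 5640, 3168, 5356, 1676, 2428}

# One record: writer pid, target pid, writer pid again, then the two image names.
RECORD = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) (?P=writer) "
    r"(?P<wimg>\S+) (?P<timg>\S+)"
)


def parse_writes(text):
    """Return Counter[(writer, target, writer_image, target_image)] -> write count."""
    writes = Counter()
    for m in RECORD.finditer(text):
        writes[(int(m["writer"]), int(m["target"]), m["wimg"], m["timg"])] += 1
    return writes


def hollowing_candidates(writes, setthreadcontext_pids):
    """Pairs where a process that resets a thread context also writes into a
    child running its own image. A same-image write alone is not enough: in
    this report 3356 writes into 5640 (both taskmn32.exe) but is only the
    launcher of the next stage, so it must not be flagged."""
    out = []
    for (writer, target, wimg, timg), n in sorted(writes.items()):
        if wimg == timg and writer in setthreadcontext_pids:
            out.append((writer, target, n))
    return out


def injection_chain(writes, root):
    """Follow writer -> target edges from root; stop at a fork or a dead end."""
    children = {}
    for writer, target, _, _ in writes:
        children.setdefault(writer, set()).add(target)
    chain, pid = [root], root
    while len(children.get(pid, ())) == 1:
        pid = next(iter(children[pid]))
        if pid in chain:  # guard against loops from PID reuse
            break
        chain.append(pid)
    return chain


if __name__ == "__main__":
    w = parse_writes(RAW_IOCS)
    print("chain:", " -> ".join(map(str, injection_chain(w, 3264))))
    for writer, target, n in hollowing_candidates(w, SETTHREADCONTEXT_PIDS):
        print(f"hollowing candidate: {writer} -> {target} ({n} writes)")
```

On the excerpt this yields the chain 3264 -> 5744 -> 3204 -> 3356 -> 5640 -> 5668 and flags 3264, 3204 and 5640 as the writers that hollow their children; to run it over the full report, paste the complete table text into RAW_IOCS and extend SETTHREADCONTEXT_PIDS from the tree.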
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 224KB
MD5 049d13b6c7c9eab93bd7885d48fe9b92
SHA1 c90da2ea142cf336762fd1c9be1650243356407d
SHA256 4278f3fa1b91eda56a94cc9db2819d712aa72e7cf2d95ff1de01c228467b86e0
SHA512 9d959f01e955b8716a2bbfb0818ca9f6f096d84e9800df8ef2748193746be019ef227446fc2b8fdb0818bee34d38ecde024fc7c0a51bfc2e945b66a874cca817
-
Filesize (not reported; the hashes below are those of a zero-byte file)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e