Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-06-2024 00:58
Static task: static1
Behavioral task: behavioral1
  Sample: 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
- Target: 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
- Size: 204KB
- MD5: 04a95bd7e4345af91f13bae651eb26eb
- SHA1: 3226e69d6439cf983c9b87d6bc9414cfa9b05c2f
- SHA256: 0ea60e4e87ecad13abd8cbc519ab4f7935102cafa5186e3711353e2fcaa39f31
- SHA512: 6a59cc073224112db11f688c948b4c7bab5e1f7d9620a61af324a4d709510afa33dc5ac7ceefddc361703f69fe49fa86c9887ef617662adf52b848b4b663d4d7
- SSDEEP: 3072:Tjdk2pchLit819xFqIJtP/cKh7+QtUFah8e+U8hRqqT0jJ5qt89hHJ8g:322pcISFqTm7+3XUETfwJ+g
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Deletes itself (1 IoCs)
Processes:
pid   process
2904  wmpdtc32.exe
-
Executes dropped EXE (32 IoCs)
Processes:
pid   process
2808  wmpdtc32.exe
2904  wmpdtc32.exe
2976  wmpdtc32.exe
2200  wmpdtc32.exe
552   wmpdtc32.exe
1036  wmpdtc32.exe
2748  wmpdtc32.exe
584   wmpdtc32.exe
1116  wmpdtc32.exe
1284  wmpdtc32.exe
1148  wmpdtc32.exe
2300  wmpdtc32.exe
1888  wmpdtc32.exe
1936  wmpdtc32.exe
2212  wmpdtc32.exe
2416  wmpdtc32.exe
1716  wmpdtc32.exe
2852  wmpdtc32.exe
2644  wmpdtc32.exe
2780  wmpdtc32.exe
2396  wmpdtc32.exe
1972  wmpdtc32.exe
2204  wmpdtc32.exe
316   wmpdtc32.exe
1008  wmpdtc32.exe
824   wmpdtc32.exe
2504  wmpdtc32.exe
2432  wmpdtc32.exe
828   wmpdtc32.exe
864   wmpdtc32.exe
2368  wmpdtc32.exe
848   wmpdtc32.exe
-
Loads dropped DLL (64 IoCs)
Processes (each pid is listed twice in the report, giving 64 entries):
pid   process
1968  04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
2808  wmpdtc32.exe
2904  wmpdtc32.exe
2976  wmpdtc32.exe
2200  wmpdtc32.exe
552   wmpdtc32.exe
1036  wmpdtc32.exe
2748  wmpdtc32.exe
584   wmpdtc32.exe
1116  wmpdtc32.exe
1284  wmpdtc32.exe
1148  wmpdtc32.exe
2300  wmpdtc32.exe
1888  wmpdtc32.exe
1936  wmpdtc32.exe
2212  wmpdtc32.exe
2416  wmpdtc32.exe
1716  wmpdtc32.exe
2852  wmpdtc32.exe
2644  wmpdtc32.exe
2780  wmpdtc32.exe
2396  wmpdtc32.exe
1972  wmpdtc32.exe
2204  wmpdtc32.exe
316   wmpdtc32.exe
1008  wmpdtc32.exe
824   wmpdtc32.exe
2504  wmpdtc32.exe
2432  wmpdtc32.exe
828   wmpdtc32.exe
864   wmpdtc32.exe
2368  wmpdtc32.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1968-5-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1968-9-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1968-10-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1968-6-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1968-11-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1968-4-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1968-12-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1968-13-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2904-40-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1968-39-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1968-45-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2904-47-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2200-66-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2904-69-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1036-89-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2200-81-0x00000000030D0000-0x0000000003119000-memory.dmp | upx
behavioral1/memory/2200-91-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1036-112-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1284-134-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/584-137-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1284-158-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2300-181-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2416-198-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1936-202-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2852-218-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2416-223-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2852-240-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1972-253-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2780-257-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/316-270-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1972-274-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/824-285-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/316-289-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/824-303-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2432-318-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/864-334-0x0000000000400000-0x0000000000456000-memory.dmp | upx
-
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
-
Drops file in System32 directory (48 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\ | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
-
Suspicious use of SetThreadContext (17 IoCs)
Processes:
description | pid | process | target process
PID 2116 set thread context of 1968 | 2116 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
PID 2808 set thread context of 2904 | 2808 | wmpdtc32.exe | wmpdtc32.exe
PID 2976 set thread context of 2200 | 2976 | wmpdtc32.exe | wmpdtc32.exe
PID 552 set thread context of 1036 | 552 | wmpdtc32.exe | wmpdtc32.exe
PID 2748 set thread context of 584 | 2748 | wmpdtc32.exe | wmpdtc32.exe
PID 1116 set thread context of 1284 | 1116 | wmpdtc32.exe | wmpdtc32.exe
PID 1148 set thread context of 2300 | 1148 | wmpdtc32.exe | wmpdtc32.exe
PID 1888 set thread context of 1936 | 1888 | wmpdtc32.exe | wmpdtc32.exe
PID 2212 set thread context of 2416 | 2212 | wmpdtc32.exe | wmpdtc32.exe
PID 1716 set thread context of 2852 | 1716 | wmpdtc32.exe | wmpdtc32.exe
PID 2644 set thread context of 2780 | 2644 | wmpdtc32.exe | wmpdtc32.exe
PID 2396 set thread context of 1972 | 2396 | wmpdtc32.exe | wmpdtc32.exe
PID 2204 set thread context of 316 | 2204 | wmpdtc32.exe | wmpdtc32.exe
PID 1008 set thread context of 824 | 1008 | wmpdtc32.exe | wmpdtc32.exe
PID 2504 set thread context of 2432 | 2504 | wmpdtc32.exe | wmpdtc32.exe
PID 828 set thread context of 864 | 828 | wmpdtc32.exe | wmpdtc32.exe
PID 2368 set thread context of 848 | 2368 | wmpdtc32.exe | wmpdtc32.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes (each pid except 848 is listed twice in the report, giving 33 entries):
pid   process
1968  04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
2904  wmpdtc32.exe
2200  wmpdtc32.exe
1036  wmpdtc32.exe
584   wmpdtc32.exe
1284  wmpdtc32.exe
2300  wmpdtc32.exe
1936  wmpdtc32.exe
2416  wmpdtc32.exe
2852  wmpdtc32.exe
2780  wmpdtc32.exe
1972  wmpdtc32.exe
316   wmpdtc32.exe
824   wmpdtc32.exe
2432  wmpdtc32.exe
864   wmpdtc32.exe
848   wmpdtc32.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the report repeats each parent/child pair several times; the count column gives the number of entries for that pair, 64 in total):
description | pid | process | target process | count
PID 2116 wrote to memory of 1968 | 2116 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 7
PID 1968 wrote to memory of 2808 | 1968 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | wmpdtc32.exe | 4
PID 2808 wrote to memory of 2904 | 2808 | wmpdtc32.exe | wmpdtc32.exe | 7
PID 2904 wrote to memory of 2976 | 2904 | wmpdtc32.exe | wmpdtc32.exe | 4
PID 2976 wrote to memory of 2200 | 2976 | wmpdtc32.exe | wmpdtc32.exe | 7
PID 2200 wrote to memory of 552 | 2200 | wmpdtc32.exe | wmpdtc32.exe | 4
PID 552 wrote to memory of 1036 | 552 | wmpdtc32.exe | wmpdtc32.exe | 7
PID 1036 wrote to memory of 2748 | 1036 | wmpdtc32.exe | wmpdtc32.exe | 4
PID 2748 wrote to memory of 584 | 2748 | wmpdtc32.exe | wmpdtc32.exe | 7
PID 584 wrote to memory of 1116 | 584 | wmpdtc32.exe | wmpdtc32.exe | 4
PID 1116 wrote to memory of 1284 | 1116 | wmpdtc32.exe | wmpdtc32.exe | 7
PID 1284 wrote to memory of 1148 | 1284 | wmpdtc32.exe | wmpdtc32.exe | 2
Processes
Each entry below is a child of the entry above it; the number in brackets is its nesting depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2116

[2] C:\Users\Admin\AppData\Local\Temp\04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe"
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1968

[3] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\04A95B~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2808

[4] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\04A95B~1.EXE
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2904

[5] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2976

[6] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2200

[7] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 552

[8] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1036

[9] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2748

[10] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 584

[11] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1116

[12] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1284

[13] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 1148

[14] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2300

[15] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 1888

[16] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 1936

[17] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 2212

[18] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2416

[19] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 1716

[20] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2852

[21] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 2644

[22] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2780

[23] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 2396

[24] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 1972

[25] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 2204

[26] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 316

[27] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 1008

[28] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 824

[29] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 2504

[30] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2432

[31] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 828

[32] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 864

[33] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 2368

[34] C:\Windows\SysWOW64\wmpdtc32.exe
    Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    PID: 848
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
  Filesize: 204KB
  MD5: 04a95bd7e4345af91f13bae651eb26eb
  SHA1: 3226e69d6439cf983c9b87d6bc9414cfa9b05c2f
  SHA256: 0ea60e4e87ecad13abd8cbc519ab4f7935102cafa5186e3711353e2fcaa39f31
  SHA512: 6a59cc073224112db11f688c948b4c7bab5e1f7d9620a61af324a4d709510afa33dc5ac7ceefddc361703f69fe49fa86c9887ef617662adf52b848b4b663d4d7