Analysis
max time kernel: 147s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 23-06-2024 00:58
Static task: static1
Behavioral task: behavioral1
  Sample: 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
Size: 204KB
MD5: 04a95bd7e4345af91f13bae651eb26eb
SHA1: 3226e69d6439cf983c9b87d6bc9414cfa9b05c2f
SHA256: 0ea60e4e87ecad13abd8cbc519ab4f7935102cafa5186e3711353e2fcaa39f31
SHA512: 6a59cc073224112db11f688c948b4c7bab5e1f7d9620a61af324a4d709510afa33dc5ac7ceefddc361703f69fe49fa86c9887ef617662adf52b848b4b663d4d7
SSDEEP: 3072:Tjdk2pchLit819xFqIJtP/cKh7+QtUFah8e+U8hRqqT0jJ5qt89hHJ8g:322pcISFqTm7+3XUETfwJ+g
Malware Config
Extracted: metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | wmpdtc32.exe
Deletes itself 1 IoC
Processes:
pid | process
640 | wmpdtc32.exe
Executes dropped EXE 32 IoCs
Processes:
pid | process
3708 | wmpdtc32.exe
640 | wmpdtc32.exe
1248 | wmpdtc32.exe
4524 | wmpdtc32.exe
3928 | wmpdtc32.exe
3248 | wmpdtc32.exe
4376 | wmpdtc32.exe
4348 | wmpdtc32.exe
2144 | wmpdtc32.exe
2560 | wmpdtc32.exe
2416 | wmpdtc32.exe
4916 | wmpdtc32.exe
3892 | wmpdtc32.exe
3904 | wmpdtc32.exe
3968 | wmpdtc32.exe
2668 | wmpdtc32.exe
3068 | wmpdtc32.exe
1136 | wmpdtc32.exe
3540 | wmpdtc32.exe
1928 | wmpdtc32.exe
1676 | wmpdtc32.exe
2564 | wmpdtc32.exe
1884 | wmpdtc32.exe
2868 | wmpdtc32.exe
3440 | wmpdtc32.exe
3976 | wmpdtc32.exe
3840 | wmpdtc32.exe
2148 | wmpdtc32.exe
4276 | wmpdtc32.exe
3252 | wmpdtc32.exe
4768 | wmpdtc32.exe
4572 | wmpdtc32.exe
Processes:
resource | yara_rule
behavioral2/memory/5056-1-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/5056-4-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/5056-6-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/5056-5-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/640-46-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/5056-48-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/640-51-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4524-58-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/640-59-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/3248-68-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4524-69-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/3248-78-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4348-87-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2560-96-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/3904-105-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4916-106-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/3904-115-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2668-124-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1136-134-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1928-143-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2868-153-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2564-156-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/3976-164-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2868-167-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2148-175-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/3976-178-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2148-188-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/3252-198-0x0000000000400000-0x0000000000456000-memory.dmp | upx
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdtc32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdtc32.exe
Drops file in System32 directory 48 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File created | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\wmpdtc32.exe | wmpdtc32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpdtc32.exe
Suspicious use of SetThreadContext 17 IoCs
Processes:
description | pid | process | target process
PID 712 set thread context of 5056 | 712 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
PID 3708 set thread context of 640 | 3708 | wmpdtc32.exe | wmpdtc32.exe
PID 1248 set thread context of 4524 | 1248 | wmpdtc32.exe | wmpdtc32.exe
PID 3928 set thread context of 3248 | 3928 | wmpdtc32.exe | wmpdtc32.exe
PID 4376 set thread context of 4348 | 4376 | wmpdtc32.exe | wmpdtc32.exe
PID 2144 set thread context of 2560 | 2144 | wmpdtc32.exe | wmpdtc32.exe
PID 2416 set thread context of 4916 | 2416 | wmpdtc32.exe | wmpdtc32.exe
PID 3892 set thread context of 3904 | 3892 | wmpdtc32.exe | wmpdtc32.exe
PID 3968 set thread context of 2668 | 3968 | wmpdtc32.exe | wmpdtc32.exe
PID 3068 set thread context of 1136 | 3068 | wmpdtc32.exe | wmpdtc32.exe
PID 3540 set thread context of 1928 | 3540 | wmpdtc32.exe | wmpdtc32.exe
PID 1676 set thread context of 2564 | 1676 | wmpdtc32.exe | wmpdtc32.exe
PID 1884 set thread context of 2868 | 1884 | wmpdtc32.exe | wmpdtc32.exe
PID 3440 set thread context of 3976 | 3440 | wmpdtc32.exe | wmpdtc32.exe
PID 3840 set thread context of 2148 | 3840 | wmpdtc32.exe | wmpdtc32.exe
PID 4276 set thread context of 3252 | 4276 | wmpdtc32.exe | wmpdtc32.exe
PID 4768 set thread context of 4572 | 4768 | wmpdtc32.exe | wmpdtc32.exe
Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 16 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpdtc32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
5056 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
5056 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
5056 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
5056 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
640 | wmpdtc32.exe
640 | wmpdtc32.exe
640 | wmpdtc32.exe
640 | wmpdtc32.exe
4524 | wmpdtc32.exe
4524 | wmpdtc32.exe
4524 | wmpdtc32.exe
4524 | wmpdtc32.exe
3248 | wmpdtc32.exe
3248 | wmpdtc32.exe
3248 | wmpdtc32.exe
3248 | wmpdtc32.exe
4348 | wmpdtc32.exe
4348 | wmpdtc32.exe
4348 | wmpdtc32.exe
4348 | wmpdtc32.exe
2560 | wmpdtc32.exe
2560 | wmpdtc32.exe
2560 | wmpdtc32.exe
2560 | wmpdtc32.exe
4916 | wmpdtc32.exe
4916 | wmpdtc32.exe
4916 | wmpdtc32.exe
4916 | wmpdtc32.exe
3904 | wmpdtc32.exe
3904 | wmpdtc32.exe
3904 | wmpdtc32.exe
3904 | wmpdtc32.exe
2668 | wmpdtc32.exe
2668 | wmpdtc32.exe
2668 | wmpdtc32.exe
2668 | wmpdtc32.exe
1136 | wmpdtc32.exe
1136 | wmpdtc32.exe
1136 | wmpdtc32.exe
1136 | wmpdtc32.exe
1928 | wmpdtc32.exe
1928 | wmpdtc32.exe
1928 | wmpdtc32.exe
1928 | wmpdtc32.exe
2564 | wmpdtc32.exe
2564 | wmpdtc32.exe
2564 | wmpdtc32.exe
2564 | wmpdtc32.exe
2868 | wmpdtc32.exe
2868 | wmpdtc32.exe
2868 | wmpdtc32.exe
2868 | wmpdtc32.exe
3976 | wmpdtc32.exe
3976 | wmpdtc32.exe
3976 | wmpdtc32.exe
3976 | wmpdtc32.exe
2148 | wmpdtc32.exe
2148 | wmpdtc32.exe
2148 | wmpdtc32.exe
2148 | wmpdtc32.exe
3252 | wmpdtc32.exe
3252 | wmpdtc32.exe
3252 | wmpdtc32.exe
3252 | wmpdtc32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 712 wrote to memory of 5056 | 712 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
PID 712 wrote to memory of 5056 | 712 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
PID 712 wrote to memory of 5056 | 712 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
PID 712 wrote to memory of 5056 | 712 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
PID 712 wrote to memory of 5056 | 712 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
PID 712 wrote to memory of 5056 | 712 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
PID 712 wrote to memory of 5056 | 712 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
PID 5056 wrote to memory of 3708 | 5056 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | wmpdtc32.exe
PID 5056 wrote to memory of 3708 | 5056 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | wmpdtc32.exe
PID 5056 wrote to memory of 3708 | 5056 | 04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe | wmpdtc32.exe
PID 3708 wrote to memory of 640 | 3708 | wmpdtc32.exe | wmpdtc32.exe
PID 3708 wrote to memory of 640 | 3708 | wmpdtc32.exe | wmpdtc32.exe
PID 3708 wrote to memory of 640 | 3708 | wmpdtc32.exe | wmpdtc32.exe
PID 3708 wrote to memory of 640 | 3708 | wmpdtc32.exe | wmpdtc32.exe
PID 3708 wrote to memory of 640 | 3708 | wmpdtc32.exe | wmpdtc32.exe
PID 3708 wrote to memory of 640 | 3708 | wmpdtc32.exe | wmpdtc32.exe
PID 3708 wrote to memory of 640 | 3708 | wmpdtc32.exe | wmpdtc32.exe
PID 640 wrote to memory of 1248 | 640 | wmpdtc32.exe | wmpdtc32.exe
PID 640 wrote to memory of 1248 | 640 | wmpdtc32.exe | wmpdtc32.exe
PID 640 wrote to memory of 1248 | 640 | wmpdtc32.exe | wmpdtc32.exe
PID 1248 wrote to memory of 4524 | 1248 | wmpdtc32.exe | wmpdtc32.exe
PID 1248 wrote to memory of 4524 | 1248 | wmpdtc32.exe | wmpdtc32.exe
PID 1248 wrote to memory of 4524 | 1248 | wmpdtc32.exe | wmpdtc32.exe
PID 1248 wrote to memory of 4524 | 1248 | wmpdtc32.exe | wmpdtc32.exe
PID 1248 wrote to memory of 4524 | 1248 | wmpdtc32.exe | wmpdtc32.exe
PID 1248 wrote to memory of 4524 | 1248 | wmpdtc32.exe | wmpdtc32.exe
PID 1248 wrote to memory of 4524 | 1248 | wmpdtc32.exe | wmpdtc32.exe
PID 4524 wrote to memory of 3928 | 4524 | wmpdtc32.exe | wmpdtc32.exe
PID 4524 wrote to memory of 3928 | 4524 | wmpdtc32.exe | wmpdtc32.exe
PID 4524 wrote to memory of 3928 | 4524 | wmpdtc32.exe | wmpdtc32.exe
PID 3928 wrote to memory of 3248 | 3928 | wmpdtc32.exe | wmpdtc32.exe
PID 3928 wrote to memory of 3248 | 3928 | wmpdtc32.exe | wmpdtc32.exe
PID 3928 wrote to memory of 3248 | 3928 | wmpdtc32.exe | wmpdtc32.exe
PID 3928 wrote to memory of 3248 | 3928 | wmpdtc32.exe | wmpdtc32.exe
PID 3928 wrote to memory of 3248 | 3928 | wmpdtc32.exe | wmpdtc32.exe
PID 3928 wrote to memory of 3248 | 3928 | wmpdtc32.exe | wmpdtc32.exe
PID 3928 wrote to memory of 3248 | 3928 | wmpdtc32.exe | wmpdtc32.exe
PID 3248 wrote to memory of 4376 | 3248 | wmpdtc32.exe | wmpdtc32.exe
PID 3248 wrote to memory of 4376 | 3248 | wmpdtc32.exe | wmpdtc32.exe
PID 3248 wrote to memory of 4376 | 3248 | wmpdtc32.exe | wmpdtc32.exe
PID 4376 wrote to memory of 4348 | 4376 | wmpdtc32.exe | wmpdtc32.exe
PID 4376 wrote to memory of 4348 | 4376 | wmpdtc32.exe | wmpdtc32.exe
PID 4376 wrote to memory of 4348 | 4376 | wmpdtc32.exe | wmpdtc32.exe
PID 4376 wrote to memory of 4348 | 4376 | wmpdtc32.exe | wmpdtc32.exe
PID 4376 wrote to memory of 4348 | 4376 | wmpdtc32.exe | wmpdtc32.exe
PID 4376 wrote to memory of 4348 | 4376 | wmpdtc32.exe | wmpdtc32.exe
PID 4376 wrote to memory of 4348 | 4376 | wmpdtc32.exe | wmpdtc32.exe
PID 4348 wrote to memory of 2144 | 4348 | wmpdtc32.exe | wmpdtc32.exe
PID 4348 wrote to memory of 2144 | 4348 | wmpdtc32.exe | wmpdtc32.exe
PID 4348 wrote to memory of 2144 | 4348 | wmpdtc32.exe | wmpdtc32.exe
PID 2144 wrote to memory of 2560 | 2144 | wmpdtc32.exe | wmpdtc32.exe
PID 2144 wrote to memory of 2560 | 2144 | wmpdtc32.exe | wmpdtc32.exe
PID 2144 wrote to memory of 2560 | 2144 | wmpdtc32.exe | wmpdtc32.exe
PID 2144 wrote to memory of 2560 | 2144 | wmpdtc32.exe | wmpdtc32.exe
PID 2144 wrote to memory of 2560 | 2144 | wmpdtc32.exe | wmpdtc32.exe
PID 2144 wrote to memory of 2560 | 2144 | wmpdtc32.exe | wmpdtc32.exe
PID 2144 wrote to memory of 2560 | 2144 | wmpdtc32.exe | wmpdtc32.exe
PID 2560 wrote to memory of 2416 | 2560 | wmpdtc32.exe | wmpdtc32.exe
PID 2560 wrote to memory of 2416 | 2560 | wmpdtc32.exe | wmpdtc32.exe
PID 2560 wrote to memory of 2416 | 2560 | wmpdtc32.exe | wmpdtc32.exe
PID 2416 wrote to memory of 4916 | 2416 | wmpdtc32.exe | wmpdtc32.exe
PID 2416 wrote to memory of 4916 | 2416 | wmpdtc32.exe | wmpdtc32.exe
PID 2416 wrote to memory of 4916 | 2416 | wmpdtc32.exe | wmpdtc32.exe
PID 2416 wrote to memory of 4916 | 2416 | wmpdtc32.exe | wmpdtc32.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 712

Level 2: C:\Users\Admin\AppData\Local\Temp\04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04a95bd7e4345af91f13bae651eb26eb_JaffaCakes118.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5056

Level 3: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\04A95B~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3708

Level 4: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\04A95B~1.EXE
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 640

Level 5: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1248

Level 6: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4524

Level 7: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3928

Level 8: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3248

Level 9: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4376

Level 10: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4348

Level 11: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2144

Level 12: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2560

Level 13: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2416

Level 14: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 4916

Level 15: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3892

Level 16: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 3904

Level 17: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3968

Level 18: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 2668

Level 19: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3068

Level 20: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 1136

Level 21: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3540

Level 22: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 1928

Level 23: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1676

Level 24: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 2564

Level 25: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1884

Level 26: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 2868

Level 27: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3440

Level 28: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 3976

Level 29: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3840

Level 30: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 2148

Level 31: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4276

Level 32: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 3252

Level 33: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4768

Level 34: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
  PID: 4572
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 204KB
MD5: 04a95bd7e4345af91f13bae651eb26eb
SHA1: 3226e69d6439cf983c9b87d6bc9414cfa9b05c2f
SHA256: 0ea60e4e87ecad13abd8cbc519ab4f7935102cafa5186e3711353e2fcaa39f31
SHA512: 6a59cc073224112db11f688c948b4c7bab5e1f7d9620a61af324a4d709510afa33dc5ac7ceefddc361703f69fe49fa86c9887ef617662adf52b848b4b663d4d7
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e