Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 23-06-2024 03:36
Static task: static1
Behavioral task: behavioral1
  Sample: 05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
Size: 199KB
MD5: 05171987fef579a9d8cdbd0d55a0cd2a
SHA1: 9f544cea0983f681ff2692849af58cb0a986ed8b
SHA256: e9f3b699944a582ef2718d6e361daa54fee2ea06abe0806cdbbe739a58199ee4
SHA512: 03542059fed2061dff3b9321e6fc579b15c939b7070d4ec5afa66923082f3fdd73bc29e86734291b95c378429d8f2344b0737be6eb6a25675740a366e2d32de6
SSDEEP: 3072:XdmO0+1JiNRHw7PX6faRK+IhPqC/csULzqzUoj3NDSdzGD/9ZDYKT3XVlK:tSrRHw7JIECklzYUA3NDAzA3x3XV4
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
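The extracted configuration names the payload encoder as Metasploit's x86/call4_dword_xor. The following is an added example, not code from this report or from the Metasploit project, showing how an analyst can locate that encoder's decoder stub in a memory dump of one of the hollowed processes and recover the plaintext payload. The stub layout it searches for is written from memory of the Metasploit module and is an assumption to verify against `modules/encoders/x86/call4_dword_xor.rb`; the blob it decodes is constructed inside the block, not bytes taken from this sample.

```python
"""Locate a Metasploit x86/call4_dword_xor decoder stub and recover the payload.

Assumed stub layout (from memory of the Metasploit module; verify against the
real encoder before relying on it). Offsets are relative to the `call`:

    31 c9                 xor  ecx, ecx
    81 e9 <imm32>         sub  ecx, -(payload length in dwords)
 0  e8 ff ff ff ff        call $+4   ; lands on the call's own last byte
 4  ff c0                 inc  eax   ; the `ff` is shared with the call
 6  5e                    pop  esi   ; esi = return address = offset 5
 7  81 76 0e <key>        xor  dword [esi+0x0e], key   ; 5 + 0x0e = 19
14  83 ee fc              sub  esi, -4
17  e2 f4                 loop 7
19  <encoded payload>

So the encoded payload starts right after `loop` and is XORed one
little-endian dword at a time with <key>.
"""
import re
import struct

# Invariant part of the stub, from `call $+4` to `loop`, capturing the key.
# The counter setup in front of it varies (imm8 or imm32 form), so it is read
# separately once the invariant part has been found.
STUB_RE = re.compile(
    rb"\xe8\xff\xff\xff\xff"   # call $+4
    rb"\xc0"                   # inc eax (together with the call's last ff)
    rb"\x5e"                   # pop esi
    rb"\x81\x76\x0e(.{4})"     # xor dword [esi+0x0e], <key>
    rb"\x83\xee\xfc"           # sub esi, -4
    rb"\xe2\xf4",              # loop
    re.DOTALL,
)


def _dword_count(buf, stub_start):
    """Read N from the `sub ecx, -N` that precedes the invariant stub.
    Returns None if neither the imm32 (81 e9) nor the imm8 (83 e9) form is there."""
    if stub_start >= 6 and buf[stub_start - 6:stub_start - 4] == b"\x81\xe9":
        return -struct.unpack("<i", buf[stub_start - 4:stub_start])[0]
    if stub_start >= 3 and buf[stub_start - 3:stub_start - 1] == b"\x83\xe9":
        return -struct.unpack("<b", buf[stub_start - 1:stub_start])[0]
    return None


def xor_dwords(data, key):
    """XOR with a repeating 4-byte key; byte-wise this equals the stub's dword
    XOR because both the key immediate and memory are little-endian."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def find_and_decode(buf):
    """Return (key, decoded_payload) for the first stub in `buf`, or None.
    If the counter cannot be parsed, everything after the stub is decoded."""
    m = STUB_RE.search(buf)
    if m is None:
        return None
    key = m.group(1)
    count = _dword_count(buf, m.start())
    start = m.end()
    end = start + 4 * count if count else len(buf)
    return key, xor_dwords(buf[start:end], key)


def build_test_blob(payload, key):
    """Constructed input for offline testing (not bytes from this sample):
    pads the payload to a dword boundary and prepends the assumed stub."""
    padded = payload.ljust(-(-len(payload) // 4) * 4, b"\x90")
    stub = (b"\x31\xc9\x81\xe9" + struct.pack("<i", -(len(padded) // 4))
            + b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" + key
            + b"\x83\xee\xfc\xe2\xf4")
    return stub + xor_dwords(padded, key)


if __name__ == "__main__":
    blob = b"\x00" * 16 + build_test_blob(
        b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5", b"\x11\x22\x33\x44")
    key, plain = find_and_decode(blob)
    print("key", key.hex(), "payload", plain.hex())
```

Run it against a raw dump of the 0x400000-0x456000 region listed under the yara hits; if the stub is not found, the dump was probably taken before the hollowed image was written, or the encoder prefix differs from the assumed layout and only the key-carrying part needs adjusting.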
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself (1 IoC)
Processes:
  PID 2576  wmpdtc32.exe
Executes dropped EXE (26 IoCs)
Processes (all wmpdtc32.exe), by PID:
  2956, 2576, 2488, 3012, 2896, 3036, 2792, 1648, 1280, 1776, 2240, 2236, 752, 1492, 1076, 1092, 2196, 1768, 1604, 2300, 2652, 2908, 2468, 2348, 2876, 2824
Loads dropped DLL (26 IoCs)
Processes, by PID:
  2412  05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
  wmpdtc32.exe: 2956, 2576, 2488, 3012, 2896, 3036, 2792, 1648, 1280, 1776, 2240, 2236, 752, 1492, 1076, 1092, 2196, 1768, 1604, 2300, 2652, 2908, 2468, 2348, 2876
UPX-packed code in memory (yara rule upx, 37 IoCs)
Memory dumps matching rule upx. Every hit is the region 0x0000000000400000-0x0000000000456000 of behavioral1 (the default 32-bit image base), and the PIDs are exactly the SetThreadContext targets listed below; resource names follow the pattern behavioral1/memory/<pid>-<dump>-0x0000000000400000-0x0000000000456000-memory.dmp:
  PID 2412: dumps 3, 6, 4, 2, 7, 9, 8, 19
  PID 2576: dumps 29, 31, 32, 30, 35
  PID 3012: dumps 46, 48, 47, 53
  PID 3036: dumps 65, 71
  PID 1648: dumps 83, 88
  PID 1776: dumps 100, 106
  PID 2236: dump 122
  PID 1492: dumps 133, 140
  PID 1092: dumps 152, 157
  PID 1768: dumps 169, 174
  PID 2300: dumps 185, 191
  PID 2908: dumps 202, 208
  PID 2348: dumps 218, 225
  PID 2824: dump 236
Maps connected drives based on registry (3 TTPs, 28 IoCs)
Disk information is often read in order to detect sandboxing environments: Disk\Enum\0 holds the device instance path of the first disk, which on a virtual machine usually carries the hypervisor's vendor or model string.
Processes:
  Every flagged process does the same two things, giving one "Key opened" and one "Key value queried" IoC each:
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  14 processes: 05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe (1) and wmpdtc32.exe (13)
Drops file in System32 directory (39 IoCs)
Processes:
  Three IoC kinds, 13 of each; for every kind one IoC belongs to 05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe and the other 12 to wmpdtc32.exe instances:
    File created                  C:\Windows\SysWOW64\wmpdtc32.exe
    File opened for modification  C:\Windows\SysWOW64\wmpdtc32.exe
    File opened for modification  C:\Windows\SysWOW64\
Suspicious use of SetThreadContext (14 IoCs)
Processes (source PID -> target PID; source and target always run the same image):
  2384 -> 2412  05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
  2956 -> 2576  wmpdtc32.exe
  2488 -> 3012  wmpdtc32.exe
  2896 -> 3036  wmpdtc32.exe
  2792 -> 1648  wmpdtc32.exe
  1280 -> 1776  wmpdtc32.exe
  2240 -> 2236  wmpdtc32.exe
  752  -> 1492  wmpdtc32.exe
  1076 -> 1092  wmpdtc32.exe
  2196 -> 1768  wmpdtc32.exe
  1604 -> 2300  wmpdtc32.exe
  2652 -> 2908  wmpdtc32.exe
  2468 -> 2348  wmpdtc32.exe
  2876 -> 2824  wmpdtc32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes (each PID appears twice, except 2824 once):
  2412  05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
  wmpdtc32.exe: 2576, 3012, 3036, 1648, 1776, 2236, 1492, 1092, 1768, 2300, 2908, 2348, 2824
Suspicious use of WriteProcessMemory (64 IoCs; the listing stops at 64 entries, mid-chain)
Processes (source PID -> target PID, number of write IoCs, images):
  2384 -> 2412  x7  05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe -> 05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
  2412 -> 2956  x4  05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe -> wmpdtc32.exe
  2956 -> 2576  x7  wmpdtc32.exe -> wmpdtc32.exe
  2576 -> 2488  x4  wmpdtc32.exe -> wmpdtc32.exe
  2488 -> 3012  x7  wmpdtc32.exe -> wmpdtc32.exe
  3012 -> 2896  x4  wmpdtc32.exe -> wmpdtc32.exe
  2896 -> 3036  x7  wmpdtc32.exe -> wmpdtc32.exe
  3036 -> 2792  x4  wmpdtc32.exe -> wmpdtc32.exe
  2792 -> 1648  x7  wmpdtc32.exe -> wmpdtc32.exe
  1648 -> 1280  x4  wmpdtc32.exe -> wmpdtc32.exe
  1280 -> 1776  x7  wmpdtc32.exe -> wmpdtc32.exe
  1776 -> 2240  x2  wmpdtc32.exe -> wmpdtc32.exe (list truncated here)
The seven-write pairs are exactly the SetThreadContext pairs above, which is consistent with process hollowing (a parent overwriting the image of a freshly created copy of itself before resetting its thread context); the four-write pairs have no SetThreadContext and are the hollowed instance creating the next wmpdtc32.exe.
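The two tables above carry enough to reconstruct the injection chain mechanically. The following is an added example, not part of the sandbox report: it parses rows in the format printed above ("PID <src> <action> <dst> <src> <src image> <dst image>"), labels each writer-to-target pair, and walks the chain from the first PID. The rows embedded in the block are a subset copied from the tables; the row format and the three labels are this example's own assumptions.

```python
"""Rebuild the injection chain from the signature rows of this report.

Every writer->target pair is labelled:
  hollowing  the writer also reset the target's thread context and both run
             the same image (create suspended, overwrite, SetThreadContext,
             ResumeThread)
  injection  context was reset into a process running a different image
  spawn      writes with no SetThreadContext (ordinary child creation)
"""
import re

# Rows copied from the SetThreadContext and WriteProcessMemory tables above
# (a subset, enough to show the alternating pattern).
SET_CTX_ROWS = (
    "PID 2384 set thread context of 2412 2384 "
    "05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe "
    "05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe "
    "PID 2956 set thread context of 2576 2956 wmpdtc32.exe wmpdtc32.exe "
    "PID 2488 set thread context of 3012 2488 wmpdtc32.exe wmpdtc32.exe"
)
WPM_ROWS = (
    "PID 2384 wrote to memory of 2412 2384 "
    "05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe "
    "05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe "
    "PID 2384 wrote to memory of 2412 2384 "
    "05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe "
    "05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe "
    "PID 2412 wrote to memory of 2956 2412 "
    "05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe wmpdtc32.exe "
    "PID 2956 wrote to memory of 2576 2956 wmpdtc32.exe wmpdtc32.exe "
    "PID 2576 wrote to memory of 2488 2576 wmpdtc32.exe wmpdtc32.exe "
    "PID 2488 wrote to memory of 3012 2488 wmpdtc32.exe wmpdtc32.exe"
)

# One row as printed: the source PID is repeated after the target PID.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_rows(text):
    """Return one dict per row; works on the run-together text as printed."""
    return [m.groupdict() for m in ROW_RE.finditer(text)]


def classify(set_ctx_text, wpm_text):
    """Return [(src_pid, dst_pid, kind, write_count)] in first-seen order."""
    ctx_pairs = {(r["src"], r["dst"]) for r in parse_rows(set_ctx_text)}
    pairs = {}  # (src, dst) -> [src_img, dst_img, count]; dict keeps order
    for r in parse_rows(wpm_text):
        entry = pairs.setdefault((r["src"], r["dst"]),
                                 [r["src_img"], r["dst_img"], 0])
        entry[2] += 1
    out = []
    for (src, dst), (src_img, dst_img, n) in pairs.items():
        if (src, dst) in ctx_pairs:
            kind = "hollowing" if src_img == dst_img else "injection"
        else:
            kind = "spawn"
        out.append((src, dst, kind, n))
    return out


def chain(edges, root):
    """Follow writer->target edges from `root` and return the PIDs visited,
    stopping at a PID with no outgoing write or at a repeat."""
    nxt = {}
    for src, dst, _, _ in edges:
        nxt.setdefault(src, dst)
    path, seen = [root], {root}
    while path[-1] in nxt and nxt[path[-1]] not in seen:
        path.append(nxt[path[-1]])
        seen.add(path[-1])
    return path


if __name__ == "__main__":
    edges = classify(SET_CTX_ROWS, WPM_ROWS)
    for src, dst, kind, n in edges:
        print(f"{src} -> {dst}: {kind} ({n} writes)")
    print(" -> ".join(chain(edges, "2384")))
```

Feeding it the full tables yields the alternating hollowing/spawn sequence that the process tree below shows as depth 1 through 28: each hollowed instance does the real work (drops the file, reads Disk\Enum, spawns the next copy) while each un-hollowed parent only injects.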
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2384

Depth 2: C:\Users\Admin\AppData\Local\Temp\05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2412

Depth 3: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\051719~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2956

Depth 4: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\051719~1.EXE
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2576

Depth 5: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2488

Depth 6: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3012

Depth 7: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2896

Depth 8: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3036

Depth 9: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2792

Depth 10: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1648

Depth 11: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1280

Depth 12: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1776

Depth 13: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2240

Depth 14: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2236

Depth 15: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 752

Depth 16: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1492

Depth 17: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1076

Depth 18: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1092

Depth 19: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2196

Depth 20: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1768

Depth 21: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1604

Depth 22: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2300

Depth 23: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2652

Depth 24: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2908

Depth 25: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2468

Depth 26: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2348

Depth 27: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2876

Depth 28: C:\Windows\SysWOW64\wmpdtc32.exe
  Command line: "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 2824
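The tree shows the dropper writing wmpdtc32.exe into C:\Windows\SysWOW64 and then launching it with its own 8.3 short path (051719~1.EXE) as the argument; the copy that receives that argument is the one flagged "Deletes itself". The following is an added detection example, not part of the report: it runs over a constructed Sysmon-style event list (a file creation followed by process creations) built from the paths and PIDs above, and flags a process when its executable was written into a system directory by a process running from a user-writable location and its command line points back at the dropper's directory. The event field names are this example's own assumptions, not Sysmon's schema.

```python
"""Flag the drop-then-launch sequence from the process tree above."""
import ntpath

# Plain strings with doubled backslashes: a raw string cannot end in "\".
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe")

# Constructed events; PIDs, paths and command lines are taken from the tree.
EVENTS = [
    {"type": "file_create", "pid": 2412, "image": DROPPER,
     "target": r"C:\Windows\SysWOW64\wmpdtc32.exe"},
    {"type": "process_create", "pid": 2956, "ppid": 2412,
     "image": r"C:\Windows\SysWOW64\wmpdtc32.exe",
     "cmdline": r'"C:\Windows\system32\wmpdtc32.exe" '
                r"C:\Users\Admin\AppData\Local\Temp\051719~1.EXE"},
    # Benign control: a system binary started without any preceding drop.
    {"type": "process_create", "pid": 4100, "ppid": 600,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def _under(path, prefixes):
    p = path.lower()
    return any(p.startswith(x) for x in prefixes)


def detect_drop_and_launch(events):
    """Return [(pid, image, dropper, refers_back)] for launched drops.
    refers_back is True when the command line names the dropper's directory."""
    dropped = {}   # lowercase path of the dropped exe -> dropper image
    findings = []
    for ev in events:
        if ev["type"] == "file_create":
            # Remember executables that a user-profile process wrote into a
            # system directory; the launch is matched against this map.
            if _under(ev["image"], USER_WRITABLE) and _under(ev["target"], SYSTEM_DIRS):
                dropped[ev["target"].lower()] = ev["image"]
        elif ev["type"] == "process_create":
            dropper = dropped.get(ev["image"].lower())
            if dropper is None:
                continue
            # The argument is an 8.3 short name (051719~1.EXE), so a full-path
            # comparison would miss it; match on the dropper's directory instead.
            dropper_dir = ntpath.dirname(dropper).lower() + "\\"
            refers_back = dropper_dir in ev["cmdline"].lower()
            findings.append((ev["pid"], ev["image"], dropper, refers_back))
    return findings


if __name__ == "__main__":
    for pid, image, dropper, back in detect_drop_and_launch(EVENTS):
        print(pid, image, "dropped by", dropper, "| argument names dropper dir:", back)
```

The rule keys on directories rather than file names, so a legitimate installer running from a user profile that writes a binary into System32 and then runs it with a path argument will also fire; that is the expected tuning point, and the refers_back flag is what separates this sample's self-deleting launch from a plain drop.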
Network
MITRE ATT&CK Enterprise v15
Downloads
Entry 1 (the digests of a zero-byte file):
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Entry 2 (same size and digests as the submitted sample):
  Filesize: 199KB
  MD5: 05171987fef579a9d8cdbd0d55a0cd2a
  SHA1: 9f544cea0983f681ff2692849af58cb0a986ed8b
  SHA256: e9f3b699944a582ef2718d6e361daa54fee2ea06abe0806cdbbe739a58199ee4
  SHA512: 03542059fed2061dff3b9321e6fc579b15c939b7070d4ec5afa66923082f3fdd73bc29e86734291b95c378429d8f2344b0737be6eb6a25675740a366e2d32de6