Analysis
-
max time kernel
149s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-06-2024 03:36
Static task
static1
Behavioral task
behavioral1
Sample
05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe
-
Size
199KB
-
MD5
05171987fef579a9d8cdbd0d55a0cd2a
-
SHA1
9f544cea0983f681ff2692849af58cb0a986ed8b
-
SHA256
e9f3b699944a582ef2718d6e361daa54fee2ea06abe0806cdbbe739a58199ee4
-
SHA512
03542059fed2061dff3b9321e6fc579b15c939b7070d4ec5afa66923082f3fdd73bc29e86734291b95c378429d8f2344b0737be6eb6a25675740a366e2d32de6
-
SSDEEP
3072:XdmO0+1JiNRHw7PX6faRK+IhPqC/csULzqzUoj3NDSdzGD/9ZDYKT3XVlK:tSrRHw7JIECklzYUA3NDAzA3x3XV4
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Deletes itself 1 IoCs
Processes:
pid process
3160 wmpdtc32.exe
Executes dropped EXE 30 IoCs
Maps connected drives based on registry 3 TTPs 32 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 45 IoCs
Suspicious use of SetThreadContext 16 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 15 IoCs
Suspicious behavior: EnumeratesProcesses 62 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\05171987fef579a9d8cdbd0d55a0cd2a_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\051719~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\051719~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4408 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1116 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:412 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3984 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1776 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1944 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3552 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4772 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1580 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1404 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4564 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3472 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1988 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3796 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1164 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3224 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3428 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4640 -
C:\Windows\SysWOW64\wmpdtc32.exe"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe32⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2524
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:81⤵
PID:3756
Network
MITRE ATT&CK Enterprise v15