Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-06-2024 03:55
Static task: static1
Behavioral task: behavioral1
  Sample: 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
(The signatures, memory dumps and process tree below come from behavioral1, the Windows 7 x64 run; every PID refers to that run.)
General
Target: 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
Size: 152KB
MD5: 0521e318661e12962ec8241369f2168e
SHA1: 0029f82f3d33d7f34eaa248eb3fd4d45bff5ef8f
SHA256: a645525176dc50a4957defdc3bb8a7dce27a64c099dfe6b2aeb00a9309266647
SHA512: 41093c8320126682846b75bec3c2673c740a5eed0471407e258feb63dbc58a103c2ffc290857079907b13b3d9edfa367b60566aac48676bb7f8fb9fc63643fa3
SSDEEP: 3072:WbEM+BtAG0HrXABZIOY35GFUtEbBqqJKCPNsu9UKnti48j:6xGQDAHOGFQqAku36Mj
Malware Config
Extracted: metasploit
Encoder: encoder/call4_dword_xor (Metasploit's x86 "Call+4 Dword XOR" encoder; the identification rests on the decoder stub that precedes the encoded payload, no payload parameters were extracted)
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
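The config extractor's verdict above comes down to recognising the decoder stub that Metasploit's call4_dword_xor encoder prepends to a payload and reading the XOR key out of it. The following is an added example, not code from the sample, from the sandbox or from Metasploit: it rebuilds the 24-byte stub as commonly documented for that encoder (an assumption; msfvenom emits a different `sub ecx` encoding when bad characters force it, and NOP padding of the last dword is likewise this example's choice), XOR-encodes a constructed marker string under a chosen key, buries the result in junk bytes, and then recovers key, dword count and plaintext the way an extractor would.

```python
"""Recover the key from a Metasploit x86 call4_dword_xor blob and decode it.

Added example; not code from the sample, from the sandbox or from Metasploit.
Stub layout assumed (24 bytes, the form the encoder emits when bad-character
avoidance does not alter the 'sub ecx' instruction):

  31 C9              xor  ecx, ecx
  83 E9 <-n>         sub  ecx, -n               ; n = dwords to decode (imm8 form, n <= 128)
  E8 FF FF FF FF     call $+4                   ; returns onto its own last FF byte
  FF C1              inc  ecx                   ; that FF plus the C1 that follows the call
  5E                 pop  esi                   ; esi = address of the 'FF C1' bytes
  81 76 0E <key>     xor  dword [esi+0x0E], key ; esi+0x0E = first encoded dword
  83 EE FC           sub  esi, -4
  E2 F4              loop xor
  <encoded dwords>
"""
import struct
from typing import Tuple

STUB_LEN = 24
STUB_HEAD = b"\x31\xc9\x83\xe9"                         # xor ecx,ecx ; sub ecx, imm8
STUB_SIG = b"\xe8\xff\xff\xff\xff\xc1\x5e\x81\x76\x0e"  # call $+4 ; inc ecx ; pop esi ; xor [esi+0xe],
STUB_TAIL = b"\x83\xee\xfc\xe2\xf4"                     # sub esi,-4 ; loop

# Stub offsets: head 0..3, dword-count imm8 at 4, signature 5..14, key 15..18, tail 19..23.


def build_call4_stub(dword_count: int, key: int) -> bytes:
    """Emit the decoder stub for dword_count encoded dwords under a 32-bit key."""
    if not 1 <= dword_count <= 128:
        # 'sub ecx, imm8' reaches 128 dwords; beyond that the real encoder uses a
        # wider form that this constructed example does not model.
        raise ValueError("dword_count must be 1..128 for the imm8 form")
    return (STUB_HEAD + struct.pack("b", -dword_count)
            + STUB_SIG + struct.pack("<I", key) + STUB_TAIL)


def call4_xor_encode(payload: bytes, key: int, pad: bytes = b"\x90") -> bytes:
    """Pad to a dword boundary (NOPs, an assumption), XOR every dword with key, prepend the stub."""
    if len(payload) % 4:
        payload += pad * (4 - len(payload) % 4)
    body = b"".join(struct.pack("<I", w ^ key) for (w,) in struct.iter_unpack("<I", payload))
    return build_call4_stub(len(payload) // 4, key) + body


def find_call4_stub(blob: bytes) -> int:
    """Return the offset of a complete stub inside blob, or -1 if none is present."""
    idx = blob.find(STUB_SIG)
    while idx != -1:
        start = idx - 5
        if (start >= 0 and blob[start:start + 4] == STUB_HEAD
                and blob[idx + 14:idx + 19] == STUB_TAIL):
            return start
        idx = blob.find(STUB_SIG, idx + 1)
    return -1


def call4_xor_decode(blob: bytes) -> Tuple[int, int, bytes]:
    """Locate the stub, read key and dword count, return (key, count, decoded payload)."""
    start = find_call4_stub(blob)
    if start == -1:
        raise ValueError("no call4_dword_xor stub found")
    count = -struct.unpack("b", blob[start + 4:start + 5])[0]
    key = struct.unpack("<I", blob[start + 15:start + 19])[0]
    enc = blob[start + STUB_LEN:start + STUB_LEN + 4 * count]
    if len(enc) != 4 * count:
        raise ValueError("blob truncated before the end of the encoded payload")
    dec = b"".join(struct.pack("<I", w ^ key) for (w,) in struct.iter_unpack("<I", enc))
    return key, count, dec


# Constructed sample input: a marker string, not shellcode (37 bytes -> 40 after padding).
SAMPLE_PAYLOAD = b"constructed-marker-not-real-shellcode"
SAMPLE_KEY = 0xDEADBEEF


def demo() -> dict:
    """Encode the marker, surround it with junk, then recover key/count/payload from the blob."""
    blob = b"MZ" + bytes(range(64)) + call4_xor_encode(SAMPLE_PAYLOAD, SAMPLE_KEY) + b"\x00" * 16
    key, count, dec = call4_xor_decode(blob)
    return {"key": key, "count": count, "payload": dec.rstrip(b"\x90")}


if __name__ == "__main__":
    r = demo()
    print(f"key=0x{r['key']:08x} dwords={r['count']} payload={r['payload']!r}")
```

Searching for the ten-byte signature rather than the whole stub is deliberate: the bytes before it (the `sub ecx` encoding) and the key after it vary per sample, while `call $+4 ; inc ecx ; pop esi ; xor [esi+0xe]` does not.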
Deletes itself (1 IoC)
Processes:
  PID 2072  wmpdlp32.exe
Executes dropped EXE (34 IoCs)
Processes (all wmpdlp32.exe, in launch order): 2248, 2072, 2872, 2996, 2420, 1100, 1064, 1876, 2736, 548, 600, 960, 2916, 844, 944, 1256, 1724, 1200, 2112, 1640, 2776, 2200, 2572, 2528, 1316, 1672, 1948, 1328, 632, 2736, 596, 580, 1708, 2056
PID 2736 appears twice because Windows reused it: the depth-11 injector had exited before the depth-32 copy was created (see the process tree). When correlating these tables, key on PID plus creation time, not PID alone.
Loads dropped DLL (64 IoCs)
Processes (two load events each): 1692 (0521e318661e12962ec8241369f2168e_JaffaCakes118.exe), then wmpdlp32.exe PIDs 2248, 2072, 2872, 2996, 2420, 1100, 1064, 1876, 2736, 548, 600, 960, 2916, 844, 944, 1256, 1724, 1200, 2112, 1640, 2776, 2200, 2572, 2528, 1316, 1672, 1948, 1328, 632, 2736, 596
The listing is capped at 64 entries and stops at PID 596; the later processes 580, 1708 and 2056 fall past the cap.
UPX (yara rule "upx", 41 matches; the signature heading did not survive extraction)
Every match is the same region, 0x0000000000400000-0x0000000000456000: the main image, 0x56000 bytes mapped from a 152KB file, which is what an in-memory unpacked UPX image looks like. Every matched dump belongs to a hollowed child (a SetThreadContext target), never to the parent that launched it. Dump names follow the pattern behavioral1/memory/<pid>-<n>-0x0000000000400000-0x0000000000456000-memory.dmp; the <n> values per PID are:
  PID 1692: 2, 3, 4, 6, 7, 8, 9, 36
  PID 2072: 33, 54
  PID 2996: 55, 72
  PID 1100: 71, 90
  PID 1876: 89, 110
  PID 548: 107, 129
  PID 960: 126, 149
  PID 844: 146, 168
  PID 1256: 165, 187
  PID 1200: 184, 203
  PID 1640: 200, 216
  PID 2200: 213, 229
  PID 2528: 226, 242
  PID 1672: 239, 255
  PID 1328: 252, 268
  PID 2736: 265, 281
  PID 580: 278, 294
  PID 2056: 291
Maps connected drives based on registry (3 TTPs, 36 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe and 17 instances of wmpdlp32.exe (the hollowed children), one pair of events each:
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum      (18 events)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0    (18 events)
Value 0 under Disk\Enum holds the device instance path of the first disk. On a virtual machine that string normally carries the hypervisor's vendor or model name (VBOX_HARDDISK, VMware Virtual disk and the like), which is why a single read of it serves as a cheap virtualization check and why the signature classes it as sandbox detection.
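What a VM-aware sample gets out of that one registry value is shown by the following added example, which is not the sample's code and not part of the original report. On Windows it reads the numbered values under Disk\Enum with winreg; elsewhere it falls back to constructed device-instance strings in the usual `<bus>\Disk<vendor>_<model>\<instance>` form, and in both cases it reports which hypervisor marker, if any, each string carries. The marker list is an assumption; the report does not say which strings this sample compares against.

```python
"""Classify Disk\\Enum device-instance strings the way a VM-aware sample would.

Added example; not code from the sample or from the sandbox. The marker list
and the sample strings are assumptions/constructed values, not from the report.
"""
import re
from typing import List, Optional

# Substrings hypervisors leave in the first disk's device instance path (assumed list).
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen", "virtual", "msft")

# Constructed examples in the usual <bus>\Disk<vendor>_<model>\<instance> form.
SAMPLES = {
    "virtualbox": r"IDE\DiskVBOX_HARDDISK___________________1.0_____\5&1b4f3d3f&0&0.0.0",
    "vmware":     r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1b6a9c5d&0&000000",
    "qemu":       r"IDE\DiskQEMU_HARDDISK___________________0.10.2__\5&2c1a7e3b&0&0.0.0",
    "physical":   r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970\5&1c2a4b6d&0&000000",
}


def vendor_model(instance_path: str) -> str:
    """Drop the bus prefix and the trailing instance id, leaving the vendor/model text."""
    parts = instance_path.split("\\")
    middle = parts[1] if len(parts) >= 2 else instance_path
    # Normalise both 'DiskVBOX_HARDDISK___1.0' and 'Disk&Ven_VMware&Prod_Virtual_disk'.
    return re.sub(r"[_&]+", " ", middle).strip()


def vm_marker(instance_path: str) -> Optional[str]:
    """Return the first marker found in the vendor/model text, or None for unremarkable hardware."""
    text = vendor_model(instance_path).lower()
    for marker in VM_MARKERS:
        if marker in text:
            return marker
    return None


def read_disk_enum() -> List[str]:
    """On Windows, return every numbered value under Disk\\Enum; on other platforms return []."""
    try:
        import winreg
    except ImportError:
        return []
    path = r"SYSTEM\ControlSet001\Services\Disk\Enum"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count, _ = winreg.QueryValueEx(key, "Count")
        return [winreg.QueryValueEx(key, str(i))[0] for i in range(count)]


def assess(instance_paths: List[str]) -> dict:
    """Map each disk string to its marker; any non-None value is what a VM check would act on."""
    return {p: vm_marker(p) for p in instance_paths}


if __name__ == "__main__":
    live = read_disk_enum() or list(SAMPLES.values())
    for path, marker in assess(live).items():
        print(f"{marker or 'no marker':10} {path}")
```

Run on a sandbox guest, a non-empty marker for value 0 is the string that needs patching (or the key that needs access denied or a hook) before this class of check stops short-circuiting the analysis.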
Drops file in System32 directory (51 IoCs)
Processes: 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe and 16 instances of wmpdlp32.exe, the same three events each:
  File opened for modification  C:\Windows\SysWOW64\               (17 events)
  File created                  C:\Windows\SysWOW64\wmpdlp32.exe   (17 events)
  File opened for modification  C:\Windows\SysWOW64\wmpdlp32.exe   (17 events)
The sample is 32-bit, so the C:\Windows\system32\wmpdlp32.exe it names on its command lines is redirected by WOW64 file system redirection to C:\Windows\SysWOW64\wmpdlp32.exe; that is the path recorded here and used as the image path in the process tree. A 32-bit binary that "drops into System32" on a 64-bit host therefore ends up in SysWOW64, which is where detection content has to look.
Suspicious use of SetThreadContext (18 IoCs)
  source PID -> target PID   source image -> target image
  2128 -> 1692   0521e318661e12962ec8241369f2168e_JaffaCakes118.exe -> 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
  2248 -> 2072   wmpdlp32.exe -> wmpdlp32.exe
  2872 -> 2996   wmpdlp32.exe -> wmpdlp32.exe
  2420 -> 1100   wmpdlp32.exe -> wmpdlp32.exe
  1064 -> 1876   wmpdlp32.exe -> wmpdlp32.exe
  2736 -> 548    wmpdlp32.exe -> wmpdlp32.exe
  600 -> 960     wmpdlp32.exe -> wmpdlp32.exe
  2916 -> 844    wmpdlp32.exe -> wmpdlp32.exe
  944 -> 1256    wmpdlp32.exe -> wmpdlp32.exe
  1724 -> 1200   wmpdlp32.exe -> wmpdlp32.exe
  2112 -> 1640   wmpdlp32.exe -> wmpdlp32.exe
  2776 -> 2200   wmpdlp32.exe -> wmpdlp32.exe
  2572 -> 2528   wmpdlp32.exe -> wmpdlp32.exe
  1316 -> 1672   wmpdlp32.exe -> wmpdlp32.exe
  1948 -> 1328   wmpdlp32.exe -> wmpdlp32.exe
  632 -> 2736    wmpdlp32.exe -> wmpdlp32.exe
  596 -> 580     wmpdlp32.exe -> wmpdlp32.exe
  1708 -> 2056   wmpdlp32.exe -> wmpdlp32.exe
Every source sets the thread context of a newly created copy of its own image into which it has also written (see WriteProcessMemory below): the process-hollowing pattern. The targets are exactly the processes that match the upx yara rule and that go on to drop and launch the next copy.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (35 IoCs)
Processes (two events each unless noted): 1692 (0521e318661e12962ec8241369f2168e_JaffaCakes118.exe), then wmpdlp32.exe PIDs 2072, 2996, 1100, 1876, 548, 960, 844, 1256, 1200, 1640, 2200, 2528, 1672, 1328, 2736, 580, 2056 (one event)
Suspicious use of WriteProcessMemory (64 IoCs, listing capped)
  source PID -> target PID   source image -> target image   write events
  2128 -> 1692   0521e318661e12962ec8241369f2168e_JaffaCakes118.exe -> 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe   7
  1692 -> 2248   0521e318661e12962ec8241369f2168e_JaffaCakes118.exe -> wmpdlp32.exe   4
  2248 -> 2072   wmpdlp32.exe -> wmpdlp32.exe   7
  2072 -> 2872   wmpdlp32.exe -> wmpdlp32.exe   4
  2872 -> 2996   wmpdlp32.exe -> wmpdlp32.exe   7
  2996 -> 2420   wmpdlp32.exe -> wmpdlp32.exe   4
  2420 -> 1100   wmpdlp32.exe -> wmpdlp32.exe   7
  1100 -> 1064   wmpdlp32.exe -> wmpdlp32.exe   4
  1064 -> 1876   wmpdlp32.exe -> wmpdlp32.exe   7
  1876 -> 2736   wmpdlp32.exe -> wmpdlp32.exe   4
  2736 -> 548    wmpdlp32.exe -> wmpdlp32.exe   7
  548 -> 600     wmpdlp32.exe -> wmpdlp32.exe   2 (cut off by the 64-entry cap)
Two patterns alternate: seven writes from a parent into a same-image child that it then resumes via SetThreadContext (the hollowing step), and four writes from each hollowed child into the next wmpdlp32.exe it launches, for which no SetThreadContext is recorded (it starts the next injector but does not inject into it). The write count per pair is the quickest way to tell the two apart in this table.
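Read together, the SetThreadContext and WriteProcessMemory tables describe one step repeated 18 times: spawn a copy of your own image, write into it, set its thread context, and let that copy start the next generation. The following is an added example, not the sandbox's own code, that parses lines in the report's own format (a subset copied from the two tables above, with the repeated write lines kept because the write count per pair is what separates a hollowing step from a plain launch), pairs each SetThreadContext call with same-image writes, lists the plain launches, and walks the chain from the root PID.

```python
"""Reconstruct the injection chain from the report's SetThreadContext and
WriteProcessMemory tables.

Added example; not the sandbox's code. REPORT_LINES is a subset copied from the
tables above in the report's own line format; the write-line multipliers are the
per-pair counts shown there.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = "0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"
COPY = "wmpdlp32.exe"

REPORT_LINES = (
    [f"PID 2128 set thread context of 1692 2128 {SAMPLE} {SAMPLE}",
     f"PID 2248 set thread context of 2072 2248 {COPY} {COPY}",
     f"PID 2872 set thread context of 2996 2872 {COPY} {COPY}"]
    + [f"PID 2128 wrote to memory of 1692 2128 {SAMPLE} {SAMPLE}"] * 7
    + [f"PID 1692 wrote to memory of 2248 1692 {SAMPLE} {COPY}"] * 4
    + [f"PID 2248 wrote to memory of 2072 2248 {COPY} {COPY}"] * 7
    + [f"PID 2072 wrote to memory of 2872 2072 {COPY} {COPY}"] * 4
    + [f"PID 2872 wrote to memory of 2996 2872 {COPY} {COPY}"] * 7
    + [f"PID 2996 wrote to memory of 2420 2996 {COPY} {COPY}"] * 4
)

# "PID <src> <kind> <dst> <src again> <src image> <dst image>", as the report prints it.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)")

SET_CTX = "set thread context of"
WROTE = "wrote to memory of"


@dataclass(frozen=True)
class Event:
    src: int
    kind: str
    dst: int
    src_img: str
    dst_img: str


def parse_events(lines: List[str]) -> List[Event]:
    """Parse report lines in order; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append(Event(int(m["src"]), m["kind"], int(m["dst"]),
                                m["src_img"], m["dst_img"]))
    return events


def write_counts(events: List[Event]) -> Dict[Tuple[int, int], int]:
    """Write events per (source, target) pair, keyed in first-seen order."""
    counts: Dict[Tuple[int, int], int] = {}
    for e in events:
        if e.kind == WROTE:
            counts[(e.src, e.dst)] = counts.get((e.src, e.dst), 0) + 1
    return counts


def hollowing_pairs(events: List[Event]) -> List[Tuple[int, int, int]]:
    """SetThreadContext on a same-image child the source also wrote into: process hollowing."""
    writes = write_counts(events)
    return [(e.src, e.dst, writes[(e.src, e.dst)])
            for e in events
            if e.kind == SET_CTX
            and e.src_img.lower() == e.dst_img.lower()
            and writes.get((e.src, e.dst), 0) > 0]


def plain_launches(events: List[Event]) -> List[Tuple[int, int, int]]:
    """Write pairs with no SetThreadContext: a hollowed child starting the next injector."""
    injected = {(e.src, e.dst) for e in events if e.kind == SET_CTX}
    return [(s, d, n) for (s, d), n in write_counts(events).items() if (s, d) not in injected]


def chain_from(events: List[Event], root: int) -> List[int]:
    """Follow each process's first write target from root; a PID seen twice ends the walk
    (PID reuse, as with 2736 in this report, would otherwise create a cycle)."""
    nxt: Dict[int, int] = {}
    for (s, d) in write_counts(events):
        nxt.setdefault(s, d)
    chain, cur = [root], root
    while cur in nxt and nxt[cur] not in chain:
        cur = nxt[cur]
        chain.append(cur)
    return chain


if __name__ == "__main__":
    ev = parse_events(REPORT_LINES)
    print("hollowing:", hollowing_pairs(ev))
    print("launches :", plain_launches(ev))
    print("chain    :", chain_from(ev, 2128))
```

Fed the full tables, the same three functions give the 18 injector/hollowed pairs, the 17 launches between generations, and the 36-process chain that the tree below shows one node at a time.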
Processes
Depth is the nesting level in the process tree (the "N⤵" markers of the original rendering). Each entry gives the image path, the command line as recorded, and the signatures that process hit.

depth 1   PID 2128   C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 2   PID 1692   C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 3   PID 2248   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 4   PID 2072   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 5   PID 2872   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 6   PID 2996   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 7   PID 2420   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 8   PID 1100   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 9   PID 1064   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 10  PID 1876   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 11  PID 2736   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 12  PID 548    C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 13  PID 600    C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 14  PID 960    C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 15  PID 2916   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 16  PID 844    C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 17  PID 944    C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 18  PID 1256   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 19  PID 1724   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 20  PID 1200   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 21  PID 2112   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 22  PID 1640   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 23  PID 2776   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 24  PID 2200   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 25  PID 2572   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 26  PID 2528   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 27  PID 1316   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 28  PID 1672   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 29  PID 1948   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 30  PID 1328   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 31  PID 632    C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 32  PID 2736   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 33  PID 596    C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
depth 34  PID 580    C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
depth 35  PID 1708   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
depth 36  PID 2056   C:\Windows\SysWOW64\wmpdlp32.exe
  cmdline: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses

Reading the tree: odd depths are the injectors (SetThreadContext), even depths are the hollowed copies that do the work (registry read, file drop, process enumeration) and start the next injector. The first dropped copy (depths 3 and 4) is passed the 8.3 short path of the original sample, C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE, and its hollowed instance, PID 2072, is the one tagged Deletes itself; every later generation is passed its own path, C:\Windows\SysWOW64\wmpdlp32.exe. The chain was still growing when the 149s kernel time limit ended the run, which is why the last three processes carry fewer tags.
TTP counts in the signatures above refer to MITRE ATT&CK Enterprise v15.
Downloads
- (no file size given; these are the well-known digests of zero-length input, i.e. an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 152KB (identical digests to the submitted sample under General, so this file is a byte-for-byte copy of it)
  MD5: 0521e318661e12962ec8241369f2168e
  SHA1: 0029f82f3d33d7f34eaa248eb3fd4d45bff5ef8f
  SHA256: a645525176dc50a4957defdc3bb8a7dce27a64c099dfe6b2aeb00a9309266647
  SHA512: 41093c8320126682846b75bec3c2673c740a5eed0471407e258feb63dbc58a103c2ffc290857079907b13b3d9edfa367b60566aac48676bb7f8fb9fc63643fa3