Analysis
max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 03:55
Static task: static1
Behavioral task: behavioral1
  Sample: 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
Size: 152KB
MD5: 0521e318661e12962ec8241369f2168e
SHA1: 0029f82f3d33d7f34eaa248eb3fd4d45bff5ef8f
SHA256: a645525176dc50a4957defdc3bb8a7dce27a64c099dfe6b2aeb00a9309266647
SHA512: 41093c8320126682846b75bec3c2673c740a5eed0471407e258feb63dbc58a103c2ffc290857079907b13b3d9edfa367b60566aac48676bb7f8fb9fc63643fa3
SSDEEP: 3072:WbEM+BtAG0HrXABZIOY35GFUtEbBqqJKCPNsu9UKnti48j:6xGQDAHOGFQqAku36Mj
Malware Config
Extracted: metasploit
Encoder: encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                 process                                              count
Key value queried  \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation  wmpdlp32.exe                                         14
Key value queried  \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation  0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  1
Deletes itself (1 IoCs)
Processes:
pid   process
4496  wmpdlp32.exe
Executes dropped EXE (30 IoCs)
Processes:
process: wmpdlp32.exe, in every case; pids, in the order reported (3608 appears twice, i.e. the PID was reused):
4592, 4496, 4980, 2616, 3608, 528, 4348, 3076, 1016, 4272, 1692, 4728, 384, 3452, 3392, 5108, 1920, 4808, 3608, 3784, 5064, 4824, 2284, 3680, 2008, 4340, 4308, 1136, 4064, 3620
Memory dumps matching yara_rule upx (27 IoCs)
Processes:
yara_rule: upx
resource: behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000456000-memory.dmp; every match covers that same region, for the following <pid>-<n> values in the order reported:
1408-0, 1408-5, 1408-4, 1408-3, 4496-44, 1408-47, 2616-54, 4496-52, 4496-55, 2616-64, 3076-72, 528-71, 4272-78, 3076-80, 4272-86, 4728-89, 4728-90, 4728-97, 3452-107, 5108-113, 3784-120, 4808-121, 3784-129, 4824-138, 3680-147, 4340-155, 1136-163
Maps connected drives based on registry (3 TTPs, 32 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                         process                                              count
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  wmpdlp32.exe                                         15
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  1
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    wmpdlp32.exe                                         15
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  1
Drops file in System32 directory (46 IoCs)
Processes:
description                   ioc                               process                                              count
File opened for modification  C:\Windows\SysWOW64\wmpdlp32.exe  wmpdlp32.exe                                         14
File opened for modification  C:\Windows\SysWOW64\wmpdlp32.exe  0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  1
File opened for modification  C:\Windows\SysWOW64\              wmpdlp32.exe                                         15
File opened for modification  C:\Windows\SysWOW64\              0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  1
File created                  C:\Windows\SysWOW64\wmpdlp32.exe  wmpdlp32.exe                                         14
File created                  C:\Windows\SysWOW64\wmpdlp32.exe  0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  1
Suspicious use of SetThreadContext (16 IoCs)
Processes:
description (pid set thread context of target pid)  process                                              target process
3260 -> 1408                                        0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
4592 -> 4496                                        wmpdlp32.exe                                         wmpdlp32.exe
4980 -> 2616                                        wmpdlp32.exe                                         wmpdlp32.exe
3608 -> 528                                         wmpdlp32.exe                                         wmpdlp32.exe
4348 -> 3076                                        wmpdlp32.exe                                         wmpdlp32.exe
1016 -> 4272                                        wmpdlp32.exe                                         wmpdlp32.exe
1692 -> 4728                                        wmpdlp32.exe                                         wmpdlp32.exe
384 -> 3452                                         wmpdlp32.exe                                         wmpdlp32.exe
3392 -> 5108                                        wmpdlp32.exe                                         wmpdlp32.exe
1920 -> 4808                                        wmpdlp32.exe                                         wmpdlp32.exe
3608 -> 3784                                        wmpdlp32.exe                                         wmpdlp32.exe
5064 -> 4824                                        wmpdlp32.exe                                         wmpdlp32.exe
2284 -> 3680                                        wmpdlp32.exe                                         wmpdlp32.exe
2008 -> 4340                                        wmpdlp32.exe                                         wmpdlp32.exe
4308 -> 1136                                        wmpdlp32.exe                                         wmpdlp32.exe
4064 -> 3620                                        wmpdlp32.exe                                         wmpdlp32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (15 IoCs)
Processes:
description  ioc                                                                                                 process                                              count
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  wmpdlp32.exe                                         14
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  1
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes:
pid   process                                              count
1408  0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  4
4496  wmpdlp32.exe                                         4
2616  wmpdlp32.exe                                         4
528   wmpdlp32.exe                                         4
3076  wmpdlp32.exe                                         4
4272  wmpdlp32.exe                                         4
4728  wmpdlp32.exe                                         4
3452  wmpdlp32.exe                                         4
5108  wmpdlp32.exe                                         4
4808  wmpdlp32.exe                                         4
3784  wmpdlp32.exe                                         4
4824  wmpdlp32.exe                                         4
3680  wmpdlp32.exe                                         4
4340  wmpdlp32.exe                                         4
1136  wmpdlp32.exe                                         4
3620  wmpdlp32.exe                                         2
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description (pid wrote to memory of target pid)  process                                              target process                                       count
3260 -> 1408                                     0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  7
1408 -> 4592                                     0521e318661e12962ec8241369f2168e_JaffaCakes118.exe  wmpdlp32.exe                                         3
4592 -> 4496                                     wmpdlp32.exe                                         wmpdlp32.exe                                         7
4496 -> 4980                                     wmpdlp32.exe                                         wmpdlp32.exe                                         3
4980 -> 2616                                     wmpdlp32.exe                                         wmpdlp32.exe                                         7
2616 -> 3608                                     wmpdlp32.exe                                         wmpdlp32.exe                                         3
3608 -> 528                                      wmpdlp32.exe                                         wmpdlp32.exe                                         7
528 -> 4348                                      wmpdlp32.exe                                         wmpdlp32.exe                                         3
4348 -> 3076                                     wmpdlp32.exe                                         wmpdlp32.exe                                         7
3076 -> 1016                                     wmpdlp32.exe                                         wmpdlp32.exe                                         3
1016 -> 4272                                     wmpdlp32.exe                                         wmpdlp32.exe                                         7
4272 -> 1692                                     wmpdlp32.exe                                         wmpdlp32.exe                                         3
1692 -> 4728                                     wmpdlp32.exe                                         wmpdlp32.exe                                         4
Processes
Each process below is the child of the one listed above it; the depth in parentheses is the nesting level in the process tree.

C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe (depth 1, PID 3260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe (depth 2, PID 1408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 3, PID 4592)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 4, PID 4496)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 5, PID 4980)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 6, PID 2616)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 7, PID 3608)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 8, PID 528)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 9, PID 4348)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 10, PID 3076)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 11, PID 1016)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 12, PID 4272)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 13, PID 1692)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\wmpdlp32.exe (depth 14, PID 4728)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\wmpdlp32.exe (depth 15, PID 384)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Windows\SysWOW64\wmpdlp32.exe (depth 16, PID 3452)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\wmpdlp32.exe (depth 17, PID 3392)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Windows\SysWOW64\wmpdlp32.exe (depth 18, PID 5108)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\wmpdlp32.exe (depth 19, PID 1920)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Windows\SysWOW64\wmpdlp32.exe (depth 20, PID 4808)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\wmpdlp32.exe (depth 21, PID 3608)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Windows\SysWOW64\wmpdlp32.exe (depth 22, PID 3784)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\wmpdlp32.exe (depth 23, PID 5064)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Windows\SysWOW64\wmpdlp32.exe (depth 24, PID 4824)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\wmpdlp32.exe (depth 25, PID 2284)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Windows\SysWOW64\wmpdlp32.exe (depth 26, PID 3680)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\wmpdlp32.exe (depth 27, PID 2008)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Windows\SysWOW64\wmpdlp32.exe (depth 28, PID 4340)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\wmpdlp32.exe (depth 29, PID 4308)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Windows\SysWOW64\wmpdlp32.exe (depth 30, PID 1136)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\wmpdlp32.exe (depth 31, PID 4064)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Windows\SysWOW64\wmpdlp32.exe (depth 32, PID 3620)
  Command line: "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
Downloads

Filesize: 152KB
MD5: 0521e318661e12962ec8241369f2168e
SHA1: 0029f82f3d33d7f34eaa248eb3fd4d45bff5ef8f
SHA256: a645525176dc50a4957defdc3bb8a7dce27a64c099dfe6b2aeb00a9309266647
SHA512: 41093c8320126682846b75bec3c2673c740a5eed0471407e258feb63dbc58a103c2ffc290857079907b13b3d9edfa367b60566aac48676bb7f8fb9fc63643fa3

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these four values are the digests of zero-length input, i.e. this download is an empty file)