Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
23-06-2024 06:39
Static task
static1
Behavioral task
behavioral1
Sample
0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe
-
Size
153KB
-
MD5
0567b4eb2f5c00044a3d337af8849364
-
SHA1
20b59deab88910f098df451801d2556e379bad75
-
SHA256
059cf6f00c8c11d3bb2deae0b3aebf2e101b8c010731b0c0dc33db47eed05d88
-
SHA512
361f88d728846af28f974b7512fe0c84b43ca58df8cf3d3e5ba5fe1a7b4e95861fee44752cd478493daf8e2f2232d207d1923994ee2dea9d33a0e58141ce3ce6
-
SSDEEP
3072:iP/tBIr9b7BZ+pTQ4tawCzWWQFL6NFpIv51pBX6HvtB+DS8+:4/PIr57BZCTQ4ta/NQFLQFpE70viS8+
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
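The encoder named in the extracted config is Metasploit's x86/call4_dword_xor. As an added illustration that is not part of this report, the Python below re-creates the stub layout used by the public encoder module for a constructed payload, then recognises the stub, pulls out the block count and key, and strips it. The payload bytes and the key 0xDEADBEEF are made up for the demo; the report does not include the sample's actual stub or key, and the parser assumes the canonical stub (a variant produced under bad-character constraints can clear or adjust ecx differently and would need an extra pattern).

```python
import struct

# Layout of the x86/call4_dword_xor decoder stub as emitted by the public Metasploit
# encoder module (modules/encoders/x86/call4_dword_xor.rb). Only two fields vary per
# sample: the block count N folded into "sub ecx, -N" and the 4-byte XOR key.
#
#   31 c9                 xor ecx, ecx
#   83 e9 ib | 81 e9 id   sub ecx, -N          (N = number of 4-byte blocks)
#   e8 ff ff ff ff        call $+4             (lands on the last ff: "ff c0" = inc eax)
#   c0
#   5e                    pop esi              (esi = pushed return address = stub + 5)
#   81 76 0e KK KK KK KK  xor dword [esi+0xe], key
#   83 ee fc              sub esi, -4
#   e2 f4                 loop back to the xor
#   <encoded blocks>                           (first block at stub + 5 + 0xe)
_STUB_MID = b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
_STUB_TAIL = b"\x83\xee\xfc\xe2\xf4"
_MIN_STUB_LEN = 2 + 3 + len(_STUB_MID) + 4 + len(_STUB_TAIL)  # 24 bytes with imm8 sub


def _xor_blocks(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword of data with key (len(data) must be a multiple of 4)."""
    return b"".join(
        struct.pack("<I", struct.unpack_from("<I", data, i)[0] ^ key)
        for i in range(0, len(data), 4)
    )


def encode_call4_dword_xor(payload: bytes, key: int) -> bytes:
    """Re-create the encoder's output for a constructed payload so the decoder can be
    exercised offline. The 0x90 padding is a simplification of the real encoder's padding."""
    padded = payload + b"\x90" * (-len(payload) % 4)
    nblocks = len(padded) // 4
    if nblocks <= 0x80:
        sub_ecx = b"\x83\xe9" + struct.pack("<b", -nblocks)   # imm8 form of sub ecx, -N
    else:
        sub_ecx = b"\x81\xe9" + struct.pack("<i", -nblocks)   # imm32 form of sub ecx, -N
    stub = b"\x31\xc9" + sub_ecx + _STUB_MID + struct.pack("<I", key) + _STUB_TAIL
    return stub + _xor_blocks(padded, key)


def parse_call4_stub(blob: bytes):
    """Return (payload_offset, nblocks, key) if blob starts with the canonical stub, else None."""
    if len(blob) < _MIN_STUB_LEN or blob[:2] != b"\x31\xc9":
        return None
    if blob[2:4] == b"\x83\xe9":
        nblocks, off = -struct.unpack_from("<b", blob, 4)[0], 5
    elif blob[2:4] == b"\x81\xe9":
        nblocks, off = -struct.unpack_from("<i", blob, 4)[0], 8
    else:
        return None
    if nblocks <= 0 or blob[off:off + len(_STUB_MID)] != _STUB_MID:
        return None
    off += len(_STUB_MID)
    key = struct.unpack_from("<I", blob, off)[0]
    off += 4
    if blob[off:off + len(_STUB_TAIL)] != _STUB_TAIL:
        return None
    return off + len(_STUB_TAIL), nblocks, key


def decode_call4_dword_xor(blob: bytes) -> bytes:
    """Strip the stub and return the decoded payload (encoder padding included)."""
    parsed = parse_call4_stub(blob)
    if parsed is None:
        raise ValueError("blob does not start with a call4_dword_xor decoder stub")
    off, nblocks, key = parsed
    body = blob[off:off + 4 * nblocks]
    if len(body) != 4 * nblocks:
        raise ValueError("encoded body is truncated")
    return _xor_blocks(body, key)


if __name__ == "__main__":
    # Constructed input: not the report's sample, just bytes chosen for the demo.
    demo = encode_call4_dword_xor(b"CONSTRUCTED TEST PAYLOAD", 0xDEADBEEF)
    offset, count, key = parse_call4_stub(demo)
    print(f"stub ends at {offset}, {count} blocks, key 0x{key:08x}")
    print(decode_call4_dword_xor(demo))
```

The decoded output still carries the encoder's alignment padding after the real payload; when triaging a sample, run the decoded bytes through the same stub check again, since msfvenom can stack several encoder iterations.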
-
Deletes itself 1 IoCs
Processes:
pid process
2652 wnpxc2.exe (the copy started with the original sample's path, C:\Users\Admin\AppData\Local\Temp\0567B4~1.EXE, on its command line; see the process tree) -
Executes dropped EXE 46 IoCs
Processes:
pid process
All 46 entries are instances of wnpxc2.exe, the file dropped to C:\Windows\SysWOW64. PIDs in report order:
2556, 2652, 2696, 2464, 1796, 2760, 384, 1952, 2184, 2424, 2056, 2272, 1252, 684, 448, 2204, 1872, 2824, 780, 2952, 2812, 2112, 908, 2592, 2764, 2448, 2196, 2900, 2864, 2544, 1676, 2508, 1184, 632, 2368, 2836, 1632, 1160, 1272, 1092, 696, 2220, 616, 832, 1712, 1604 -
Loads dropped DLL 24 IoCs
Processes:
pid process
1804 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe
wnpxc2.exe, PIDs in report order: 2556, 2652, 2464, 2760, 1952, 2424, 2272, 684, 2204, 2824, 2952, 2112, 2592, 2448, 2900, 2544, 2508, 632, 2836, 1160, 1092, 2220, 832 -
YARA rule upx matched in process memory 57 IoCs
Processes:
resource yara_rule
Every hit is the rule upx on the same image region, 0x0000000000400000-0x000000000046C000, of a process memory dump named behavioral1/memory/<pid>-<dump>-0x0000000000400000-0x000000000046C000-memory.dmp. The <pid>-<dump> values in report order:
1804-3, 1804-2, 1804-4, 1804-6, 1804-7, 1804-9, 1804-8, 1804-19, 2652-30, 2652-31, 2652-32, 2652-37, 2464-48, 2464-52, 2760-63, 2760-68, 1952-80, 1952-85, 2424-94, 2424-95, 2424-96, 2424-100, 2272-111, 2272-116, 684-127, 684-133, 2204-143, 2204-149, 2824-160, 2824-165, 2952-175, 2952-181, 2112-187, 2112-191, 2592-202, 2592-207, 2448-219, 2448-224, 2900-234, 2900-240, 2544-250, 2544-255, 2508-266, 2508-270, 632-279, 632-283, 2836-292, 2836-296, 1160-306, 1160-309, 1092-319, 1092-322, 2220-332, 2220-335, 832-344, 832-348, 1604-357 -
Drops file in System32 directory 46 IoCs
Processes:
description ioc process
All 46 IoCs refer to a single path, C:\Windows\SysWOW64\wnpxc2.exe: 23 "File created" events and 23 "File opened for modification" events. 44 of them come from wnpxc2.exe instances; the remaining two (one of each kind) come from 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe, which is the initial drop. -
Suspicious use of SetThreadContext 23 IoCs
Processes:
pid -> target pid (process -> target process)
2796 -> 1804 (0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe -> 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe)
2556 -> 2652 (wnpxc2.exe -> wnpxc2.exe)
2696 -> 2464 (wnpxc2.exe -> wnpxc2.exe)
1796 -> 2760 (wnpxc2.exe -> wnpxc2.exe)
384 -> 1952 (wnpxc2.exe -> wnpxc2.exe)
2184 -> 2424 (wnpxc2.exe -> wnpxc2.exe)
2056 -> 2272 (wnpxc2.exe -> wnpxc2.exe)
1252 -> 684 (wnpxc2.exe -> wnpxc2.exe)
448 -> 2204 (wnpxc2.exe -> wnpxc2.exe)
1872 -> 2824 (wnpxc2.exe -> wnpxc2.exe)
780 -> 2952 (wnpxc2.exe -> wnpxc2.exe)
908 -> 2592 (wnpxc2.exe -> wnpxc2.exe)
2764 -> 2448 (wnpxc2.exe -> wnpxc2.exe)
2196 -> 2900 (wnpxc2.exe -> wnpxc2.exe)
2864 -> 2544 (wnpxc2.exe -> wnpxc2.exe)
1676 -> 2508 (wnpxc2.exe -> wnpxc2.exe)
1184 -> 632 (wnpxc2.exe -> wnpxc2.exe)
2368 -> 2836 (wnpxc2.exe -> wnpxc2.exe)
1632 -> 1160 (wnpxc2.exe -> wnpxc2.exe)
1272 -> 1092 (wnpxc2.exe -> wnpxc2.exe)
696 -> 2220 (wnpxc2.exe -> wnpxc2.exe)
616 -> 832 (wnpxc2.exe -> wnpxc2.exe)
1712 -> 1604 (wnpxc2.exe -> wnpxc2.exe)
In every row the target is a child running the same image as the caller. Each odd-depth process in the tree below sets the context of the child it started, with one exception: PID 2812 (depth 23) starts PID 2112 without a recorded SetThreadContext. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid process
1804 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe
wnpxc2.exe, PIDs in report order: 2652, 2464, 2760, 1952, 2424, 2272, 684, 2204, 2824, 2952, 2112, 2592, 2448, 2900, 2544, 2508, 632, 2836, 1160, 1092, 2220, 832, 1604 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid -> target pid (process -> target process), rows recorded
2796 -> 1804 (0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe -> 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe), 7
1804 -> 2556 (0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe -> wnpxc2.exe), 4
2556 -> 2652 (wnpxc2.exe -> wnpxc2.exe), 7
2652 -> 2696 (wnpxc2.exe -> wnpxc2.exe), 4
2696 -> 2464 (wnpxc2.exe -> wnpxc2.exe), 7
2464 -> 1796 (wnpxc2.exe -> wnpxc2.exe), 4
1796 -> 2760 (wnpxc2.exe -> wnpxc2.exe), 7
2760 -> 384 (wnpxc2.exe -> wnpxc2.exe), 4
384 -> 1952 (wnpxc2.exe -> wnpxc2.exe), 7
1952 -> 2184 (wnpxc2.exe -> wnpxc2.exe), 4
2184 -> 2424 (wnpxc2.exe -> wnpxc2.exe), 7
2424 -> 2056 (wnpxc2.exe -> wnpxc2.exe), 2
The table stops at 64 rows, at 2424 -> 2056, while the process tree continues to PID 1604. The pairs that also appear in the SetThreadContext table account for 7 writes each; the pairs that do not (1804 -> 2556, 2652 -> 2696, and so on) account for 4 writes each and are parent-to-child writes into a newly created process.
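The SetThreadContext and WriteProcessMemory tables above describe one relaunch chain: each running copy writes into a freshly started copy of its own image and replaces that copy's thread context (the classic hollowing sequence), and the hollowed copy then starts the next instance. As an added example that is not part of this report, the Python below parses rows copied from those two tables, separates writes paired with a thread-context change into the same child from the plain parent-to-child writes that CreateProcess itself performs when it sets up a new process (a sandbox records both the same way), and walks the chain from the initial PID. Only the first rows of each table are embedded, with two of the report's duplicate rows kept to show de-duplication; the functions accept the full flattened text as printed in the report.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    action: str        # "set_thread_context" or "write_process_memory"
    src: int           # PID performing the action
    dst: int           # PID acted on
    src_image: str
    dst_image: str


# Row layout of the report's two tables: "PID <src> <verb> <dst> <src> <src image> <dst image>".
# The \1 backreference pins the repeated source PID, which lets findall() split rows out of
# the flattened single-line form in which the report prints them.
_ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)")
_ACTION = {"set thread context of": "set_thread_context",
           "wrote to memory of": "write_process_memory"}

# Rows copied from the report: the first four SetThreadContext rows and the first seven
# distinct WriteProcessMemory pairs (one pair repeated, as in the report).
SAMPLE = "0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe"
REPORT_ROWS = f"""
PID 2796 set thread context of 1804 2796 {SAMPLE} {SAMPLE}
PID 2556 set thread context of 2652 2556 wnpxc2.exe wnpxc2.exe
PID 2696 set thread context of 2464 2696 wnpxc2.exe wnpxc2.exe
PID 1796 set thread context of 2760 1796 wnpxc2.exe wnpxc2.exe
PID 2796 wrote to memory of 1804 2796 {SAMPLE} {SAMPLE}
PID 2796 wrote to memory of 1804 2796 {SAMPLE} {SAMPLE}
PID 1804 wrote to memory of 2556 1804 {SAMPLE} wnpxc2.exe
PID 2556 wrote to memory of 2652 2556 wnpxc2.exe wnpxc2.exe
PID 2652 wrote to memory of 2696 2652 wnpxc2.exe wnpxc2.exe
PID 2696 wrote to memory of 2464 2696 wnpxc2.exe wnpxc2.exe
PID 2464 wrote to memory of 1796 2464 wnpxc2.exe wnpxc2.exe
PID 1796 wrote to memory of 2760 1796 wnpxc2.exe wnpxc2.exe
"""


def parse_rows(text: str) -> list[Event]:
    """Turn the report's row text (flattened or one row per line) into Event records."""
    return [Event(_ACTION[verb], int(src), int(dst), si, di)
            for src, verb, dst, si, di in _ROW.findall(text)]


def classify_writes(events):
    """Split parent->child writes into hollowing (the same pair also had its thread context
    replaced) and plain writes (no context change; consistent with CreateProcess set-up).
    Also report which hollowing pairs target a child running the caller's own image."""
    stc = {(e.src, e.dst) for e in events if e.action == "set_thread_context"}
    wpm = {(e.src, e.dst) for e in events if e.action == "write_process_memory"}
    image = {}
    for e in events:
        image[e.src], image[e.dst] = e.src_image, e.dst_image
    hollowing = stc & wpm
    plain = wpm - stc
    same_image = {pair for pair in hollowing if image[pair[0]] == image[pair[1]]}
    return hollowing, plain, same_image


def relaunch_chain(events, root: int) -> list[int]:
    """Walk injector -> hollowed child -> child it starts -> ... beginning at root."""
    stc, wpm = {}, defaultdict(list)
    for e in events:
        if e.action == "set_thread_context":
            stc[e.src] = e.dst
        elif e.dst not in wpm[e.src]:
            wpm[e.src].append(e.dst)
    chain, seen, pid = [root], {root}, root
    while True:
        nxt = stc.get(pid)                  # a hollowed child is the stronger link
        if nxt is None:
            nxt = next((c for c in wpm[pid] if c not in seen), None)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        pid = nxt
    return chain


if __name__ == "__main__":
    evs = parse_rows(REPORT_ROWS)
    hollow, plain, same = classify_writes(evs)
    print("hollowing pairs:", sorted(hollow))
    print("plain parent->child writes:", sorted(plain))
    print("same-image hollowing:", sorted(same))
    print("chain from 2796:", relaunch_chain(evs, 2796))
```

Feeding the complete tables in gives the full chain down to PID 1604; the gap at PID 2812, which starts 2112 without a recorded SetThreadContext, shows up as a hop taken through the plain-write fallback rather than through a hollowing edge.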
Processes
-
Each entry gives the executable path, the recorded command line and the PID; the nesting depth in the tree is shown in brackets. The command lines name C:\Windows\system32\wnpxc2.exe, but these are 32-bit processes on an x64 image (resource tag arch:x86), so WOW64 file system redirection resolves that path to C:\Windows\SysWOW64\wnpxc2.exe, which is why the dropped-file IoCs and the process paths show SysWOW64.
[1] C:\Users\Admin\AppData\Local\Temp\0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe (PID 2796)
Command line: "C:\Users\Admin\AppData\Local\Temp\0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe (PID 1804)
Command line: "C:\Users\Admin\AppData\Local\Temp\0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\wnpxc2.exe (PID 2556)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Users\Admin\AppData\Local\Temp\0567B4~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\wnpxc2.exe (PID 2652)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Users\Admin\AppData\Local\Temp\0567B4~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\wnpxc2.exe (PID 2696)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\wnpxc2.exe (PID 2464)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\wnpxc2.exe (PID 1796)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\wnpxc2.exe (PID 2760)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\wnpxc2.exe (PID 384)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\wnpxc2.exe (PID 1952)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\wnpxc2.exe (PID 2184)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\wnpxc2.exe (PID 2424)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\wnpxc2.exe (PID 2056)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[14] C:\Windows\SysWOW64\wnpxc2.exe (PID 2272)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[15] C:\Windows\SysWOW64\wnpxc2.exe (PID 1252)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[16] C:\Windows\SysWOW64\wnpxc2.exe (PID 684)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[17] C:\Windows\SysWOW64\wnpxc2.exe (PID 448)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[18] C:\Windows\SysWOW64\wnpxc2.exe (PID 2204)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[19] C:\Windows\SysWOW64\wnpxc2.exe (PID 1872)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[20] C:\Windows\SysWOW64\wnpxc2.exe (PID 2824)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[21] C:\Windows\SysWOW64\wnpxc2.exe (PID 780)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[22] C:\Windows\SysWOW64\wnpxc2.exe (PID 2952)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[23] C:\Windows\SysWOW64\wnpxc2.exe (PID 2812)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
[24] C:\Windows\SysWOW64\wnpxc2.exe (PID 2112)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[25] C:\Windows\SysWOW64\wnpxc2.exe (PID 908)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[26] C:\Windows\SysWOW64\wnpxc2.exe (PID 2592)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[27] C:\Windows\SysWOW64\wnpxc2.exe (PID 2764)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[28] C:\Windows\SysWOW64\wnpxc2.exe (PID 2448)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[29] C:\Windows\SysWOW64\wnpxc2.exe (PID 2196)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[30] C:\Windows\SysWOW64\wnpxc2.exe (PID 2900)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[31] C:\Windows\SysWOW64\wnpxc2.exe (PID 2864)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[32] C:\Windows\SysWOW64\wnpxc2.exe (PID 2544)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[33] C:\Windows\SysWOW64\wnpxc2.exe (PID 1676)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[34] C:\Windows\SysWOW64\wnpxc2.exe (PID 2508)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[35] C:\Windows\SysWOW64\wnpxc2.exe (PID 1184)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[36] C:\Windows\SysWOW64\wnpxc2.exe (PID 632)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[37] C:\Windows\SysWOW64\wnpxc2.exe (PID 2368)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[38] C:\Windows\SysWOW64\wnpxc2.exe (PID 2836)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[39] C:\Windows\SysWOW64\wnpxc2.exe (PID 1632)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[40] C:\Windows\SysWOW64\wnpxc2.exe (PID 1160)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[41] C:\Windows\SysWOW64\wnpxc2.exe (PID 1272)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[42] C:\Windows\SysWOW64\wnpxc2.exe (PID 1092)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[43] C:\Windows\SysWOW64\wnpxc2.exe (PID 696)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[44] C:\Windows\SysWOW64\wnpxc2.exe (PID 2220)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[45] C:\Windows\SysWOW64\wnpxc2.exe (PID 616)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[46] C:\Windows\SysWOW64\wnpxc2.exe (PID 832)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
[47] C:\Windows\SysWOW64\wnpxc2.exe (PID 1712)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
[48] C:\Windows\SysWOW64\wnpxc2.exe (PID 1604)
Command line: "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153KB
MD5 0567b4eb2f5c00044a3d337af8849364
SHA1 20b59deab88910f098df451801d2556e379bad75
SHA256 059cf6f00c8c11d3bb2deae0b3aebf2e101b8c010731b0c0dc33db47eed05d88
SHA512 361f88d728846af28f974b7512fe0c84b43ca58df8cf3d3e5ba5fe1a7b4e95861fee44752cd478493daf8e2f2232d207d1923994ee2dea9d33a0e58141ce3ce6