Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 06:39
Static task
static1
Behavioral task
behavioral1
Sample
0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target: 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe
Size: 153KB
MD5: 0567b4eb2f5c00044a3d337af8849364
SHA1: 20b59deab88910f098df451801d2556e379bad75
SHA256: 059cf6f00c8c11d3bb2deae0b3aebf2e101b8c010731b0c0dc33db47eed05d88
SHA512: 361f88d728846af28f974b7512fe0c84b43ca58df8cf3d3e5ba5fe1a7b4e95861fee44752cd478493daf8e2f2232d207d1923994ee2dea9d33a0e58141ce3ce6
SSDEEP: 3072:iP/tBIr9b7BZ+pTQ4tawCzWWQFL6NFpIv51pBX6HvtB+DS8+:4/PIr57BZCTQ4ta/NQFLQFpE70viS8+
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
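The config extractor names the encoder as encoder/call4_dword_xor. The following is an added example (not the sandbox's code and not Metasploit's own implementation) showing how that decoder stub is laid out and why a static extractor can recover the key and the plaintext payload from it: the 4-byte XOR key and the dword count sit in cleartext inside the 24-byte stub. The stub bytes are the encoder's well-known signature; the NOP padding, the key value and the test payload are constructed for this example.

```python
import struct

# Added example, not Metasploit's own code. The x86/call4_dword_xor
# encoder prepends a 24-byte decoder stub to the payload; the byte
# pattern below is the stub's well-known signature:
#   31 C9                xor  ecx, ecx
#   83 E9 <-n>           sub  ecx, -n          ; n = payload length in dwords
#   E8 FF FF FF FF       call $+4              ; jumps to its own last byte
#   (FF) C0              inc  eax              ; shares the call's final 0xFF
#   5E                   pop  esi              ; esi = address after the call
#   81 76 0E <key>       xor  dword [esi+0x0e], key   ; payload is 0x0e past esi
#   83 EE FC             sub  esi, -4
#   E2 F4                loop xor
# The key is stored in cleartext inside the stub, which is why a sandbox
# can recover encoder and payload statically, without emulation.
STUB_HEAD = bytes.fromhex("31c983e9")                # offsets 0..3
CALL4_BODY = bytes.fromhex("e8ffffffffc05e81760e")   # offsets 5..14
LOOP_TAIL = bytes.fromhex("83eefce2f4")              # offsets 19..23
STUB_LEN = 24                                        # payload begins here
MAX_DWORDS = 127                                     # sub ecx, imm8 is sign-extended


def encode(payload: bytes, key: int) -> bytes:
    """Lay out stub + XOR-encoded payload. Pads with NOPs to a dword
    boundary (an assumption for this example; the real encoder's padding
    is not described on the page)."""
    payload += b"\x90" * (-len(payload) % 4)
    n = len(payload) // 4
    if not 1 <= n <= MAX_DWORDS:
        raise ValueError("payload must be 1..127 dwords for an imm8 counter")
    stub = (STUB_HEAD + struct.pack("b", -n) + CALL4_BODY
            + struct.pack("<I", key) + LOOP_TAIL)
    body = b"".join(struct.pack("<I", d ^ key)
                    for (d,) in struct.iter_unpack("<I", payload))
    return stub + body


def find_stub(buf: bytes):
    """Scan buf for the stub; return (offset, dword_count, key) or None."""
    i = buf.find(STUB_HEAD)
    while i != -1:
        if buf[i + 5:i + 15] == CALL4_BODY and buf[i + 19:i + 24] == LOOP_TAIL:
            n = -struct.unpack("b", buf[i + 4:i + 5])[0]
            key = struct.unpack("<I", buf[i + 15:i + 19])[0]
            return i, n, key
        i = buf.find(STUB_HEAD, i + 1)
    return None


def decode(buf: bytes) -> bytes:
    """Recover the plaintext payload that follows the first stub in buf."""
    hit = find_stub(buf)
    if hit is None:
        raise ValueError("no call4_dword_xor stub found")
    off, n, key = hit
    enc = buf[off + STUB_LEN:off + STUB_LEN + 4 * n]
    if len(enc) != 4 * n:
        raise ValueError("buffer truncated before the end of the encoded payload")
    return b"".join(struct.pack("<I", d ^ key)
                    for (d,) in struct.iter_unpack("<I", enc))


if __name__ == "__main__":
    blob = b"\x00" * 7 + encode(b"constructed test payload", 0xDEADBEEF)
    print(find_stub(blob), decode(blob))
```

Because the counter is an imm8 operand of sub ecx, the stub can only describe payloads of up to 127 dwords; a scanner that matches this pattern should therefore also sanity-check the count against the bytes remaining in the buffer, as decode() does, rather than trust the stub blindly.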
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wnpxc2.exe (16 rows), 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe (1 row)
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
- queried by wnpxc2.exe: 16 rows
- queried by 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe: 1 row
Deletes itself 1 IoCs
Processes:
- PID 3784 wnpxc2.exe
Executes dropped EXE 34 IoCs
Processes: wnpxc2.exe, PIDs in launch order:
5076, 3784, 3724, 4260, 1556, 2148, 3756, 2920, 4708, 4744, 2892, 4456, 2576, 4964, 3780, 4556, 984, 816, 4904, 4292, 464, 2396, 4836, 2960, 728, 1184, 3488, 3944, 3272, 1556, 1568, 5100, 552, 3696
(PIDs 464 and 1556 appear twice because the sandbox reused them during the run.)
Yara rule match: upx (UPX-packed image in memory) 36 IoCs
Processes:
resource: behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000046C000-memory.dmp, yara_rule: upx
Every matching dump covers the same image range 0x0000000000400000-0x000000000046C000; the <pid>-<n> pairs are:
- 3140: 0, 2, 3, 4, 38
- 3784: 43, 44, 45, 47
- 4260: 53, 55
- 2148: 62
- 2920: 68
- 4744: 75, 76
- 4456: 81, 82, 83, 85
- 4964: 92, 94
- 4556: 101
- 816: 107, 109
- 4292: 115, 117
- 2396: 124
- 2960: 131, 135
- 1184: 143
- 3944: 148, 152
- 1556: 157, 161
- 5100: 166, 170
Drops file in System32 directory 34 IoCs
Processes: wnpxc2.exe (32 rows), 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe (2 rows)
ioc: C:\Windows\SysWOW64\wnpxc2.exe
- File created by wnpxc2.exe: 16 rows
- File opened for modification by wnpxc2.exe: 16 rows
- File created by 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe: 1 row
- File opened for modification by 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe: 1 row
Suspicious use of SetThreadContext 18 IoCs
Processes: 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe, wnpxc2.exe
Rows: "PID <source> set thread context of <target>" (source image -> target image):
- 464 set thread context of 3140 (0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe -> 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe)
- 5076 set thread context of 3784 (wnpxc2.exe -> wnpxc2.exe)
- 3724 set thread context of 4260 (wnpxc2.exe -> wnpxc2.exe)
- 1556 set thread context of 2148 (wnpxc2.exe -> wnpxc2.exe)
- 3756 set thread context of 2920 (wnpxc2.exe -> wnpxc2.exe)
- 4708 set thread context of 4744 (wnpxc2.exe -> wnpxc2.exe)
- 2892 set thread context of 4456 (wnpxc2.exe -> wnpxc2.exe)
- 2576 set thread context of 4964 (wnpxc2.exe -> wnpxc2.exe)
- 3780 set thread context of 4556 (wnpxc2.exe -> wnpxc2.exe)
- 984 set thread context of 816 (wnpxc2.exe -> wnpxc2.exe)
- 4904 set thread context of 4292 (wnpxc2.exe -> wnpxc2.exe)
- 464 set thread context of 2396 (wnpxc2.exe -> wnpxc2.exe)
- 4836 set thread context of 2960 (wnpxc2.exe -> wnpxc2.exe)
- 728 set thread context of 1184 (wnpxc2.exe -> wnpxc2.exe)
- 3488 set thread context of 3944 (wnpxc2.exe -> wnpxc2.exe)
- 3272 set thread context of 1556 (wnpxc2.exe -> wnpxc2.exe)
- 1568 set thread context of 5100 (wnpxc2.exe -> wnpxc2.exe)
- 552 set thread context of 3696 (wnpxc2.exe -> wnpxc2.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 17 IoCs
Processes: wnpxc2.exe (16 rows), 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe (1 row)
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- created by wnpxc2.exe: 16 rows
- created by 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe: 1 row
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes: 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe (PID 3140), wnpxc2.exe
Each PID below appears twice in the table (2 rows per process):
- 3140 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe
- wnpxc2.exe: 3784, 4260, 2148, 2920, 4744, 4456, 4964, 4556, 816, 4292, 2396, 2960, 1184, 3944, 1556, 5100, 3696
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe (PIDs 464, 3140), wnpxc2.exe
Rows: "PID <source> wrote to memory of <target>", collapsed by identical source/target pair:
- 464 (0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe) wrote to memory of 3140 (0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe): 7 rows
- 3140 (0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe) wrote to memory of 5076 (wnpxc2.exe): 3 rows
- 5076 wrote to memory of 3784 (wnpxc2.exe -> wnpxc2.exe): 7 rows
- 3784 wrote to memory of 3724 (wnpxc2.exe -> wnpxc2.exe): 3 rows
- 3724 wrote to memory of 4260 (wnpxc2.exe -> wnpxc2.exe): 7 rows
- 4260 wrote to memory of 1556 (wnpxc2.exe -> wnpxc2.exe): 3 rows
- 1556 wrote to memory of 2148 (wnpxc2.exe -> wnpxc2.exe): 7 rows
- 2148 wrote to memory of 3756 (wnpxc2.exe -> wnpxc2.exe): 3 rows
- 3756 wrote to memory of 2920 (wnpxc2.exe -> wnpxc2.exe): 7 rows
- 2920 wrote to memory of 4708 (wnpxc2.exe -> wnpxc2.exe): 3 rows
- 4708 wrote to memory of 4744 (wnpxc2.exe -> wnpxc2.exe): 7 rows
- 4744 wrote to memory of 2892 (wnpxc2.exe -> wnpxc2.exe): 3 rows
- 2892 wrote to memory of 4456 (wnpxc2.exe -> wnpxc2.exe): 4 rows (table truncated at 64 IoCs)
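The SetThreadContext and WriteProcessMemory tables together describe the injection pattern: every process that calls SetThreadContext does so on a child running its own image, and the write rows alternate between a long burst into that same-image child and a short burst when the child launches the next copy. The following added example (not part of the sandbox report) parses rows in the format the report prints, flags the same-image SetThreadContext pairs as process-hollowing candidates, and walks the write edges to reconstruct the chain. The rows embedded in it are a constructed subset copied from this report's two tables; it keys processes by (pid, image) because the run reuses PIDs 464 and 1556.

```python
import re
from collections import defaultdict

# Added example, not part of the sandbox report. It parses the rows the
# report prints under "Suspicious use of SetThreadContext" and "Suspicious
# use of WriteProcessMemory" and reconstructs the injection chain. The rows
# below are a constructed subset copied from this report's two tables.
SAMPLE = "0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe"
DROPPED = "wnpxc2.exe"

SET_CONTEXT_ROWS = f"""\
PID 464 set thread context of 3140 464 {SAMPLE} {SAMPLE}
PID 5076 set thread context of 3784 5076 {DROPPED} {DROPPED}
PID 3724 set thread context of 4260 3724 {DROPPED} {DROPPED}
PID 1556 set thread context of 2148 1556 {DROPPED} {DROPPED}
PID 464 set thread context of 2396 464 {DROPPED} {DROPPED}
"""

WRITE_ROWS = f"""\
PID 464 wrote to memory of 3140 464 {SAMPLE} {SAMPLE}
PID 464 wrote to memory of 3140 464 {SAMPLE} {SAMPLE}
PID 3140 wrote to memory of 5076 3140 {SAMPLE} {DROPPED}
PID 5076 wrote to memory of 3784 5076 {DROPPED} {DROPPED}
PID 3784 wrote to memory of 3724 3784 {DROPPED} {DROPPED}
PID 3724 wrote to memory of 4260 3724 {DROPPED} {DROPPED}
PID 4260 wrote to memory of 1556 4260 {DROPPED} {DROPPED}
PID 1556 wrote to memory of 2148 1556 {DROPPED} {DROPPED}
"""

# Row layout: "PID <src> <action> <dst> <src> <src image> <dst image>"
ROW = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$"
)


def parse_rows(text):
    """Return {(action, (src_pid, src_image), (dst_pid, dst_image))}.

    Processes are keyed by (pid, image) rather than pid alone because the
    sandbox reuses PIDs within one run: 464 is first the original sample
    and later one of the wnpxc2.exe copies.
    """
    edges = set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            edges.add((action, (int(src), src_img), (int(dst), dst_img)))
    return edges


def hollowing_candidates(ctx_text, write_text):
    """Flag parent/child pairs that look like process hollowing.

    Signal: SetThreadContext on a child running the same image, i.e. a
    suspended copy of the caller. A WriteProcessMemory row for the same
    pair corroborates it; since the report truncates that table at 64
    rows, a missing write row is reported, not treated as a negative.
    Returns [(src, dst, corroborated)] ordered by source then target PID.
    """
    ctx = parse_rows(ctx_text)
    writes = {(s, d) for _, s, d in parse_rows(write_text)}
    hits = [(s, d, (s, d) in writes) for _, s, d in ctx if s[1] == d[1]]
    return sorted(hits, key=lambda h: (h[0][0], h[1][0]))


def chain(write_text, root):
    """Follow parent->child write edges from root; return the ordered chain."""
    children = defaultdict(list)
    for _, s, d in parse_rows(write_text):
        children[s].append(d)
    path, cur = [root], root
    while children.get(cur):
        cur = children[cur][0]  # this sample spawns exactly one child per stage
        if cur in path:         # guard: PID reuse must not turn the walk into a loop
            break
        path.append(cur)
    return path


if __name__ == "__main__":
    for s, d, ok in hollowing_candidates(SET_CONTEXT_ROWS, WRITE_ROWS):
        note = "" if ok else " (no write row in the truncated table)"
        print(f"{s[1]}[{s[0]}] hollows {d[1]}[{d[0]}]{note}")
    print(" -> ".join(f"{img}[{pid}]" for pid, img in chain(WRITE_ROWS, (464, SAMPLE))))
```

Run against the full tables, the same logic distinguishes the two kinds of parent-to-child writes the report shows: the parent that launched the dropped wnpxc2.exe (3140 -> 5076) wrote to a different image and never touched its thread context, so it is not flagged, while every same-image pair is.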
Processes
Each entry is the child of the entry above it; the number is its depth in the tree.
1. C:\Users\Admin\AppData\Local\Temp\0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe (PID 464)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe (PID 3140)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0567b4eb2f5c00044a3d337af8849364_JaffaCakes118.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\wnpxc2.exe (PID 5076)
   Command line: "C:\Windows\system32\wnpxc2.exe" C:\Users\Admin\AppData\Local\Temp\0567B4~1.EXE
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\wnpxc2.exe (PID 3784)
   Command line: "C:\Windows\system32\wnpxc2.exe" C:\Users\Admin\AppData\Local\Temp\0567B4~1.EXE
   - Checks computer location settings
   - Deletes itself
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
Entries 5 to 36 are all C:\Windows\SysWOW64\wnpxc2.exe with the command line "C:\Windows\system32\wnpxc2.exe" C:\Windows\SysWOW64\wnpxc2.exe:
5. PID 3724
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
6. PID 4260
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
7. PID 1556
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
8. PID 2148
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
9. PID 3756
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
10. PID 2920
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
11. PID 4708
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
12. PID 4744
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
13. PID 2892
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
14. PID 4456
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
15. PID 2576
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
16. PID 4964
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
17. PID 3780
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
18. PID 4556
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
19. PID 984
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
20. PID 816
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
21. PID 4904
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
22. PID 4292
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
23. PID 464
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
24. PID 2396
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
25. PID 4836
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
26. PID 2960
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
27. PID 728
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
28. PID 1184
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
29. PID 3488
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
30. PID 3944
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
31. PID 3272
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
32. PID 1556
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
33. PID 1568
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
34. PID 5100
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
35. PID 552
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
36. PID 3696
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153KB (the submitted sample itself; digests match the General section)
  MD5: 0567b4eb2f5c00044a3d337af8849364
  SHA1: 20b59deab88910f098df451801d2556e379bad75
  SHA256: 059cf6f00c8c11d3bb2deae0b3aebf2e101b8c010731b0c0dc33db47eed05d88
  SHA512: 361f88d728846af28f974b7512fe0c84b43ca58df8cf3d3e5ba5fe1a7b4e95861fee44752cd478493daf8e2f2232d207d1923994ee2dea9d33a0e58141ce3ce6
- Filesize: not reported (these are the digests of a zero-length file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e