Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 11/08/2024, 04:17
Static task: static1
Behavioral task: behavioral1
Sample: 88f608cc8b962df435952230078c4953_JaffaCakes118.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 88f608cc8b962df435952230078c4953_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: 88f608cc8b962df435952230078c4953_JaffaCakes118.exe
Size: 167KB
MD5: 88f608cc8b962df435952230078c4953
SHA1: fade95d2e5f0f8f97674784fb68b874b076cde93
SHA256: 9a99dbe4da731295a5cada60b513471b9ad3c34b992889ab999ffe24765e2fff
SHA512: cb2289b50e760e7ed52958c64ae66d20fbecd57d3d9a04617c9f81386739c2caddaf804a00aaa8ab4904a2601f62361e3fba48d139b585ff7d379edc69f904f5
SSDEEP: 3072:QGEEhtp++sy+rmGVCupPARbC4HbYObKhHvYVxWbtlmMMD8SVr6BhvDbZIVBUVB2F:QGvl4FqO4HsthHg1XD8Cr6BhvD9IVO2F
Malware Config
Extracted: metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
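The extracted config names Metasploit's call4_dword_xor encoder. For triage that means the payload in memory is preceded by a 19-byte decoder stub that learns its own address with `call $+4`, then XORs the dwords that follow it with a 4-byte key and loops `ecx` times. The script below is an added example, not tria.ge or Metasploit code: it finds the stub by its fixed opcode bytes, pulls the key out of the `xor dword [esi+0xe], imm32` instruction, recovers the dword count when the stub is preceded by the plain `xor ecx,ecx ; sub ecx,-N` form (Metasploit builds that prefix with its bad-character-avoiding `sub` helper, so other encodings are possible; in that case the script decodes to the end of the buffer, which is an assumption to check by hand), and XOR-decodes the payload. The `encode_call4_dword_xor` function and the sample payload bytes are constructed for the demo and are not taken from this sample.

```python
"""Locate and decode Metasploit's x86 call4_dword_xor decoder stub.

Added example (not tria.ge's or Metasploit's own code).  Stub layout, as
shipped in modules/encoders/x86/call4_dword_xor.rb:

    <ecx set-up>          ; typically xor ecx,ecx ; sub ecx,-N   (N = dword count)
    e8 ff ff ff ff        ; call $+4  -> pushes stub+5, lands on the last ff
    ff c0                 ; inc eax   (the call's last 0xff byte is this opcode)
    5e                    ; pop esi   -> esi = stub+5
    81 76 0e KK KK KK KK  ; xor dword [esi+0x0e], key   (first target: stub+0x13)
    83 ee fc              ; sub esi, -4   (esi += 4)
    e2 f4                 ; loop back to the xor
    <encoded payload>     ; N dwords starting at stub+0x13
"""
import re
import struct

# Fixed bytes of the stub; the 4-byte XOR key sits inside the xor instruction.
STUB_RE = re.compile(
    rb"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e(?P<key>.{4})\x83\xee\xfc\xe2\xf4",
    re.DOTALL,
)
# Plain forms of the ECX set-up.  Assumption: Metasploit's Rex sub() helper
# may emit other bad-character-free variants, which this example does not parse.
ECX_IMM8_RE = re.compile(rb"\x31\xc9\x83\xe9(?P<imm>.)\Z", re.DOTALL)
ECX_IMM32_RE = re.compile(rb"\x31\xc9\x81\xe9(?P<imm>.{4})\Z", re.DOTALL)


def _dword_count(prefix: bytes):
    """Recover N from 'sub ecx, -N' if the bytes before the stub are a plain form."""
    m = ECX_IMM8_RE.search(prefix)
    if m:
        return (-struct.unpack("<b", m.group("imm"))[0]) & 0xFFFFFFFF
    m = ECX_IMM32_RE.search(prefix)
    if m:
        return (-struct.unpack("<i", m.group("imm"))[0]) & 0xFFFFFFFF
    return None  # unknown prefix: caller decodes to end of buffer


def find_call4_stubs(blob: bytes):
    """Yield (offset_of_call, key, dword_count_or_None) for every stub in blob."""
    for m in STUB_RE.finditer(blob):
        key = struct.unpack("<I", m.group("key"))[0]
        n = _dword_count(blob[max(0, m.start() - 8):m.start()])
        yield m.start(), key, n


def decode_call4_dword_xor(blob: bytes, offset: int, key: int, n=None) -> bytes:
    """XOR-decode the dwords that follow the stub whose 'call' is at `offset`."""
    start = offset + 0x13                      # esi + 0x0e with esi = call + 5
    avail = (len(blob) - start) // 4
    n = avail if n is None else min(n, avail)
    words = struct.unpack(f"<{n}I", blob[start:start + 4 * n])
    return struct.pack(f"<{n}I", *(w ^ key for w in words))


def encode_call4_dword_xor(payload: bytes, key: int) -> bytes:
    """Constructed encoder mirroring the stub above (demo only, not msfvenom)."""
    payload += b"\x00" * (-len(payload) % 4)   # pad to a dword boundary
    n = len(payload) // 4
    if n <= 128:                               # sub ecx, imm8 (sign-extended)
        prefix = b"\x31\xc9\x83\xe9" + struct.pack("<b", -n)
    else:                                      # sub ecx, imm32
        prefix = b"\x31\xc9\x81\xe9" + struct.pack("<i", -n)
    stub = (b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" + struct.pack("<I", key)
            + b"\x83\xee\xfc\xe2\xf4")
    words = struct.unpack(f"<{n}I", payload)
    return prefix + stub + struct.pack(f"<{n}I", *(w ^ key for w in words))


def demo():
    """Encode a constructed payload, bury it in junk, then find and decode it."""
    payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"  # constructed
    key = 0x1337BEEF
    blob = b"\x90" * 7 + encode_call4_dword_xor(payload, key) + b"\xcc" * 3
    offset, found_key, n = next(find_call4_stubs(blob))
    return found_key, n, decode_call4_dword_xor(blob, offset, found_key, n)


if __name__ == "__main__":
    k, n, dec = demo()
    print(f"key=0x{k:08x} dwords={n} decoded={dec.hex()}")
```

Run it against a memory dump such as the 0x00400000-0x0046C000 regions listed under the yara hits below; if `find_call4_stubs` reports `None` for the dword count, inspect the bytes just before the stub in a disassembler to read the real `ecx` value rather than trusting the decode-to-end fallback.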
Deletes itself (1 IoC)
pid   Process
2568  wmpfv2.exe
Executes dropped EXE (26 IoCs)
Process: wmpfv2.exe for all 26 rows; pids in report order:
2772, 2568, 2612, 3040, 2636, 2776, 1192, 484, 2352, 2252, 1616, 1472, 3000, 1696, 1692, 1524, 2884, 2820, 2624, 2500, 2208, 2288, 2812, 856, 1192, 1964
Loads dropped DLL (26 IoCs; each pid is listed twice)
pid   Process
2724  88f608cc8b962df435952230078c4953_JaffaCakes118.exe
2568  wmpfv2.exe
3040  wmpfv2.exe
2776  wmpfv2.exe
484   wmpfv2.exe
2252  wmpfv2.exe
1472  wmpfv2.exe
1696  wmpfv2.exe
1524  wmpfv2.exe
2820  wmpfv2.exe
2500  wmpfv2.exe
2288  wmpfv2.exe
856   wmpfv2.exe
resource yara_rule (41 hits, all rule upx)
Every hit is on the memory dump behavioral1/memory/<pid>-<dump>-0x0000000000400000-0x000000000046C000-memory.dmp, i.e. the image region of the listed pid:
pid   dump numbers
2724  2, 4, 7, 13, 14, 15, 16, 29
2568  40, 41, 42, 43, 50
3040  60, 61, 62, 63, 69
2776  79, 80, 81, 82, 87
484   99, 107
2252  118, 126
1472  137, 145
1696  156, 164
1524  183
2820  194, 202
2500  213, 221
2288  233, 241
856   252, 260
1964  272
Drops file in System32 directory (26 IoCs)
description                   ioc                             Process                                             rows
File created                  C:\Windows\SysWOW64\wmpfv2.exe  88f608cc8b962df435952230078c4953_JaffaCakes118.exe  1
File opened for modification  C:\Windows\SysWOW64\wmpfv2.exe  88f608cc8b962df435952230078c4953_JaffaCakes118.exe  1
File created                  C:\Windows\SysWOW64\wmpfv2.exe  wmpfv2.exe                                          12
File opened for modification  C:\Windows\SysWOW64\wmpfv2.exe  wmpfv2.exe                                          12
Suspicious use of SetThreadContext (14 IoCs)
pid   Process                                             set thread context of  procid_target
2412  88f608cc8b962df435952230078c4953_JaffaCakes118.exe  2724                   30
2772  wmpfv2.exe                                          2568                   32
2612  wmpfv2.exe                                          3040                   34
2636  wmpfv2.exe                                          2776                   36
1192  wmpfv2.exe                                          484                    38
2352  wmpfv2.exe                                          2252                   40
1616  wmpfv2.exe                                          1472                   43
3000  wmpfv2.exe                                          1696                   45
1692  wmpfv2.exe                                          1524                   47
2884  wmpfv2.exe                                          2820                   49
2624  wmpfv2.exe                                          2500                   51
2208  wmpfv2.exe                                          2288                   53
2812  wmpfv2.exe                                          856                    55
1192  wmpfv2.exe                                          1964                   57
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 27 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process                                             rows
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpfv2.exe                                          25
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  88f608cc8b962df435952230078c4953_JaffaCakes118.exe  2
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
2724  88f608cc8b962df435952230078c4953_JaffaCakes118.exe
2568  wmpfv2.exe
3040  wmpfv2.exe
2776  wmpfv2.exe
484   wmpfv2.exe
2252  wmpfv2.exe
1472  wmpfv2.exe
1696  wmpfv2.exe
1524  wmpfv2.exe
2820  wmpfv2.exe
2500  wmpfv2.exe
2288  wmpfv2.exe
856   wmpfv2.exe
1964  wmpfv2.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                 pid   Process                                             rows
Token: SeSecurityPrivilege  2412  88f608cc8b962df435952230078c4953_JaffaCakes118.exe  59
Token: SeSecurityPrivilege  2772  wmpfv2.exe                                          5
Suspicious use of WriteProcessMemory (64 IoCs; the report stops at 64 rows, while the chain under Processes continues down to PID 1964)
pid   Process                                             wrote to memory of  procid_target  rows
2412  88f608cc8b962df435952230078c4953_JaffaCakes118.exe  2724                30             8
2724  88f608cc8b962df435952230078c4953_JaffaCakes118.exe  2772                31             4
2772  wmpfv2.exe                                          2568                32             8
2568  wmpfv2.exe                                          2612                33             4
2612  wmpfv2.exe                                          3040                34             8
3040  wmpfv2.exe                                          2636                35             4
2636  wmpfv2.exe                                          2776                36             8
2776  wmpfv2.exe                                          1192                37             4
1192  wmpfv2.exe                                          484                 38             8
484   wmpfv2.exe                                          2352                39             4
2352  wmpfv2.exe                                          2252                40             4
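Reading the SetThreadContext and WriteProcessMemory tables together is what turns this report into a chain: every parent-child pair that appears under both signatures (2412 -> 2724, 2772 -> 2568, 2612 -> 3040, and so on) is a process that starts a copy of its own image, writes into it and redirects its thread, which is the process-hollowing pattern, while pairs that appear only under WriteProcessMemory (2724 -> 2772, 2568 -> 2612, ...) are ordinary child creation, which also produces a handful of writes. Writes alone are therefore not an injection indicator. The script below is an added example and not part of the report: it parses rows in the shape tria.ge prints (a constructed subset copied from the two tables above), cross-correlates the signatures, and walks the parent-child edges into the chain. Because the WriteProcessMemory table is cut at 64 rows, pairs after 2352 -> 2252 cannot be cross-checked from this page.

```python
"""Cross-correlate tria.ge SetThreadContext / WriteProcessMemory rows.

Added example (not tria.ge code).  The sample rows are a constructed subset
copied from this report's two signature tables.
"""
import re

SET_THREAD_CONTEXT_ROWS = """\
PID 2412 set thread context of 2724 2412 88f608cc8b962df435952230078c4953_JaffaCakes118.exe 30
PID 2772 set thread context of 2568 2772 wmpfv2.exe 32
PID 2612 set thread context of 3040 2612 wmpfv2.exe 34
"""

WRITE_PROCESS_MEMORY_ROWS = """\
PID 2412 wrote to memory of 2724 2412 88f608cc8b962df435952230078c4953_JaffaCakes118.exe 30
PID 2412 wrote to memory of 2724 2412 88f608cc8b962df435952230078c4953_JaffaCakes118.exe 30
PID 2724 wrote to memory of 2772 2724 88f608cc8b962df435952230078c4953_JaffaCakes118.exe 31
PID 2772 wrote to memory of 2568 2772 wmpfv2.exe 32
PID 2568 wrote to memory of 2612 2568 wmpfv2.exe 33
PID 2612 wrote to memory of 3040 2612 wmpfv2.exe 34
PID 3040 wrote to memory of 2636 3040 wmpfv2.exe 35
"""

# Row shape: "PID <src> <action> <dst> <src> <image> <procid_target>".
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)$"
)


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image) per row; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), int(m["dst"]), m["image"]))
    return rows


def hollowing_candidates(ctx_rows, write_rows):
    """Parent->child pairs present under BOTH signatures: the hollowing pattern."""
    ctx = {(s, d) for s, d, _ in ctx_rows}
    wrote = {(s, d) for s, d, _ in write_rows}
    return sorted(ctx & wrote)


def plain_spawns(ctx_rows, write_rows):
    """Pairs present only under WriteProcessMemory: ordinary child creation."""
    ctx = {(s, d) for s, d, _ in ctx_rows}
    wrote = {(s, d) for s, d, _ in write_rows}
    return sorted(wrote - ctx)


def chain_from(root, *row_sets):
    """Follow parent->child edges from `root` until a process has no child.

    Only the first child seen per parent is kept, so a reused pid (this report
    has 1192 at two depths) needs disambiguating by hand before trusting the walk.
    """
    child = {}
    for rows in row_sets:
        for s, d, _ in rows:
            child.setdefault(s, d)
    chain, seen = [root], {root}
    while chain[-1] in child and child[chain[-1]] not in seen:
        chain.append(child[chain[-1]])
        seen.add(chain[-1])
    return chain


def analyse():
    """Run the three checks over the embedded rows and return their results."""
    ctx = parse_rows(SET_THREAD_CONTEXT_ROWS)
    wrote = parse_rows(WRITE_PROCESS_MEMORY_ROWS)
    return {
        "hollowed": hollowing_candidates(ctx, wrote),
        "spawned": plain_spawns(ctx, wrote),
        "chain": chain_from(2412, wrote, ctx),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

Paste the full tables from a report into the two string constants to extend the walk; the alternating hollow/spawn pattern that this sample shows (every second link in the chain is hollowed) is the thing to look for.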
Processes
A single chain: each entry is the child of the entry above it, and the bracketed number is the depth the report assigned. Two points worth keeping in mind when reading the pid-keyed tables above: PID 1192 occurs at depths 9 and 27, so the pid was reused and rows keyed on 1192 belong to two different processes; and the command line names C:\Windows\system32\wmpfv2.exe while the image path is C:\Windows\SysWOW64\wmpfv2.exe, because the process is 32-bit (arch:x86) and WOW64 redirects its system32 accesses to SysWOW64.

[1] PID 2412  C:\Users\Admin\AppData\Local\Temp\88f608cc8b962df435952230078c4953_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\88f608cc8b962df435952230078c4953_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] PID 2724  C:\Users\Admin\AppData\Local\Temp\88f608cc8b962df435952230078c4953_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\88f608cc8b962df435952230078c4953_JaffaCakes118.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[3] PID 2772  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Users\Admin\AppData\Local\Temp\88F608~1.EXE
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[4] PID 2568  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Users\Admin\AppData\Local\Temp\88F608~1.EXE
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[5] PID 2612  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[6] PID 3040  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[7] PID 2636  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[8] PID 2776  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[9] PID 1192  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[10] PID 484  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[11] PID 2352  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[12] PID 2252  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[13] PID 1616  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
[14] PID 1472  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[15] PID 3000  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
[16] PID 1696  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[17] PID 1692  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
[18] PID 1524  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[19] PID 2884  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
[20] PID 2820  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[21] PID 2624  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
[22] PID 2500  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[23] PID 2208  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
[24] PID 2288  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[25] PID 2812  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
[26] PID 856  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[27] PID 1192  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
[28] PID 1964  C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 167KB
MD5: 88f608cc8b962df435952230078c4953
SHA1: fade95d2e5f0f8f97674784fb68b874b076cde93
SHA256: 9a99dbe4da731295a5cada60b513471b9ad3c34b992889ab999ffe24765e2fff
SHA512: cb2289b50e760e7ed52958c64ae66d20fbecd57d3d9a04617c9f81386739c2caddaf804a00aaa8ab4904a2601f62361e3fba48d139b585ff7d379edc69f904f5