Analysis
  max time kernel: 146s
  max time network: 122s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/08/2024, 04:17
Static task: static1
Behavioral task: behavioral1
  Sample: 88f608cc8b962df435952230078c4953_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 88f608cc8b962df435952230078c4953_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: 88f608cc8b962df435952230078c4953_JaffaCakes118.exe
  Size: 167KB
  MD5: 88f608cc8b962df435952230078c4953
  SHA1: fade95d2e5f0f8f97674784fb68b874b076cde93
  SHA256: 9a99dbe4da731295a5cada60b513471b9ad3c34b992889ab999ffe24765e2fff
  SHA512: cb2289b50e760e7ed52958c64ae66d20fbecd57d3d9a04617c9f81386739c2caddaf804a00aaa8ab4904a2601f62361e3fba48d139b585ff7d379edc69f904f5
  SSDEEP: 3072:QGEEhtp++sy+rmGVCupPARbC4HbYObKhHvYVxWbtlmMMD8SVr6BhvDbZIVBUVB2F:QGvl4FqO4HsthHg1XD8Cr6BhvD9IVO2F
Malware Config
  Extracted: metasploit
  Encoder: encoder/call4_dword_xor
Signatures
MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Checks computer location settings (2 TTPs, 10 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation  wmpfv2.exe (9 entries)
  Key value queried  \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation  88f608cc8b962df435952230078c4953_JaffaCakes118.exe (1 entry)
Deletes itself (1 IoC)
  pid   Process
  3500  wmpfv2.exe
Executes dropped EXE (19 IoCs)
  Process: wmpfv2.exe
  pids: 3428, 3500, 976, 4304, 3260, 4992, 3028, 3872, 3660, 4508, 4040, 4944, 1112, 4988, 4428, 3808, 1504, 3012, 4920
yara_rule: upx (31 memory-dump resources matched)
  Every matching resource has the form behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000046C000-memory.dmp, with <pid>-<n> =
  1408-0, 1408-3, 1408-1, 1408-5, 1408-7, 1408-8, 1408-6, 1408-44,
  3500-50, 3500-52, 3500-54, 3500-53, 3500-55, 3500-57,
  4304-64, 4304-66, 4304-67, 4304-70,
  4992-81, 4992-83, 3872-91, 3872-96, 4508-104, 4508-110,
  4944-120, 4944-125, 4988-134, 4988-139, 3808-153, 3012-161, 3012-167
Drops file in System32 directory (20 IoCs)
  description                   ioc                             Process
  File opened for modification  C:\Windows\SysWOW64\wmpfv2.exe  wmpfv2.exe (9 entries)
  File created                  C:\Windows\SysWOW64\wmpfv2.exe  wmpfv2.exe (9 entries)
  File opened for modification  C:\Windows\SysWOW64\wmpfv2.exe  88f608cc8b962df435952230078c4953_JaffaCakes118.exe (1 entry)
  File created                  C:\Windows\SysWOW64\wmpfv2.exe  88f608cc8b962df435952230078c4953_JaffaCakes118.exe (1 entry)
Suspicious use of SetThreadContext (10 IoCs)
  pid   set thread context of  Process                                             procid_target
  2884  1408                   88f608cc8b962df435952230078c4953_JaffaCakes118.exe  92
  3428  3500                   wmpfv2.exe                                          96
  976   4304                   wmpfv2.exe                                          101
  3260  4992                   wmpfv2.exe                                          103
  3028  3872                   wmpfv2.exe                                          105
  3660  4508                   wmpfv2.exe                                          108
  4040  4944                   wmpfv2.exe                                          110
  1112  4988                   wmpfv2.exe                                          119
  4428  3808                   wmpfv2.exe                                          121
  1504  3012                   wmpfv2.exe                                          126
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 20 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpfv2.exe (18 entries)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  88f608cc8b962df435952230078c4953_JaffaCakes118.exe (2 entries)
Modifies registry class (10 IoCs)
  description  ioc                                                                                                       Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  wmpfv2.exe (9 entries)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  88f608cc8b962df435952230078c4953_JaffaCakes118.exe (1 entry)
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   Process
  1408  88f608cc8b962df435952230078c4953_JaffaCakes118.exe (2 entries)
  3500, 4304, 4992, 3872, 4508, 4944, 4988, 3808, 3012  wmpfv2.exe (2 entries per pid)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                 pid   Process
  Token: SeSecurityPrivilege  2884  88f608cc8b962df435952230078c4953_JaffaCakes118.exe (59 entries)
  Token: SeSecurityPrivilege  3428  wmpfv2.exe (5 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  pid   wrote to memory of  Process                                             procid_target  entries
  2884  1408                88f608cc8b962df435952230078c4953_JaffaCakes118.exe  92             8
  1408  3428                88f608cc8b962df435952230078c4953_JaffaCakes118.exe  95             3
  3428  3500                wmpfv2.exe                                          96             8
  3500  976                 wmpfv2.exe                                          97             3
  976   4304                wmpfv2.exe                                          101            8
  4304  3260                wmpfv2.exe                                          102            3
  3260  4992                wmpfv2.exe                                          103            8
  4992  3028                wmpfv2.exe                                          104            3
  3028  3872                wmpfv2.exe                                          105            8
  3872  3660                wmpfv2.exe                                          107            3
  3660  4508                wmpfv2.exe                                          108            8
  4508  4040                wmpfv2.exe                                          109            1
Processes
Each process below is the child of the one listed above it; the tree depth is given in brackets.

[1] C:\Users\Admin\AppData\Local\Temp\88f608cc8b962df435952230078c4953_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\88f608cc8b962df435952230078c4953_JaffaCakes118.exe"
    PID: 2884
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\88f608cc8b962df435952230078c4953_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\88f608cc8b962df435952230078c4953_JaffaCakes118.exe"
    PID: 1408
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Users\Admin\AppData\Local\Temp\88F608~1.EXE
    PID: 3428
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Users\Admin\AppData\Local\Temp\88F608~1.EXE
    PID: 3500
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 976
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 4304
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 3260
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 4992
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 3028
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 3872
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 3660
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 4508
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 4040
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[14] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 4944
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[15] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 1112
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[16] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 4988
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[17] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 4428
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[18] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 3808
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[19] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 1504
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[20] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 3012
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[21] C:\Windows\SysWOW64\wmpfv2.exe
    cmdline: "C:\Windows\system32\wmpfv2.exe" C:\Windows\SysWOW64\wmpfv2.exe
    PID: 4920
    - Executes dropped EXE
Downloads
  Filesize: 167KB
  MD5: 88f608cc8b962df435952230078c4953
  SHA1: fade95d2e5f0f8f97674784fb68b874b076cde93
  SHA256: 9a99dbe4da731295a5cada60b513471b9ad3c34b992889ab999ffe24765e2fff
  SHA512: cb2289b50e760e7ed52958c64ae66d20fbecd57d3d9a04617c9f81386739c2caddaf804a00aaa8ab4904a2601f62361e3fba48d139b585ff7d379edc69f904f5