Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 15-09-2024 03:18

Static task: static1

Behavioral task: behavioral1
Sample: e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Size: 142KB
MD5: e19a22e76089eb77565c7fd8f685b88b
SHA1: ae012a2b0a19aa837a841e1f63beb99024c8999a
SHA256: 6219e4ec2189499c1ea6307e2578ea3d64a62550bc7206dd8d2ce507f5e2f556
SHA512: 2bb642c3a0a47df8eab47d09530347ccd9e9a97864cff0bee5c09da6bf1d56ffe2d41f718443c28e12592784ab36367b9994bb97fff2f5911a6041076e8a7d51
SSDEEP: 3072:evEZzUAal8HNu2dY5g5E+K4DBKwAsVMvMjWdpB6D2HgYDm:eCzBHN3b5EsdKdPvpBXu
Malware Config
Extracted: metasploit, encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Deletes itself (1 IoC)
pid   Process
376   wmpdtk32.exe
Executes dropped EXE (32 IoCs)
pid   Process
2352  wmpdtk32.exe
376   wmpdtk32.exe
2896  wmpdtk32.exe
2740  wmpdtk32.exe
2516  wmpdtk32.exe
2608  wmpdtk32.exe
1980  wmpdtk32.exe
1692  wmpdtk32.exe
1820  wmpdtk32.exe
1068  wmpdtk32.exe
2952  wmpdtk32.exe
2792  wmpdtk32.exe
956   wmpdtk32.exe
696   wmpdtk32.exe
2912  wmpdtk32.exe
2864  wmpdtk32.exe
1452  wmpdtk32.exe
2220  wmpdtk32.exe
2312  wmpdtk32.exe
1732  wmpdtk32.exe
2688  wmpdtk32.exe
2704  wmpdtk32.exe
2636  wmpdtk32.exe
2684  wmpdtk32.exe
1780  wmpdtk32.exe
1788  wmpdtk32.exe
292   wmpdtk32.exe
620   wmpdtk32.exe
308   wmpdtk32.exe
348   wmpdtk32.exe
2836  wmpdtk32.exe
2952  wmpdtk32.exe
Loads dropped DLL (64 IoCs)
pid   Process
3048  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
3048  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
2352  wmpdtk32.exe
2352  wmpdtk32.exe
376   wmpdtk32.exe
376   wmpdtk32.exe
2896  wmpdtk32.exe
2896  wmpdtk32.exe
2740  wmpdtk32.exe
2740  wmpdtk32.exe
2516  wmpdtk32.exe
2516  wmpdtk32.exe
2608  wmpdtk32.exe
2608  wmpdtk32.exe
1980  wmpdtk32.exe
1980  wmpdtk32.exe
1692  wmpdtk32.exe
1692  wmpdtk32.exe
1820  wmpdtk32.exe
1820  wmpdtk32.exe
1068  wmpdtk32.exe
1068  wmpdtk32.exe
2952  wmpdtk32.exe
2952  wmpdtk32.exe
2792  wmpdtk32.exe
2792  wmpdtk32.exe
956   wmpdtk32.exe
956   wmpdtk32.exe
696   wmpdtk32.exe
696   wmpdtk32.exe
2912  wmpdtk32.exe
2912  wmpdtk32.exe
2864  wmpdtk32.exe
2864  wmpdtk32.exe
1452  wmpdtk32.exe
1452  wmpdtk32.exe
2220  wmpdtk32.exe
2220  wmpdtk32.exe
2312  wmpdtk32.exe
2312  wmpdtk32.exe
1732  wmpdtk32.exe
1732  wmpdtk32.exe
2688  wmpdtk32.exe
2688  wmpdtk32.exe
2704  wmpdtk32.exe
2704  wmpdtk32.exe
2636  wmpdtk32.exe
2636  wmpdtk32.exe
2684  wmpdtk32.exe
2684  wmpdtk32.exe
1780  wmpdtk32.exe
1780  wmpdtk32.exe
1788  wmpdtk32.exe
1788  wmpdtk32.exe
292   wmpdtk32.exe
292   wmpdtk32.exe
620   wmpdtk32.exe
620   wmpdtk32.exe
308   wmpdtk32.exe
308   wmpdtk32.exe
348   wmpdtk32.exe
348   wmpdtk32.exe
2836  wmpdtk32.exe
2836  wmpdtk32.exe
resource                                                                      yara_rule
behavioral1/memory/3048-4-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/3048-7-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/3048-6-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/3048-3-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/3048-2-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/3048-8-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/3048-9-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/376-31-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/3048-36-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/376-37-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/2740-52-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/376-55-0x0000000000400000-0x000000000045A000-memory.dmp    upx
behavioral1/memory/2740-71-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/2740-73-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/1692-90-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/2608-89-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/2608-94-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/1068-110-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/1692-109-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/1692-111-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2792-129-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/1068-128-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/1068-133-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/696-148-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/2792-152-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2864-168-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/696-167-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/696-172-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/2220-187-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2864-186-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2864-192-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/1732-203-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2220-202-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2220-207-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2704-217-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/1732-216-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/1732-221-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2684-231-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2704-230-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2704-235-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/1788-245-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2684-244-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/2684-249-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/620-259-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/1788-258-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/1788-263-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/348-273-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/620-272-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/620-277-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/2952-287-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/348-286-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/348-291-0x0000000000400000-0x000000000045A000-memory.dmp   upx
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                           Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     wmpdtk32.exe
Drops file in System32 directory (48 IoCs)
description                   ioc                                Process
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File opened for modification  C:\Windows\SysWOW64\               wmpdtk32.exe
File created                  C:\Windows\SysWOW64\wmpdtk32.exe   e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Suspicious use of SetThreadContext (17 IoCs)
description                           pid   Process                                              procid_target
PID 2948 set thread context of 3048   2948  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  28
PID 2352 set thread context of 376    2352  wmpdtk32.exe                                         32
PID 2896 set thread context of 2740   2896  wmpdtk32.exe                                         34
PID 2516 set thread context of 2608   2516  wmpdtk32.exe                                         36
PID 1980 set thread context of 1692   1980  wmpdtk32.exe                                         38
PID 1820 set thread context of 1068   1820  wmpdtk32.exe                                         40
PID 2952 set thread context of 2792   2952  wmpdtk32.exe                                         42
PID 956 set thread context of 696     956   wmpdtk32.exe                                         44
PID 2912 set thread context of 2864   2912  wmpdtk32.exe                                         46
PID 1452 set thread context of 2220   1452  wmpdtk32.exe                                         48
PID 2312 set thread context of 1732   2312  wmpdtk32.exe                                         50
PID 2688 set thread context of 2704   2688  wmpdtk32.exe                                         52
PID 2636 set thread context of 2684   2636  wmpdtk32.exe                                         54
PID 1780 set thread context of 1788   1780  wmpdtk32.exe                                         56
PID 292 set thread context of 620     292   wmpdtk32.exe                                         58
PID 308 set thread context of 348     308   wmpdtk32.exe                                         60
PID 2836 set thread context of 2952   2836  wmpdtk32.exe                                         62
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 33 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtk32.exe
Suspicious behavior: EnumeratesProcesses (33 IoCs)
pid   Process
3048  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
3048  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
376   wmpdtk32.exe
376   wmpdtk32.exe
2740  wmpdtk32.exe
2740  wmpdtk32.exe
2608  wmpdtk32.exe
2608  wmpdtk32.exe
1692  wmpdtk32.exe
1692  wmpdtk32.exe
1068  wmpdtk32.exe
1068  wmpdtk32.exe
2792  wmpdtk32.exe
2792  wmpdtk32.exe
696   wmpdtk32.exe
696   wmpdtk32.exe
2864  wmpdtk32.exe
2864  wmpdtk32.exe
2220  wmpdtk32.exe
2220  wmpdtk32.exe
1732  wmpdtk32.exe
1732  wmpdtk32.exe
2704  wmpdtk32.exe
2704  wmpdtk32.exe
2684  wmpdtk32.exe
2684  wmpdtk32.exe
1788  wmpdtk32.exe
1788  wmpdtk32.exe
620   wmpdtk32.exe
620   wmpdtk32.exe
348   wmpdtk32.exe
348   wmpdtk32.exe
2952  wmpdtk32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                         pid   Process                                              procid_target
PID 2948 wrote to memory of 3048    2948  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  28
PID 2948 wrote to memory of 3048    2948  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  28
PID 2948 wrote to memory of 3048    2948  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  28
PID 2948 wrote to memory of 3048    2948  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  28
PID 2948 wrote to memory of 3048    2948  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  28
PID 2948 wrote to memory of 3048    2948  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  28
PID 2948 wrote to memory of 3048    2948  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  28
PID 3048 wrote to memory of 2352    3048  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  31
PID 3048 wrote to memory of 2352    3048  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  31
PID 3048 wrote to memory of 2352    3048  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  31
PID 3048 wrote to memory of 2352    3048  e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe  31
PID 2352 wrote to memory of 376     2352  wmpdtk32.exe                                         32
PID 2352 wrote to memory of 376     2352  wmpdtk32.exe                                         32
PID 2352 wrote to memory of 376     2352  wmpdtk32.exe                                         32
PID 2352 wrote to memory of 376     2352  wmpdtk32.exe                                         32
PID 2352 wrote to memory of 376     2352  wmpdtk32.exe                                         32
PID 2352 wrote to memory of 376     2352  wmpdtk32.exe                                         32
PID 2352 wrote to memory of 376     2352  wmpdtk32.exe                                         32
PID 376 wrote to memory of 2896     376   wmpdtk32.exe                                         33
PID 376 wrote to memory of 2896     376   wmpdtk32.exe                                         33
PID 376 wrote to memory of 2896     376   wmpdtk32.exe                                         33
PID 376 wrote to memory of 2896     376   wmpdtk32.exe                                         33
PID 2896 wrote to memory of 2740    2896  wmpdtk32.exe                                         34
PID 2896 wrote to memory of 2740    2896  wmpdtk32.exe                                         34
PID 2896 wrote to memory of 2740    2896  wmpdtk32.exe                                         34
PID 2896 wrote to memory of 2740    2896  wmpdtk32.exe                                         34
PID 2896 wrote to memory of 2740    2896  wmpdtk32.exe                                         34
PID 2896 wrote to memory of 2740    2896  wmpdtk32.exe                                         34
PID 2896 wrote to memory of 2740    2896  wmpdtk32.exe                                         34
PID 2740 wrote to memory of 2516    2740  wmpdtk32.exe                                         35
PID 2740 wrote to memory of 2516    2740  wmpdtk32.exe                                         35
PID 2740 wrote to memory of 2516    2740  wmpdtk32.exe                                         35
PID 2740 wrote to memory of 2516    2740  wmpdtk32.exe                                         35
PID 2516 wrote to memory of 2608    2516  wmpdtk32.exe                                         36
PID 2516 wrote to memory of 2608    2516  wmpdtk32.exe                                         36
PID 2516 wrote to memory of 2608    2516  wmpdtk32.exe                                         36
PID 2516 wrote to memory of 2608    2516  wmpdtk32.exe                                         36
PID 2516 wrote to memory of 2608    2516  wmpdtk32.exe                                         36
PID 2516 wrote to memory of 2608    2516  wmpdtk32.exe                                         36
PID 2516 wrote to memory of 2608    2516  wmpdtk32.exe                                         36
PID 2608 wrote to memory of 1980    2608  wmpdtk32.exe                                         37
PID 2608 wrote to memory of 1980    2608  wmpdtk32.exe                                         37
PID 2608 wrote to memory of 1980    2608  wmpdtk32.exe                                         37
PID 2608 wrote to memory of 1980    2608  wmpdtk32.exe                                         37
PID 1980 wrote to memory of 1692    1980  wmpdtk32.exe                                         38
PID 1980 wrote to memory of 1692    1980  wmpdtk32.exe                                         38
PID 1980 wrote to memory of 1692    1980  wmpdtk32.exe                                         38
PID 1980 wrote to memory of 1692    1980  wmpdtk32.exe                                         38
PID 1980 wrote to memory of 1692    1980  wmpdtk32.exe                                         38
PID 1980 wrote to memory of 1692    1980  wmpdtk32.exe                                         38
PID 1980 wrote to memory of 1692    1980  wmpdtk32.exe                                         38
PID 1692 wrote to memory of 1820    1692  wmpdtk32.exe                                         39
PID 1692 wrote to memory of 1820    1692  wmpdtk32.exe                                         39
PID 1692 wrote to memory of 1820    1692  wmpdtk32.exe                                         39
PID 1692 wrote to memory of 1820    1692  wmpdtk32.exe                                         39
PID 1820 wrote to memory of 1068    1820  wmpdtk32.exe                                         40
PID 1820 wrote to memory of 1068    1820  wmpdtk32.exe                                         40
PID 1820 wrote to memory of 1068    1820  wmpdtk32.exe                                         40
PID 1820 wrote to memory of 1068    1820  wmpdtk32.exe                                         40
PID 1820 wrote to memory of 1068    1820  wmpdtk32.exe                                         40
PID 1820 wrote to memory of 1068    1820  wmpdtk32.exe                                         40
PID 1820 wrote to memory of 1068    1820  wmpdtk32.exe                                         40
PID 1068 wrote to memory of 2952    1068  wmpdtk32.exe                                         41
PID 1068 wrote to memory of 2952    1068  wmpdtk32.exe                                         41
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe"
PID: 2948
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e19a22e76089eb77565c7fd8f685b88b_JaffaCakes118.exe"
PID: 3048
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Users\Admin\AppData\Local\Temp\E19A22~1.EXE
PID: 2352
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Users\Admin\AppData\Local\Temp\E19A22~1.EXE
PID: 376
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2896
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2740
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2516
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 8: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2608
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 1980
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 10: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 1692
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 11: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 1820
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 12: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 1068
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 13: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2952
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 14: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2792
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 15: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 956
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 16: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 696
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 17: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2912
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 18: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2864
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 19: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 1452
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 20: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2220
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 21: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2312
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 22: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 1732
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 23: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2688
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 24: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2704
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 25: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2636
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 26: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2684
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 27: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 1780
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 28: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 1788
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 29: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 292
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 30: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 620
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 31: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 308
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 32: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 348
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 33: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2836
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 34: C:\Windows\SysWOW64\wmpdtk32.exe
Command line: "C:\Windows\system32\wmpdtk32.exe" C:\Windows\SysWOW64\wmpdtk32.exe
PID: 2952
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 142KB
MD5: e19a22e76089eb77565c7fd8f685b88b
SHA1: ae012a2b0a19aa837a841e1f63beb99024c8999a
SHA256: 6219e4ec2189499c1ea6307e2578ea3d64a62550bc7206dd8d2ce507f5e2f556
SHA512: 2bb642c3a0a47df8eab47d09530347ccd9e9a97864cff0bee5c09da6bf1d56ffe2d41f718443c28e12592784ab36367b9994bb97fff2f5911a6041076e8a7d51