Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25/11/2024, 04:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe
Resource
win7-20240729-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe
-
Size
134KB
-
MD5
993a393bac58bcd1152e0c8f9ed81d64
-
SHA1
c275ecc1e6a56b68a81c4429805de5e03b7836ac
-
SHA256
ede0bece9f446543e867d2f5988f68a0d1ca2a3906025b7c72561204bee26787
-
SHA512
924249a5779d664b3c5b5720aeb9a4416644ebefcac1eefc27064014e69293e0320e2bd49121ea2e04ea8faa245599c9507c32d326770ca4d5f7ef054c6616a5
-
SSDEEP
3072:azQ5+gB4jMhYeIQf6djqn0t4+2sredD7FfPB2pdRV8o0r:2QpnOeIQf6djqn0t4XDBn0pd0om
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wnpvk2.exe -
Deletes itself 1 IoCs
pid Process 3392 wnpvk2.exe -
Executes dropped EXE 34 IoCs
pid Process 3988 wnpvk2.exe 3392 wnpvk2.exe 2952 wnpvk2.exe 5024 wnpvk2.exe 4820 wnpvk2.exe 3300 wnpvk2.exe 736 wnpvk2.exe 3660 wnpvk2.exe 2988 wnpvk2.exe 3688 wnpvk2.exe 3624 wnpvk2.exe 1028 wnpvk2.exe 4896 wnpvk2.exe 4940 wnpvk2.exe 1372 wnpvk2.exe 3076 wnpvk2.exe 1100 wnpvk2.exe 4680 wnpvk2.exe 1900 wnpvk2.exe 4900 wnpvk2.exe 2556 wnpvk2.exe 2932 wnpvk2.exe 428 wnpvk2.exe 2184 wnpvk2.exe 3160 wnpvk2.exe 3924 wnpvk2.exe 2324 wnpvk2.exe 1428 wnpvk2.exe 1740 wnpvk2.exe 3412 wnpvk2.exe 760 wnpvk2.exe 1896 wnpvk2.exe 4320 wnpvk2.exe 5044 wnpvk2.exe -
Maps connected drives based on registry 3 TTPs 36 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wnpvk2.exe -
Drops file in System32 directory 34 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File opened for modification C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe File created C:\Windows\SysWOW64\wnpvk2.exe 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe File created C:\Windows\SysWOW64\wnpvk2.exe wnpvk2.exe -
Suspicious use of SetThreadContext 18 IoCs
description pid Process procid_target PID 1100 set thread context of 3772 1100 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 90 PID 3988 set thread context of 3392 3988 wnpvk2.exe 98 PID 2952 set thread context of 5024 2952 wnpvk2.exe 100 PID 4820 set thread context of 3300 4820 wnpvk2.exe 102 PID 736 set thread context of 3660 736 wnpvk2.exe 107 PID 2988 set thread context of 3688 2988 wnpvk2.exe 109 PID 3624 set thread context of 1028 3624 wnpvk2.exe 111 PID 4896 set thread context of 4940 4896 wnpvk2.exe 113 PID 1372 set thread context of 3076 1372 wnpvk2.exe 115 PID 1100 set thread context of 4680 1100 wnpvk2.exe 117 PID 1900 set thread context of 4900 1900 wnpvk2.exe 119 PID 2556 set thread context of 2932 2556 wnpvk2.exe 121 PID 428 set thread context of 2184 428 wnpvk2.exe 123 PID 3160 set thread context of 3924 3160 wnpvk2.exe 125 PID 2324 set thread context of 1428 2324 wnpvk2.exe 127 PID 1740 set thread context of 3412 1740 wnpvk2.exe 129 PID 760 set thread context of 1896 760 wnpvk2.exe 131 PID 4320 set thread context of 5044 4320 wnpvk2.exe 133 -
resource yara_rule behavioral2/memory/3772-0-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3772-2-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3772-3-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3772-4-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3772-40-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3392-44-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3392-45-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3392-46-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3392-48-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/5024-55-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3300-61-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3660-68-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3660-70-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3688-77-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/1028-82-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/1028-85-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/4940-92-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3076-97-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3076-99-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/4680-107-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/4900-113-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/2932-121-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/2184-126-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/2184-131-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3924-135-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3924-141-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/1428-149-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/3412-157-0x0000000000400000-0x0000000000457000-memory.dmp upx behavioral2/memory/1896-165-0x0000000000400000-0x0000000000457000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 35 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wnpvk2.exe -
Modifies registry class 17 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wnpvk2.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process 3772 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 3772 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 3392 wnpvk2.exe 3392 wnpvk2.exe 5024 wnpvk2.exe 5024 wnpvk2.exe 3300 wnpvk2.exe 3300 wnpvk2.exe 3660 wnpvk2.exe 3660 wnpvk2.exe 3688 wnpvk2.exe 3688 wnpvk2.exe 1028 wnpvk2.exe 1028 wnpvk2.exe 4940 wnpvk2.exe 4940 wnpvk2.exe 3076 wnpvk2.exe 3076 wnpvk2.exe 4680 wnpvk2.exe 4680 wnpvk2.exe 4900 wnpvk2.exe 4900 wnpvk2.exe 2932 wnpvk2.exe 2932 wnpvk2.exe 2184 wnpvk2.exe 2184 wnpvk2.exe 3924 wnpvk2.exe 3924 wnpvk2.exe 1428 wnpvk2.exe 1428 wnpvk2.exe 3412 wnpvk2.exe 3412 wnpvk2.exe 1896 wnpvk2.exe 1896 wnpvk2.exe 5044 wnpvk2.exe 5044 wnpvk2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1100 wrote to memory of 3772 1100 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 90 PID 1100 wrote to memory of 3772 1100 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 90 PID 1100 wrote to memory of 3772 1100 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 90 PID 1100 wrote to memory of 3772 1100 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 90 PID 1100 wrote to memory of 3772 1100 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 90 PID 1100 wrote to memory of 3772 1100 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 90 PID 1100 wrote to memory of 3772 1100 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 90 PID 3772 wrote to memory of 3988 3772 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 93 PID 3772 wrote to memory of 3988 3772 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 93 PID 3772 wrote to memory of 3988 3772 993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe 93 PID 3988 wrote to memory of 3392 3988 wnpvk2.exe 98 PID 3988 wrote to memory of 3392 3988 wnpvk2.exe 98 PID 3988 wrote to memory of 3392 3988 wnpvk2.exe 98 PID 3988 wrote to memory of 3392 3988 wnpvk2.exe 98 PID 3988 wrote to memory of 3392 3988 wnpvk2.exe 98 PID 3988 wrote to memory of 3392 3988 wnpvk2.exe 98 PID 3988 wrote to memory of 3392 3988 wnpvk2.exe 98 PID 3392 wrote to memory of 2952 3392 wnpvk2.exe 99 PID 3392 wrote to memory of 2952 3392 wnpvk2.exe 99 PID 3392 wrote to memory of 2952 3392 wnpvk2.exe 99 PID 2952 wrote to memory of 5024 2952 wnpvk2.exe 100 PID 2952 wrote to memory of 5024 2952 wnpvk2.exe 100 PID 2952 wrote to memory of 5024 2952 wnpvk2.exe 100 PID 2952 wrote to memory of 5024 2952 wnpvk2.exe 100 PID 2952 wrote to memory of 5024 2952 wnpvk2.exe 100 PID 2952 wrote to memory of 5024 2952 wnpvk2.exe 100 PID 2952 wrote to memory of 5024 2952 wnpvk2.exe 100 PID 5024 wrote to memory of 4820 5024 wnpvk2.exe 101 PID 5024 wrote to memory of 4820 5024 wnpvk2.exe 101 PID 5024 wrote to memory of 4820 5024 wnpvk2.exe 101 PID 4820 wrote to memory of 3300 4820 wnpvk2.exe 102 PID 4820 wrote to memory of 3300 4820 wnpvk2.exe 102 PID 4820 wrote to memory of 3300 4820 wnpvk2.exe 102 PID 4820 wrote to memory of 3300 4820 wnpvk2.exe 102 PID 4820 wrote to memory of 3300 4820 wnpvk2.exe 102 PID 4820 wrote to memory of 3300 4820 wnpvk2.exe 102 PID 4820 wrote to memory of 3300 4820 wnpvk2.exe 102 PID 3300 wrote to memory of 736 3300 wnpvk2.exe 105 PID 3300 wrote to memory of 736 3300 wnpvk2.exe 105 PID 3300 wrote to memory of 736 3300 wnpvk2.exe 105 PID 736 wrote to memory of 3660 736 wnpvk2.exe 107 PID 736 wrote to memory of 3660 736 wnpvk2.exe 107 PID 736 wrote to memory of 3660 736 wnpvk2.exe 107 PID 736 wrote to memory of 3660 736 wnpvk2.exe 107 PID 736 wrote to memory of 3660 736 wnpvk2.exe 107 PID 736 wrote to memory of 3660 736 wnpvk2.exe 107 PID 736 wrote to memory of 3660 736 wnpvk2.exe 107 PID 3660 wrote to memory of 2988 3660 wnpvk2.exe 108 PID 3660 wrote to memory of 2988 3660 wnpvk2.exe 108 PID 3660 wrote to memory of 2988 3660 wnpvk2.exe 108 PID 2988 wrote to memory of 3688 2988 wnpvk2.exe 109 PID 2988 wrote to memory of 3688 2988 wnpvk2.exe 109 PID 2988 wrote to memory of 3688 2988 wnpvk2.exe 109 PID 2988 wrote to memory of 3688 2988 wnpvk2.exe 109 PID 2988 wrote to memory of 3688 2988 wnpvk2.exe 109 PID 2988 wrote to memory of 3688 2988 wnpvk2.exe 109 PID 2988 wrote to memory of 3688 2988 wnpvk2.exe 109 PID 3688 wrote to memory of 3624 3688 wnpvk2.exe 110 PID 3688 wrote to memory of 3624 3688 wnpvk2.exe 110 PID 3688 wrote to memory of 3624 3688 wnpvk2.exe 110 PID 3624 wrote to memory of 1028 3624 wnpvk2.exe 111 PID 3624 wrote to memory of 1028 3624 wnpvk2.exe 111 PID 3624 wrote to memory of 1028 3624 wnpvk2.exe 111 PID 3624 wrote to memory of 1028 3624 wnpvk2.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\993a393bac58bcd1152e0c8f9ed81d64_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Users\Admin\AppData\Local\Temp\993A39~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Users\Admin\AppData\Local\Temp\993A39~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1028 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4896 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4940 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3076 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4680 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4900 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2932 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:428 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2184 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3160 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3924 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1428 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3412 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1896 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4320 -
C:\Windows\SysWOW64\wnpvk2.exe"C:\Windows\system32\wnpvk2.exe" C:\Windows\SysWOW64\wnpvk2.exe36⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:5044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD5993a393bac58bcd1152e0c8f9ed81d64
SHA1c275ecc1e6a56b68a81c4429805de5e03b7836ac
SHA256ede0bece9f446543e867d2f5988f68a0d1ca2a3906025b7c72561204bee26787
SHA512924249a5779d664b3c5b5720aeb9a4416644ebefcac1eefc27064014e69293e0320e2bd49121ea2e04ea8faa245599c9507c32d326770ca4d5f7ef054c6616a5