metasploit | e2fe63ffbe9f45034849ecb306e5399eb70a219758e421b3dc368be9aa4da307

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29/11/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
Size

81KB
MD5

b3e63de0ee2812b92c280e2ae78808cd
SHA1

0cc3966cd4a307f84b6a69c1aa59998e1fafd66d
SHA256

e2fe63ffbe9f45034849ecb306e5399eb70a219758e421b3dc368be9aa4da307
SHA512

f9a871880ebaa7c89fd9e6418310bf6876ffee12ec7a9974c0132a27cf55f452a3d4caf4cfc3ee12bb52e204895c256d140ee28d00ed3d2f258af9563b6fb646
SSDEEP

1536:r7Xl6xlLXtJbru/+nxylEu4y44aj9QQCVWnfr0525p:r7XlkJXHK/+nxjy4dxCqVn

Score

10^/10

metasploit backdoor defense_evasion discovery evasion execution persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmisrpd.exe = "C:\\Windows\\SysWOW64\\wmisrpd.exe:*:Enabled:Windows Live"	wmisrpd.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wmisrpd.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmisrpd.exe = "C:\\Windows\\SysWOW64\\wmisrpd.exe:*:Enabled:Windows Live"	wmisrpd.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List	wmisrpd.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	wmisrpd.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wmisrpd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wmisrpd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wmisrpd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wmisrpd.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	wmisrpd.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "wmisrpd.exe"	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	wmisrpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "wmisrpd.exe"	wmisrpd.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
1308	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	wmisrpd.exe
2816	wmisrpd.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ctfmon.exe = "ctfmon.exe"	wmisrpd.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ctfmon.exe = "ctfmon.exe"	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wmisrpd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wmisrpd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wmisrpd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wmisrpd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "ctfmon.exe"	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "ctfmon.exe"	wmisrpd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrpd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmisrpd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmisrpd.exe	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmisrpd.exe	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmisrpd.exe	wmisrpd.exe
File created	C:\Windows\SysWOW64\wmisrpd.exe	wmisrpd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2332	2156	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	30
PID 2308 set thread context of 2816	2308	wmisrpd.exe	36

Launches sc.exe 27 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1012	sc.exe
708	sc.exe
1768	sc.exe
2072	sc.exe
2264	sc.exe
1704	sc.exe
444	sc.exe
2924	sc.exe
2664	sc.exe
2096	sc.exe
2164	sc.exe
2524	sc.exe
1284	sc.exe
2324	sc.exe
772	sc.exe
2936	sc.exe
2280	sc.exe
1964	sc.exe
2660	sc.exe
2888	sc.exe
2424	sc.exe
1164	sc.exe
848	sc.exe
908	sc.exe
2984	sc.exe
2452	sc.exe
1268	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2204	ipconfig.exe
1780	ipconfig.exe
2460	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
2816	wmisrpd.exe
2816	wmisrpd.exe
2816	wmisrpd.exe
2816	wmisrpd.exe
2816	wmisrpd.exe
2816	wmisrpd.exe
2816	wmisrpd.exe
2816	wmisrpd.exe
2816	wmisrpd.exe
2816	wmisrpd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	wmisrpd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2332	2156	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2332	2156	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2332	2156	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2332	2156	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2332	2156	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2332	2156	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2308	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2308	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2308	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2308	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2484	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2484	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2484	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2484	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	32
PID 2332 wrote to memory of 1308	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	34
PID 2332 wrote to memory of 1308	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	34
PID 2332 wrote to memory of 1308	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	34
PID 2332 wrote to memory of 1308	2332	b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe	34
PID 2308 wrote to memory of 2816	2308	wmisrpd.exe	36
PID 2308 wrote to memory of 2816	2308	wmisrpd.exe	36
PID 2308 wrote to memory of 2816	2308	wmisrpd.exe	36
PID 2308 wrote to memory of 2816	2308	wmisrpd.exe	36
PID 2308 wrote to memory of 2816	2308	wmisrpd.exe	36
PID 2308 wrote to memory of 2816	2308	wmisrpd.exe	36
PID 2816 wrote to memory of 1216	2816	wmisrpd.exe	21
PID 2816 wrote to memory of 1216	2816	wmisrpd.exe	21
PID 2816 wrote to memory of 2692	2816	wmisrpd.exe	37
PID 2816 wrote to memory of 2692	2816	wmisrpd.exe	37
PID 2816 wrote to memory of 2692	2816	wmisrpd.exe	37
PID 2816 wrote to memory of 2692	2816	wmisrpd.exe	37
PID 2816 wrote to memory of 2688	2816	wmisrpd.exe	38
PID 2816 wrote to memory of 2688	2816	wmisrpd.exe	38
PID 2816 wrote to memory of 2688	2816	wmisrpd.exe	38
PID 2816 wrote to memory of 2688	2816	wmisrpd.exe	38
PID 2816 wrote to memory of 2880	2816	wmisrpd.exe	39
PID 2816 wrote to memory of 2880	2816	wmisrpd.exe	39
PID 2816 wrote to memory of 2880	2816	wmisrpd.exe	39
PID 2816 wrote to memory of 2880	2816	wmisrpd.exe	39
PID 2692 wrote to memory of 2728	2692	CMD.exe	43
PID 2692 wrote to memory of 2728	2692	CMD.exe	43
PID 2692 wrote to memory of 2728	2692	CMD.exe	43
PID 2692 wrote to memory of 2728	2692	CMD.exe	43
PID 2880 wrote to memory of 2664	2880	CMD.exe	44
PID 2880 wrote to memory of 2664	2880	CMD.exe	44
PID 2880 wrote to memory of 2664	2880	CMD.exe	44
PID 2880 wrote to memory of 2664	2880	CMD.exe	44
PID 2688 wrote to memory of 2660	2688	CMD.exe	45
PID 2688 wrote to memory of 2660	2688	CMD.exe	45
PID 2688 wrote to memory of 2660	2688	CMD.exe	45
PID 2688 wrote to memory of 2660	2688	CMD.exe	45
PID 2728 wrote to memory of 2696	2728	net.exe	46
PID 2728 wrote to memory of 2696	2728	net.exe	46
PID 2728 wrote to memory of 2696	2728	net.exe	46
PID 2728 wrote to memory of 2696	2728	net.exe	46
PID 2816 wrote to memory of 2460	2816	wmisrpd.exe	47
PID 2816 wrote to memory of 2460	2816	wmisrpd.exe	47
PID 2816 wrote to memory of 2460	2816	wmisrpd.exe	47
PID 2816 wrote to memory of 2460	2816	wmisrpd.exe	47
PID 2816 wrote to memory of 2328	2816	wmisrpd.exe	49
PID 2816 wrote to memory of 2328	2816	wmisrpd.exe	49
PID 2816 wrote to memory of 2328	2816	wmisrpd.exe	49
PID 2816 wrote to memory of 2328	2816	wmisrpd.exe	49
PID 2328 wrote to memory of 2072	2328	CMD.exe	51
PID 2328 wrote to memory of 2072	2328	CMD.exe	51

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118.exe
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Impair Defenses: Safe Mode Boot
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\wmisrpd.exe
      "C:\Windows\system32\wmisrpd.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\wmisrpd.exe
        
        C:\Windows\SysWOW64\wmisrpd.exe
        5⤵
        Modifies firewall policy service
        Modifies security service
        Windows security bypass
        Drops file in Drivers directory
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop "avast! Antivirus"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "avast! Antivirus"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "avast! Antivirus"
        8⤵
        
        PID:2696
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop "avast! Antivirus"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "avast! Antivirus"
        7⤵
        Launches sc.exe
        
        PID:2660
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config "avast! Antivirus" start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config "avast! Antivirus" start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2664
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:2460
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete "avast! Antivirus"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "avast! Antivirus"
        7⤵
        Launches sc.exe
        
        PID:2072
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop AntiVirService
        6⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\net.exe
        
        net stop AntiVirService
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AntiVirService
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop AntiVirService
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AntiVirService
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2280
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config AntiVirService start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config AntiVirService start= disabled
        7⤵
        Launches sc.exe
        
        PID:2264
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete AntiVirService
        6⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AntiVirService
        7⤵
        Launches sc.exe
        
        PID:2424
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop PASRV
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\net.exe
        
        net stop PASRV
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop PASRV
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop PASRV
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop PASRV
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:708
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config PASRV start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config PASRV start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2452
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete PASRV
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete PASRV
        7⤵
        Launches sc.exe
        
        PID:1704
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop VSSERV
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\net.exe
        
        net stop VSSERV
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VSSERV
        8⤵
        
        PID:2016
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop VSSERV
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VSSERV
        7⤵
        Launches sc.exe
        
        PID:1964
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config VSSERV start= disabled
        6⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config VSSERV start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1268
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete VSSERV
        6⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VSSERV
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1284
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop avg8wd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\net.exe
        
        net stop avg8wd
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop avg8wd
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop avg8wd
        6⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop avg8wd
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1012
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config avg8wd start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config avg8wd start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1164
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete avg8wd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete avg8wd
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:772
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop NOD32krn
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\net.exe
        
        net stop NOD32krn
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NOD32krn
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop NOD32krn
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop NOD32krn
        7⤵
        Launches sc.exe
        
        PID:848
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config NOD32krn start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config NOD32krn start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1768
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete NOD32krn
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete NOD32krn
        7⤵
        Launches sc.exe
        
        PID:2096
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop SbPF.Launcher
        6⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SbPF.Launcher
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SbPF.Launcher
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop SbPF.Launcher
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop SbPF.Launcher
        7⤵
        Launches sc.exe
        
        PID:908
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config SbPF.Launcher start= disabled
        6⤵
        
        PID:596
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config SbPF.Launcher start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2164
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete SbPF.Launcher
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete SbPF.Launcher
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2984
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop SPF4
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SPF4
        7⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SPF4
        8⤵
        
        PID:2320
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop SPF4
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop SPF4
        7⤵
        Launches sc.exe
        
        PID:2524
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config SPF4 start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config SPF4 start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2324
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete SPF4
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete SPF4
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:444
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop acssrv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\net.exe
        
        net stop acssrv
        7⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop acssrv
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop acssrv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop acssrv
        7⤵
        Launches sc.exe
        
        PID:2924
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config acssrv start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config acssrv start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2936
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete acssrv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete acssrv
        7⤵
        Launches sc.exe
        
        PID:2888
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2204
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1780
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B3E63D~1.EXE > nul
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\drivers\etc\hosts

Filesize
15KB

MD5
96d179abc939ae4cc8f6d61cb8b6fe6d

SHA1
004f2c2f14a8d1bf66a0bf3d3e71e23b68dd5b7a

SHA256
aa2d65cfa18eac8f7f1a22ddc6b06eed4b5b6acf4de8313a3847d4c036295194

SHA512
434c54224c43710e44f700f76fcb4935216daac882cdab72d1e078e5b86f1f99342ad6d2b6aefa645277aa2fb7b06ee9c1c2f1d82b833b8517c1d5427dc78719

Download Submit
\Windows\SysWOW64\wmisrpd.exe

Filesize
81KB

MD5
b3e63de0ee2812b92c280e2ae78808cd

SHA1
0cc3966cd4a307f84b6a69c1aa59998e1fafd66d

SHA256
e2fe63ffbe9f45034849ecb306e5399eb70a219758e421b3dc368be9aa4da307

SHA512
f9a871880ebaa7c89fd9e6418310bf6876ffee12ec7a9974c0132a27cf55f452a3d4caf4cfc3ee12bb52e204895c256d140ee28d00ed3d2f258af9563b6fb646

Download Submit
memory/1216-28-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1216-29-0x0000000002520000-0x000000000252E000-memory.dmp

Filesize
56KB

Download
memory/2332-0-0x0000000001000000-0x0000000001074000-memory.dmp

Filesize
464KB

Download
memory/2332-5-0x0000000001000000-0x0000000001074000-memory.dmp

Filesize
464KB

Download
memory/2332-3-0x0000000001000000-0x0000000001074000-memory.dmp

Filesize
464KB

Download
memory/2332-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-6-0x0000000001000000-0x0000000001074000-memory.dmp

Filesize
464KB

Download
memory/2332-17-0x0000000001000000-0x0000000001074000-memory.dmp

Filesize
464KB

Download
memory/2816-26-0x0000000001000000-0x0000000001074000-memory.dmp

Filesize
464KB

Download
memory/2816-27-0x0000000001000000-0x0000000001074000-memory.dmp

Filesize
464KB

Download