Analysis
max time kernel: 148s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2024 23:59

Static task: static1
Behavioral task: behavioral1
  Sample: b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General
Target: b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
Size: 151KB
MD5: b5c8f9566b612d6bacf6aa426d3b3e9d
SHA1: 0b114e0aad1eee532069a1aeb9419b9d7b440fcd
SHA256: 587aaddf0d7141722792a0e0a3350d829600814db3e354bde9d6ed6e3cbfefe3
SHA512: b1c186d163810a4cb024e5abb4adb162d5b22bc512741a43fa06996aa8eadc474e660124cd77b774ae9881512de1e40c09eb0bb39d5b3b49faf6b97176ebfa0c
SSDEEP: 3072:SB3SnzpTtvWxb+I58nAw8YiIC9iXw+lyvB7XvF:oizWx9584OmigBvBrF
Malware Config
Extracted: metasploit
Encoder: encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family

Checks computer location settings (2 TTPs, 16 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wmpctd32.exe
Deletes itself (1 IoC)
pid | Process
2548 | wmpctd32.exe
Executes dropped EXE (32 IoCs)
pid | Process
4676 | wmpctd32.exe
2548 | wmpctd32.exe
388 | wmpctd32.exe
2164 | wmpctd32.exe
4292 | wmpctd32.exe
752 | wmpctd32.exe
2908 | wmpctd32.exe
2372 | wmpctd32.exe
2736 | wmpctd32.exe
864 | wmpctd32.exe
4356 | wmpctd32.exe
1988 | wmpctd32.exe
2080 | wmpctd32.exe
1140 | wmpctd32.exe
4864 | wmpctd32.exe
4028 | wmpctd32.exe
2016 | wmpctd32.exe
2740 | wmpctd32.exe
3300 | wmpctd32.exe
2300 | wmpctd32.exe
3652 | wmpctd32.exe
1408 | wmpctd32.exe
3728 | wmpctd32.exe
4488 | wmpctd32.exe
116 | wmpctd32.exe
632 | wmpctd32.exe
4812 | wmpctd32.exe
4500 | wmpctd32.exe
2568 | wmpctd32.exe
3480 | wmpctd32.exe
2056 | wmpctd32.exe
5040 | wmpctd32.exe
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctd32.exe
Drops file in System32 directory (48 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpctd32.exe
File opened for modification | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
File created | C:\Windows\SysWOW64\wmpctd32.exe | wmpctd32.exe
Suspicious use of SetThreadContext (17 IoCs)
description | pid | Process | procid_target
PID 4252 set thread context of 4888 | 4252 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 83
PID 4676 set thread context of 2548 | 4676 | wmpctd32.exe | 94
PID 388 set thread context of 2164 | 388 | wmpctd32.exe | 100
PID 4292 set thread context of 752 | 4292 | wmpctd32.exe | 102
PID 2908 set thread context of 2372 | 2908 | wmpctd32.exe | 107
PID 2736 set thread context of 864 | 2736 | wmpctd32.exe | 109
PID 4356 set thread context of 1988 | 4356 | wmpctd32.exe | 111
PID 2080 set thread context of 1140 | 2080 | wmpctd32.exe | 114
PID 4864 set thread context of 4028 | 4864 | wmpctd32.exe | 116
PID 2016 set thread context of 2740 | 2016 | wmpctd32.exe | 118
PID 3300 set thread context of 2300 | 3300 | wmpctd32.exe | 120
PID 3652 set thread context of 1408 | 3652 | wmpctd32.exe | 122
PID 3728 set thread context of 4488 | 3728 | wmpctd32.exe | 124
PID 116 set thread context of 632 | 116 | wmpctd32.exe | 126
PID 4812 set thread context of 4500 | 4812 | wmpctd32.exe | 128
PID 2568 set thread context of 3480 | 2568 | wmpctd32.exe | 130
PID 2056 set thread context of 5040 | 2056 | wmpctd32.exe | 132
resource | yara_rule
behavioral2/memory/4888-0-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4888-2-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4888-3-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4888-4-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4888-31-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2548-43-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4888-45-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2548-47-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2548-54-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2164-59-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2164-62-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/752-67-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/752-70-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2372-75-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2372-78-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/864-83-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/864-86-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1988-91-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1988-94-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1140-100-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1140-103-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4028-108-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4028-111-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2740-117-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2740-120-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2300-125-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2300-128-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1408-134-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1408-139-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4488-143-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4488-148-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/632-152-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/632-157-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4500-161-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/4500-166-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/3480-171-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/3480-176-0x0000000000400000-0x0000000000456000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 33 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctd32.exe
Modifies registry class (16 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctd32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4888 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
4888 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
4888 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
4888 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe
2548 | wmpctd32.exe
2548 | wmpctd32.exe
2548 | wmpctd32.exe
2548 | wmpctd32.exe
2164 | wmpctd32.exe
2164 | wmpctd32.exe
2164 | wmpctd32.exe
2164 | wmpctd32.exe
752 | wmpctd32.exe
752 | wmpctd32.exe
752 | wmpctd32.exe
752 | wmpctd32.exe
2372 | wmpctd32.exe
2372 | wmpctd32.exe
2372 | wmpctd32.exe
2372 | wmpctd32.exe
864 | wmpctd32.exe
864 | wmpctd32.exe
864 | wmpctd32.exe
864 | wmpctd32.exe
1988 | wmpctd32.exe
1988 | wmpctd32.exe
1988 | wmpctd32.exe
1988 | wmpctd32.exe
1140 | wmpctd32.exe
1140 | wmpctd32.exe
1140 | wmpctd32.exe
1140 | wmpctd32.exe
4028 | wmpctd32.exe
4028 | wmpctd32.exe
4028 | wmpctd32.exe
4028 | wmpctd32.exe
2740 | wmpctd32.exe
2740 | wmpctd32.exe
2740 | wmpctd32.exe
2740 | wmpctd32.exe
2300 | wmpctd32.exe
2300 | wmpctd32.exe
2300 | wmpctd32.exe
2300 | wmpctd32.exe
1408 | wmpctd32.exe
1408 | wmpctd32.exe
1408 | wmpctd32.exe
1408 | wmpctd32.exe
4488 | wmpctd32.exe
4488 | wmpctd32.exe
4488 | wmpctd32.exe
4488 | wmpctd32.exe
632 | wmpctd32.exe
632 | wmpctd32.exe
632 | wmpctd32.exe
632 | wmpctd32.exe
4500 | wmpctd32.exe
4500 | wmpctd32.exe
4500 | wmpctd32.exe
4500 | wmpctd32.exe
3480 | wmpctd32.exe
3480 | wmpctd32.exe
3480 | wmpctd32.exe
3480 | wmpctd32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4252 wrote to memory of 4888 | 4252 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 83
PID 4252 wrote to memory of 4888 | 4252 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 83
PID 4252 wrote to memory of 4888 | 4252 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 83
PID 4252 wrote to memory of 4888 | 4252 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 83
PID 4252 wrote to memory of 4888 | 4252 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 83
PID 4252 wrote to memory of 4888 | 4252 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 83
PID 4252 wrote to memory of 4888 | 4252 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 83
PID 4888 wrote to memory of 4676 | 4888 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 93
PID 4888 wrote to memory of 4676 | 4888 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 93
PID 4888 wrote to memory of 4676 | 4888 | b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe | 93
PID 4676 wrote to memory of 2548 | 4676 | wmpctd32.exe | 94
PID 4676 wrote to memory of 2548 | 4676 | wmpctd32.exe | 94
PID 4676 wrote to memory of 2548 | 4676 | wmpctd32.exe | 94
PID 4676 wrote to memory of 2548 | 4676 | wmpctd32.exe | 94
PID 4676 wrote to memory of 2548 | 4676 | wmpctd32.exe | 94
PID 4676 wrote to memory of 2548 | 4676 | wmpctd32.exe | 94
PID 4676 wrote to memory of 2548 | 4676 | wmpctd32.exe | 94
PID 2548 wrote to memory of 388 | 2548 | wmpctd32.exe | 99
PID 2548 wrote to memory of 388 | 2548 | wmpctd32.exe | 99
PID 2548 wrote to memory of 388 | 2548 | wmpctd32.exe | 99
PID 388 wrote to memory of 2164 | 388 | wmpctd32.exe | 100
PID 388 wrote to memory of 2164 | 388 | wmpctd32.exe | 100
PID 388 wrote to memory of 2164 | 388 | wmpctd32.exe | 100
PID 388 wrote to memory of 2164 | 388 | wmpctd32.exe | 100
PID 388 wrote to memory of 2164 | 388 | wmpctd32.exe | 100
PID 388 wrote to memory of 2164 | 388 | wmpctd32.exe | 100
PID 388 wrote to memory of 2164 | 388 | wmpctd32.exe | 100
PID 2164 wrote to memory of 4292 | 2164 | wmpctd32.exe | 101
PID 2164 wrote to memory of 4292 | 2164 | wmpctd32.exe | 101
PID 2164 wrote to memory of 4292 | 2164 | wmpctd32.exe | 101
PID 4292 wrote to memory of 752 | 4292 | wmpctd32.exe | 102
PID 4292 wrote to memory of 752 | 4292 | wmpctd32.exe | 102
PID 4292 wrote to memory of 752 | 4292 | wmpctd32.exe | 102
PID 4292 wrote to memory of 752 | 4292 | wmpctd32.exe | 102
PID 4292 wrote to memory of 752 | 4292 | wmpctd32.exe | 102
PID 4292 wrote to memory of 752 | 4292 | wmpctd32.exe | 102
PID 4292 wrote to memory of 752 | 4292 | wmpctd32.exe | 102
PID 752 wrote to memory of 2908 | 752 | wmpctd32.exe | 106
PID 752 wrote to memory of 2908 | 752 | wmpctd32.exe | 106
PID 752 wrote to memory of 2908 | 752 | wmpctd32.exe | 106
PID 2908 wrote to memory of 2372 | 2908 | wmpctd32.exe | 107
PID 2908 wrote to memory of 2372 | 2908 | wmpctd32.exe | 107
PID 2908 wrote to memory of 2372 | 2908 | wmpctd32.exe | 107
PID 2908 wrote to memory of 2372 | 2908 | wmpctd32.exe | 107
PID 2908 wrote to memory of 2372 | 2908 | wmpctd32.exe | 107
PID 2908 wrote to memory of 2372 | 2908 | wmpctd32.exe | 107
PID 2908 wrote to memory of 2372 | 2908 | wmpctd32.exe | 107
PID 2372 wrote to memory of 2736 | 2372 | wmpctd32.exe | 108
PID 2372 wrote to memory of 2736 | 2372 | wmpctd32.exe | 108
PID 2372 wrote to memory of 2736 | 2372 | wmpctd32.exe | 108
PID 2736 wrote to memory of 864 | 2736 | wmpctd32.exe | 109
PID 2736 wrote to memory of 864 | 2736 | wmpctd32.exe | 109
PID 2736 wrote to memory of 864 | 2736 | wmpctd32.exe | 109
PID 2736 wrote to memory of 864 | 2736 | wmpctd32.exe | 109
PID 2736 wrote to memory of 864 | 2736 | wmpctd32.exe | 109
PID 2736 wrote to memory of 864 | 2736 | wmpctd32.exe | 109
PID 2736 wrote to memory of 864 | 2736 | wmpctd32.exe | 109
PID 864 wrote to memory of 4356 | 864 | wmpctd32.exe | 110
PID 864 wrote to memory of 4356 | 864 | wmpctd32.exe | 110
PID 864 wrote to memory of 4356 | 864 | wmpctd32.exe | 110
PID 4356 wrote to memory of 1988 | 4356 | wmpctd32.exe | 111
PID 4356 wrote to memory of 1988 | 4356 | wmpctd32.exe | 111
PID 4356 wrote to memory of 1988 | 4356 | wmpctd32.exe | 111
PID 4356 wrote to memory of 1988 | 4356 | wmpctd32.exe | 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b5c8f9566b612d6bacf6aa426d3b3e9d_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Users\Admin\AppData\Local\Temp\B5C8F9~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Users\Admin\AppData\Local\Temp\B5C8F9~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1988 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1140 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4028 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2740 -
C:\Windows\SysWOW64\wmpctd32.exe"C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3300
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2300
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3652
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1408
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3728
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4488
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:116
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:632
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4812
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4500
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2568
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3480
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2056
C:\Windows\SysWOW64\wmpctd32.exe "C:\Windows\system32\wmpctd32.exe" C:\Windows\SysWOW64\wmpctd32.exe 34⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:5040
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
151KB
MD5 b5c8f9566b612d6bacf6aa426d3b3e9d
SHA1 0b114e0aad1eee532069a1aeb9419b9d7b440fcd
SHA256 587aaddf0d7141722792a0e0a3350d829600814db3e354bde9d6ed6e3cbfefe3
SHA512 b1c186d163810a4cb024e5abb4adb162d5b22bc512741a43fa06996aa8eadc474e660124cd77b774ae9881512de1e40c09eb0bb39d5b3b49faf6b97176ebfa0c