metasploit | 52bd891fe5e54aba4b381eae5f74efba20d3c8b46aa94b550627615cbb9ca5fd

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Size

548KB
MD5

8aa0892ed756ce1a48507cf2ce970bec
SHA1

855faa99639923c7a9a88ae8409e0d59f1443ae3
SHA256

52bd891fe5e54aba4b381eae5f74efba20d3c8b46aa94b550627615cbb9ca5fd
SHA512

19200fdc0ce0be456bbaa23e860c8b873f254cb375d58d6417d0bd25654c67299413f122922c93ca70d641a52fc4471b1a80caa6db3318e84ff4d587edaed441
SSDEEP

12288:izP3mTLt4Buvhzdjn+xT64x5nLO0CrnMzqzvR:byBuvhzAx6E52rMz

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wmpxv1.exe

Deletes itself 1 IoCs

pid	Process
2876	wmpxv1.exe

Executes dropped EXE 19 IoCs

pid	Process
2876	wmpxv1.exe
4892	wmpxv1.exe
2040	wmpxv1.exe
5980	wmpxv1.exe
4808	wmpxv1.exe
3260	wmpxv1.exe
3712	wmpxv1.exe
4064	wmpxv1.exe
1176	wmpxv1.exe
2280	wmpxv1.exe
1764	wmpxv1.exe
448	wmpxv1.exe
4732	wmpxv1.exe
2320	wmpxv1.exe
3008	wmpxv1.exe
4936	wmpxv1.exe
4896	wmpxv1.exe
5348	wmpxv1.exe
4840	wmpxv1.exe

Maps connected drives based on registry 3 TTPs 38 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxv1.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2976	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
2976	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
2876	wmpxv1.exe
2876	wmpxv1.exe
4892	wmpxv1.exe
4892	wmpxv1.exe
2040	wmpxv1.exe
2040	wmpxv1.exe
5980	wmpxv1.exe
5980	wmpxv1.exe
4808	wmpxv1.exe
4808	wmpxv1.exe
3260	wmpxv1.exe
3260	wmpxv1.exe
3712	wmpxv1.exe
3712	wmpxv1.exe
4064	wmpxv1.exe
4064	wmpxv1.exe
1176	wmpxv1.exe
1176	wmpxv1.exe
2280	wmpxv1.exe
2280	wmpxv1.exe
1764	wmpxv1.exe
1764	wmpxv1.exe
448	wmpxv1.exe
448	wmpxv1.exe
4732	wmpxv1.exe
4732	wmpxv1.exe
2320	wmpxv1.exe
2320	wmpxv1.exe
3008	wmpxv1.exe
3008	wmpxv1.exe
4936	wmpxv1.exe
4936	wmpxv1.exe
4896	wmpxv1.exe
4896	wmpxv1.exe
5348	wmpxv1.exe
5348	wmpxv1.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2876	2976	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe	97
PID 2976 wrote to memory of 2876	2976	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe	97
PID 2976 wrote to memory of 2876	2976	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe	97
PID 2876 wrote to memory of 4892	2876	wmpxv1.exe	100
PID 2876 wrote to memory of 4892	2876	wmpxv1.exe	100
PID 2876 wrote to memory of 4892	2876	wmpxv1.exe	100
PID 4892 wrote to memory of 2040	4892	wmpxv1.exe	101
PID 4892 wrote to memory of 2040	4892	wmpxv1.exe	101
PID 4892 wrote to memory of 2040	4892	wmpxv1.exe	101
PID 2040 wrote to memory of 5980	2040	wmpxv1.exe	104
PID 2040 wrote to memory of 5980	2040	wmpxv1.exe	104
PID 2040 wrote to memory of 5980	2040	wmpxv1.exe	104
PID 5980 wrote to memory of 4808	5980	wmpxv1.exe	112
PID 5980 wrote to memory of 4808	5980	wmpxv1.exe	112
PID 5980 wrote to memory of 4808	5980	wmpxv1.exe	112
PID 4808 wrote to memory of 3260	4808	wmpxv1.exe	113
PID 4808 wrote to memory of 3260	4808	wmpxv1.exe	113
PID 4808 wrote to memory of 3260	4808	wmpxv1.exe	113
PID 3260 wrote to memory of 3712	3260	wmpxv1.exe	114
PID 3260 wrote to memory of 3712	3260	wmpxv1.exe	114
PID 3260 wrote to memory of 3712	3260	wmpxv1.exe	114
PID 3712 wrote to memory of 4064	3712	wmpxv1.exe	115
PID 3712 wrote to memory of 4064	3712	wmpxv1.exe	115
PID 3712 wrote to memory of 4064	3712	wmpxv1.exe	115
PID 4064 wrote to memory of 1176	4064	wmpxv1.exe	117
PID 4064 wrote to memory of 1176	4064	wmpxv1.exe	117
PID 4064 wrote to memory of 1176	4064	wmpxv1.exe	117
PID 1176 wrote to memory of 2280	1176	wmpxv1.exe	118
PID 1176 wrote to memory of 2280	1176	wmpxv1.exe	118
PID 1176 wrote to memory of 2280	1176	wmpxv1.exe	118
PID 2280 wrote to memory of 1764	2280	wmpxv1.exe	119
PID 2280 wrote to memory of 1764	2280	wmpxv1.exe	119
PID 2280 wrote to memory of 1764	2280	wmpxv1.exe	119
PID 1764 wrote to memory of 448	1764	wmpxv1.exe	120
PID 1764 wrote to memory of 448	1764	wmpxv1.exe	120
PID 1764 wrote to memory of 448	1764	wmpxv1.exe	120
PID 448 wrote to memory of 4732	448	wmpxv1.exe	121
PID 448 wrote to memory of 4732	448	wmpxv1.exe	121
PID 448 wrote to memory of 4732	448	wmpxv1.exe	121
PID 4732 wrote to memory of 2320	4732	wmpxv1.exe	122
PID 4732 wrote to memory of 2320	4732	wmpxv1.exe	122
PID 4732 wrote to memory of 2320	4732	wmpxv1.exe	122
PID 2320 wrote to memory of 3008	2320	wmpxv1.exe	123
PID 2320 wrote to memory of 3008	2320	wmpxv1.exe	123
PID 2320 wrote to memory of 3008	2320	wmpxv1.exe	123
PID 3008 wrote to memory of 4936	3008	wmpxv1.exe	124
PID 3008 wrote to memory of 4936	3008	wmpxv1.exe	124
PID 3008 wrote to memory of 4936	3008	wmpxv1.exe	124
PID 4936 wrote to memory of 4896	4936	wmpxv1.exe	125
PID 4936 wrote to memory of 4896	4936	wmpxv1.exe	125
PID 4936 wrote to memory of 4896	4936	wmpxv1.exe	125
PID 4896 wrote to memory of 5348	4896	wmpxv1.exe	126
PID 4896 wrote to memory of 5348	4896	wmpxv1.exe	126
PID 4896 wrote to memory of 5348	4896	wmpxv1.exe	126
PID 5348 wrote to memory of 4840	5348	wmpxv1.exe	127
PID 5348 wrote to memory of 4840	5348	wmpxv1.exe	127
PID 5348 wrote to memory of 4840	5348	wmpxv1.exe	127

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\wmpxv1.exe
  "C:\Windows\system32\wmpxv1.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\wmpxv1.exe
    "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\wmpxv1.exe
      "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5980
      - C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5348
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        20⤵
        Executes dropped EXE
        
        PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpxv1.exe

Filesize
548KB

MD5
8aa0892ed756ce1a48507cf2ce970bec

SHA1
855faa99639923c7a9a88ae8409e0d59f1443ae3

SHA256
52bd891fe5e54aba4b381eae5f74efba20d3c8b46aa94b550627615cbb9ca5fd

SHA512
19200fdc0ce0be456bbaa23e860c8b873f254cb375d58d6417d0bd25654c67299413f122922c93ca70d641a52fc4471b1a80caa6db3318e84ff4d587edaed441

Download Submit
memory/448-61-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/448-58-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1176-53-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1764-59-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2040-40-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2280-55-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2320-66-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2320-64-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2876-36-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2976-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2976-34-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3008-68-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3260-47-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3712-49-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4064-73-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4732-63-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4808-45-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4892-38-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4896-74-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4936-71-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5348-76-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5980-42-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download