metasploit | 450ec5de5bbca56129025758c3536c915993912e7aebdc96f7db78a98cb4946d

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
Size

250KB
MD5

b8b71b9def235363cf64ba1605e14e46
SHA1

7217d66f37eb1103623a42611ca188389063ce82
SHA256

450ec5de5bbca56129025758c3536c915993912e7aebdc96f7db78a98cb4946d
SHA512

5116bd160e45f293b7cf660b8441f5a63686b024f76cd1712ab017af750dfb6fde5699aacc7b0fafd6ff0e620179dfde7f360e9af518cdf297b0d79d2a785936
SSDEEP

3072:C6Kz5Ipid7aERbmz87Qeb7o9kjszRUPRUAF5agmDz3Gpr6Y9dSs32FNB0cbOVGUt:3lpk3RbKheud6UDj0D/3aIl

Score

10^/10

metasploit backdoor defense_evasion discovery persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	wmpbd64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	wmpbd64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wmpbd64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	wmpbd64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpbd64.exe = "C:\\Windows\\SysWOW64\\wmpbd64.exe:*:Enabled:Windows Media Monitor"	wmpbd64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List	wmpbd64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	wmpbd64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpbd64.exe = "C:\\Windows\\SysWOW64\\wmpbd64.exe:*:Enabled:Windows Media Monitor"	wmpbd64.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	wmpbd64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	wmpbd64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	wmpbd64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	wmpbd64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	wmpbd64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	wmpbd64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	wmpbd64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe

Deletes itself 1 IoCs

pid	Process
1920	wmpbd64.exe

Executes dropped EXE 16 IoCs

pid	Process
2680	wmpbd64.exe
1920	wmpbd64.exe
5480	wmpbd64.exe
4768	wmpbd64.exe
6088	wmpbd64.exe
5152	wmpbd64.exe
2180	wmpbd64.exe
392	wmpbd64.exe
5108	wmpbd64.exe
3968	wmpbd64.exe
4372	wmpbd64.exe
4364	wmpbd64.exe
5368	wmpbd64.exe
4376	wmpbd64.exe
5280	wmpbd64.exe
1420	wmpbd64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media Monitor = "C:\\Windows\\SysWOW64\\wmpbd64.exe"	wmpbd64.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 18 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpbd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpbd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpbd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpbd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpbd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpbd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpbd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpbd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpbd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
File opened for modification	C:\Windows\SysWOW64\wmpbd64.exe	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
File created	C:\Windows\SysWOW64\wmpbd64.exe	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
File opened for modification	C:\Windows\SysWOW64\	wmpbd64.exe
File opened for modification	C:\Windows\SysWOW64\wmpbd64.exe	wmpbd64.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4616 set thread context of 1300	4616	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	86
PID 2680 set thread context of 1920	2680	wmpbd64.exe	97
PID 5480 set thread context of 4768	5480	wmpbd64.exe	101
PID 6088 set thread context of 5152	6088	wmpbd64.exe	111
PID 2180 set thread context of 392	2180	wmpbd64.exe	117
PID 5108 set thread context of 3968	5108	wmpbd64.exe	124
PID 4372 set thread context of 4364	4372	wmpbd64.exe	130
PID 5368 set thread context of 4376	5368	wmpbd64.exe	136
PID 5280 set thread context of 1420	5280	wmpbd64.exe	142

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1300-0-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1300-2-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1300-4-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1300-3-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1300-38-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1920-44-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1920-46-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/4768-53-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1920-54-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/4768-57-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1920-58-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/5152-72-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1920-73-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/392-80-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/3968-88-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/4364-97-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/4376-105-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1420-114-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpbd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1300	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
1300	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
1300	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
1300	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
4768	wmpbd64.exe
4768	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
5152	wmpbd64.exe
5152	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
392	wmpbd64.exe
392	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
3968	wmpbd64.exe
3968	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
4364	wmpbd64.exe
4364	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
4376	wmpbd64.exe
4376	wmpbd64.exe
1920	wmpbd64.exe
1920	wmpbd64.exe
1420	wmpbd64.exe
1420	wmpbd64.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4768	wmpbd64.exe
Token: SeIncBasePriorityPrivilege	5152	wmpbd64.exe
Token: SeIncBasePriorityPrivilege	392	wmpbd64.exe
Token: SeIncBasePriorityPrivilege	3968	wmpbd64.exe
Token: SeIncBasePriorityPrivilege	4364	wmpbd64.exe
Token: SeIncBasePriorityPrivilege	4376	wmpbd64.exe
Token: SeIncBasePriorityPrivilege	1420	wmpbd64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 1300	4616	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	86
PID 4616 wrote to memory of 1300	4616	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	86
PID 4616 wrote to memory of 1300	4616	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	86
PID 4616 wrote to memory of 1300	4616	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	86
PID 4616 wrote to memory of 1300	4616	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	86
PID 4616 wrote to memory of 1300	4616	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	86
PID 4616 wrote to memory of 1300	4616	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	86
PID 4616 wrote to memory of 1300	4616	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	86
PID 1300 wrote to memory of 2680	1300	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	96
PID 1300 wrote to memory of 2680	1300	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	96
PID 1300 wrote to memory of 2680	1300	JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe	96
PID 2680 wrote to memory of 1920	2680	wmpbd64.exe	97
PID 2680 wrote to memory of 1920	2680	wmpbd64.exe	97
PID 2680 wrote to memory of 1920	2680	wmpbd64.exe	97
PID 2680 wrote to memory of 1920	2680	wmpbd64.exe	97
PID 2680 wrote to memory of 1920	2680	wmpbd64.exe	97
PID 2680 wrote to memory of 1920	2680	wmpbd64.exe	97
PID 2680 wrote to memory of 1920	2680	wmpbd64.exe	97
PID 2680 wrote to memory of 1920	2680	wmpbd64.exe	97
PID 5344 wrote to memory of 5480	5344	cmd.exe	100
PID 5344 wrote to memory of 5480	5344	cmd.exe	100
PID 5344 wrote to memory of 5480	5344	cmd.exe	100
PID 1920 wrote to memory of 3560	1920	wmpbd64.exe	56
PID 1920 wrote to memory of 3560	1920	wmpbd64.exe	56
PID 5480 wrote to memory of 4768	5480	wmpbd64.exe	101
PID 5480 wrote to memory of 4768	5480	wmpbd64.exe	101
PID 5480 wrote to memory of 4768	5480	wmpbd64.exe	101
PID 5480 wrote to memory of 4768	5480	wmpbd64.exe	101
PID 5480 wrote to memory of 4768	5480	wmpbd64.exe	101
PID 5480 wrote to memory of 4768	5480	wmpbd64.exe	101
PID 5480 wrote to memory of 4768	5480	wmpbd64.exe	101
PID 5480 wrote to memory of 4768	5480	wmpbd64.exe	101
PID 4768 wrote to memory of 2788	4768	wmpbd64.exe	102
PID 4768 wrote to memory of 2788	4768	wmpbd64.exe	102
PID 4768 wrote to memory of 2788	4768	wmpbd64.exe	102
PID 2240 wrote to memory of 6088	2240	cmd.exe	110
PID 2240 wrote to memory of 6088	2240	cmd.exe	110
PID 2240 wrote to memory of 6088	2240	cmd.exe	110
PID 6088 wrote to memory of 5152	6088	wmpbd64.exe	111
PID 6088 wrote to memory of 5152	6088	wmpbd64.exe	111
PID 6088 wrote to memory of 5152	6088	wmpbd64.exe	111
PID 6088 wrote to memory of 5152	6088	wmpbd64.exe	111
PID 6088 wrote to memory of 5152	6088	wmpbd64.exe	111
PID 6088 wrote to memory of 5152	6088	wmpbd64.exe	111
PID 6088 wrote to memory of 5152	6088	wmpbd64.exe	111
PID 6088 wrote to memory of 5152	6088	wmpbd64.exe	111
PID 5152 wrote to memory of 3488	5152	wmpbd64.exe	112
PID 5152 wrote to memory of 3488	5152	wmpbd64.exe	112
PID 5152 wrote to memory of 3488	5152	wmpbd64.exe	112
PID 3728 wrote to memory of 2180	3728	cmd.exe	116
PID 3728 wrote to memory of 2180	3728	cmd.exe	116
PID 3728 wrote to memory of 2180	3728	cmd.exe	116
PID 2180 wrote to memory of 392	2180	wmpbd64.exe	117
PID 2180 wrote to memory of 392	2180	wmpbd64.exe	117
PID 2180 wrote to memory of 392	2180	wmpbd64.exe	117
PID 2180 wrote to memory of 392	2180	wmpbd64.exe	117
PID 2180 wrote to memory of 392	2180	wmpbd64.exe	117
PID 2180 wrote to memory of 392	2180	wmpbd64.exe	117
PID 2180 wrote to memory of 392	2180	wmpbd64.exe	117
PID 2180 wrote to memory of 392	2180	wmpbd64.exe	117
PID 392 wrote to memory of 916	392	wmpbd64.exe	118
PID 392 wrote to memory of 916	392	wmpbd64.exe	118
PID 392 wrote to memory of 916	392	wmpbd64.exe	118
PID 2644 wrote to memory of 5108	2644	cmd.exe	123

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3560
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8b71b9def235363cf64ba1605e14e46.exe"
    3⤵
    - Checks computer location settings
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\wmpbd64.exe
      "C:\Windows\SysWOW64\wmpbd64.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\wmpbd64.exe
        
        "C:\Windows\SysWOW64\wmpbd64.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
        5⤵
        Modifies firewall policy service
        Deletes itself
        Executes dropped EXE
        Adds Run key to start application
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\wmpbd64.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5344
- - C:\Windows\SysWOW64\wmpbd64.exe
    C:\Windows\SysWOW64\wmpbd64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5480
  - - C:\Windows\SysWOW64\wmpbd64.exe
      C:\Windows\SysWOW64\wmpbd64.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\wmpbd64.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\wmpbd64.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\wmpbd64.exe
    C:\Windows\SysWOW64\wmpbd64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:6088
  - - C:\Windows\SysWOW64\wmpbd64.exe
      C:\Windows\SysWOW64\wmpbd64.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\wmpbd64.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\wmpbd64.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\wmpbd64.exe
    C:\Windows\SysWOW64\wmpbd64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\wmpbd64.exe
      C:\Windows\SysWOW64\wmpbd64.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\wmpbd64.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\wmpbd64.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\wmpbd64.exe
    C:\Windows\SysWOW64\wmpbd64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5108
  - - C:\Windows\SysWOW64\wmpbd64.exe
      C:\Windows\SysWOW64\wmpbd64.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\wmpbd64.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\wmpbd64.exe
  2⤵
  PID:6016
- - C:\Windows\SysWOW64\wmpbd64.exe
    C:\Windows\SysWOW64\wmpbd64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4372
  - - C:\Windows\SysWOW64\wmpbd64.exe
      C:\Windows\SysWOW64\wmpbd64.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4364
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\wmpbd64.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\wmpbd64.exe
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\wmpbd64.exe
    C:\Windows\SysWOW64\wmpbd64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5368
  - - C:\Windows\SysWOW64\wmpbd64.exe
      C:\Windows\SysWOW64\wmpbd64.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\wmpbd64.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\wmpbd64.exe
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\wmpbd64.exe
    C:\Windows\SysWOW64\wmpbd64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5280
  - - C:\Windows\SysWOW64\wmpbd64.exe
      C:\Windows\SysWOW64\wmpbd64.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1420
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\wmpbd64.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5128

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpbd64.exe

Filesize
250KB

MD5
b8b71b9def235363cf64ba1605e14e46

SHA1
7217d66f37eb1103623a42611ca188389063ce82

SHA256
450ec5de5bbca56129025758c3536c915993912e7aebdc96f7db78a98cb4946d

SHA512
5116bd160e45f293b7cf660b8441f5a63686b024f76cd1712ab017af750dfb6fde5699aacc7b0fafd6ff0e620179dfde7f360e9af518cdf297b0d79d2a785936

Download Submit
memory/392-80-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1300-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1300-3-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1300-4-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1300-38-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1300-2-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1420-114-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1920-54-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1920-46-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1920-58-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1920-73-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1920-44-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3968-88-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4364-97-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4376-105-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4768-53-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4768-57-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5152-72-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download