metasploit | b5b17bc7bdb64909ae5277f967d739e73743d9406a65cc646753b21ede516031

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
Size

169KB
MD5

18a441df203f749c24027a8f61464e7e
SHA1

bff7d814b8a76605e82addc1e67f652579534d4e
SHA256

b5b17bc7bdb64909ae5277f967d739e73743d9406a65cc646753b21ede516031
SHA512

4515f22267f6b5344240a9eccdf98c065b9e4f626b91848a981283ab1e3c35a9661d04e1aed008572243bb06e9f3cddd226f4b90469964d1a8350e01cb2610ba
SSDEEP

3072:lGEEhqaY4n5OR/V5DI1KWWwW3bkPLrV0JhTxKQbVRkIuYfdpN6WjFk:lGAN4ID+KbwW3mLZwhTxKQbVRFfPN6WG

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18a441df203f749c24027a8f61464e7e_JaffaCakes118.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wmpfv4.exe

Deletes itself 1 IoCs

Processes:

wmpfv4.exe

pid process

3380 wmpfv4.exe

pid	process
3380	wmpfv4.exe

Executes dropped EXE 21 IoCs

Processes:

wmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exe

pid	process
4444	wmpfv4.exe
3380	wmpfv4.exe
4888	wmpfv4.exe
2436	wmpfv4.exe
4920	wmpfv4.exe
468	wmpfv4.exe
3120	wmpfv4.exe
3568	wmpfv4.exe
2100	wmpfv4.exe
4252	wmpfv4.exe
3048	wmpfv4.exe
1940	wmpfv4.exe
1044	wmpfv4.exe
4744	wmpfv4.exe
2128	wmpfv4.exe
2376	wmpfv4.exe
216	wmpfv4.exe
2748	wmpfv4.exe
2560	wmpfv4.exe
3608	wmpfv4.exe
2332	wmpfv4.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/884-0-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/884-3-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/884-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/884-4-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/884-7-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/884-6-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/884-5-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/884-8-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/884-45-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3380-51-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3380-53-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3380-52-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3380-54-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3380-59-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2436-65-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2436-68-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2436-67-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2436-66-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2436-71-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/468-83-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3568-95-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4252-106-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1940-121-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4744-128-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4744-135-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2376-148-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2748-161-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3608-174-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 22 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exe18a441df203f749c24027a8f61464e7e_JaffaCakes118.exewmpfv4.exewmpfv4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfv4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfv4.exe

Drops file in System32 directory 22 IoCs

Processes:

wmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exe18a441df203f749c24027a8f61464e7e_JaffaCakes118.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File created	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv4.exe	wmpfv4.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

18a441df203f749c24027a8f61464e7e_JaffaCakes118.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exe

description	pid	process	target process
PID 1336 set thread context of 884	1336	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
PID 4444 set thread context of 3380	4444	wmpfv4.exe	wmpfv4.exe
PID 4888 set thread context of 2436	4888	wmpfv4.exe	wmpfv4.exe
PID 4920 set thread context of 468	4920	wmpfv4.exe	wmpfv4.exe
PID 3120 set thread context of 3568	3120	wmpfv4.exe	wmpfv4.exe
PID 2100 set thread context of 4252	2100	wmpfv4.exe	wmpfv4.exe
PID 3048 set thread context of 1940	3048	wmpfv4.exe	wmpfv4.exe
PID 1044 set thread context of 4744	1044	wmpfv4.exe	wmpfv4.exe
PID 2128 set thread context of 2376	2128	wmpfv4.exe	wmpfv4.exe
PID 216 set thread context of 2748	216	wmpfv4.exe	wmpfv4.exe
PID 2560 set thread context of 3608	2560	wmpfv4.exe	wmpfv4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

Processes:

18a441df203f749c24027a8f61464e7e_JaffaCakes118.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfv4.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

18a441df203f749c24027a8f61464e7e_JaffaCakes118.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exe

pid	process
884	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
884	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
3380	wmpfv4.exe
3380	wmpfv4.exe
2436	wmpfv4.exe
2436	wmpfv4.exe
468	wmpfv4.exe
468	wmpfv4.exe
3568	wmpfv4.exe
3568	wmpfv4.exe
4252	wmpfv4.exe
4252	wmpfv4.exe
1940	wmpfv4.exe
1940	wmpfv4.exe
4744	wmpfv4.exe
4744	wmpfv4.exe
2376	wmpfv4.exe
2376	wmpfv4.exe
2748	wmpfv4.exe
2748	wmpfv4.exe
3608	wmpfv4.exe
3608	wmpfv4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe18a441df203f749c24027a8f61464e7e_JaffaCakes118.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exewmpfv4.exe

description	pid	process	target process
PID 1336 wrote to memory of 884	1336	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
PID 1336 wrote to memory of 884	1336	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
PID 1336 wrote to memory of 884	1336	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
PID 1336 wrote to memory of 884	1336	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
PID 1336 wrote to memory of 884	1336	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
PID 1336 wrote to memory of 884	1336	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
PID 1336 wrote to memory of 884	1336	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
PID 1336 wrote to memory of 884	1336	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
PID 884 wrote to memory of 4444	884	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	wmpfv4.exe
PID 884 wrote to memory of 4444	884	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	wmpfv4.exe
PID 884 wrote to memory of 4444	884	18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe	wmpfv4.exe
PID 4444 wrote to memory of 3380	4444	wmpfv4.exe	wmpfv4.exe
PID 4444 wrote to memory of 3380	4444	wmpfv4.exe	wmpfv4.exe
PID 4444 wrote to memory of 3380	4444	wmpfv4.exe	wmpfv4.exe
PID 4444 wrote to memory of 3380	4444	wmpfv4.exe	wmpfv4.exe
PID 4444 wrote to memory of 3380	4444	wmpfv4.exe	wmpfv4.exe
PID 4444 wrote to memory of 3380	4444	wmpfv4.exe	wmpfv4.exe
PID 4444 wrote to memory of 3380	4444	wmpfv4.exe	wmpfv4.exe
PID 4444 wrote to memory of 3380	4444	wmpfv4.exe	wmpfv4.exe
PID 3380 wrote to memory of 4888	3380	wmpfv4.exe	wmpfv4.exe
PID 3380 wrote to memory of 4888	3380	wmpfv4.exe	wmpfv4.exe
PID 3380 wrote to memory of 4888	3380	wmpfv4.exe	wmpfv4.exe
PID 4888 wrote to memory of 2436	4888	wmpfv4.exe	wmpfv4.exe
PID 4888 wrote to memory of 2436	4888	wmpfv4.exe	wmpfv4.exe
PID 4888 wrote to memory of 2436	4888	wmpfv4.exe	wmpfv4.exe
PID 4888 wrote to memory of 2436	4888	wmpfv4.exe	wmpfv4.exe
PID 4888 wrote to memory of 2436	4888	wmpfv4.exe	wmpfv4.exe
PID 4888 wrote to memory of 2436	4888	wmpfv4.exe	wmpfv4.exe
PID 4888 wrote to memory of 2436	4888	wmpfv4.exe	wmpfv4.exe
PID 4888 wrote to memory of 2436	4888	wmpfv4.exe	wmpfv4.exe
PID 2436 wrote to memory of 4920	2436	wmpfv4.exe	wmpfv4.exe
PID 2436 wrote to memory of 4920	2436	wmpfv4.exe	wmpfv4.exe
PID 2436 wrote to memory of 4920	2436	wmpfv4.exe	wmpfv4.exe
PID 4920 wrote to memory of 468	4920	wmpfv4.exe	wmpfv4.exe
PID 4920 wrote to memory of 468	4920	wmpfv4.exe	wmpfv4.exe
PID 4920 wrote to memory of 468	4920	wmpfv4.exe	wmpfv4.exe
PID 4920 wrote to memory of 468	4920	wmpfv4.exe	wmpfv4.exe
PID 4920 wrote to memory of 468	4920	wmpfv4.exe	wmpfv4.exe
PID 4920 wrote to memory of 468	4920	wmpfv4.exe	wmpfv4.exe
PID 4920 wrote to memory of 468	4920	wmpfv4.exe	wmpfv4.exe
PID 4920 wrote to memory of 468	4920	wmpfv4.exe	wmpfv4.exe
PID 468 wrote to memory of 3120	468	wmpfv4.exe	wmpfv4.exe
PID 468 wrote to memory of 3120	468	wmpfv4.exe	wmpfv4.exe
PID 468 wrote to memory of 3120	468	wmpfv4.exe	wmpfv4.exe
PID 3120 wrote to memory of 3568	3120	wmpfv4.exe	wmpfv4.exe
PID 3120 wrote to memory of 3568	3120	wmpfv4.exe	wmpfv4.exe
PID 3120 wrote to memory of 3568	3120	wmpfv4.exe	wmpfv4.exe
PID 3120 wrote to memory of 3568	3120	wmpfv4.exe	wmpfv4.exe
PID 3120 wrote to memory of 3568	3120	wmpfv4.exe	wmpfv4.exe
PID 3120 wrote to memory of 3568	3120	wmpfv4.exe	wmpfv4.exe
PID 3120 wrote to memory of 3568	3120	wmpfv4.exe	wmpfv4.exe
PID 3120 wrote to memory of 3568	3120	wmpfv4.exe	wmpfv4.exe
PID 3568 wrote to memory of 2100	3568	wmpfv4.exe	wmpfv4.exe
PID 3568 wrote to memory of 2100	3568	wmpfv4.exe	wmpfv4.exe
PID 3568 wrote to memory of 2100	3568	wmpfv4.exe	wmpfv4.exe
PID 2100 wrote to memory of 4252	2100	wmpfv4.exe	wmpfv4.exe
PID 2100 wrote to memory of 4252	2100	wmpfv4.exe	wmpfv4.exe
PID 2100 wrote to memory of 4252	2100	wmpfv4.exe	wmpfv4.exe
PID 2100 wrote to memory of 4252	2100	wmpfv4.exe	wmpfv4.exe
PID 2100 wrote to memory of 4252	2100	wmpfv4.exe	wmpfv4.exe
PID 2100 wrote to memory of 4252	2100	wmpfv4.exe	wmpfv4.exe
PID 2100 wrote to memory of 4252	2100	wmpfv4.exe	wmpfv4.exe
PID 2100 wrote to memory of 4252	2100	wmpfv4.exe	wmpfv4.exe
PID 4252 wrote to memory of 3048	4252	wmpfv4.exe	wmpfv4.exe

C:\Users\Admin\AppData\Local\Temp\18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18a441df203f749c24027a8f61464e7e_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Users\Admin\AppData\Local\Temp\18A441~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Users\Admin\AppData\Local\Temp\18A441~1.EXE
4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3048

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1044

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2128

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:216

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2560

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3608

C:\Windows\SysWOW64\wmpfv4.exe
"C:\Windows\system32\wmpfv4.exe" C:\Windows\SysWOW64\wmpfv4.exe
23⤵
- Executes dropped EXE
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpfv4.exe
Filesize
169KB

MD5
18a441df203f749c24027a8f61464e7e

SHA1
bff7d814b8a76605e82addc1e67f652579534d4e

SHA256
b5b17bc7bdb64909ae5277f967d739e73743d9406a65cc646753b21ede516031

SHA512
4515f22267f6b5344240a9eccdf98c065b9e4f626b91848a981283ab1e3c35a9661d04e1aed008572243bb06e9f3cddd226f4b90469964d1a8350e01cb2610ba

Download Submit
memory/468-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-8-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-6-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-5-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-4-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-45-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1336-9-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1940-121-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2100-105-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2376-148-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2436-71-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2436-66-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2436-65-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2436-68-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2436-67-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2748-161-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3120-93-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3380-53-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3380-51-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3380-54-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3380-52-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3380-59-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3568-95-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3608-174-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4252-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4444-55-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4744-128-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4744-135-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4888-69-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4920-81-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download